

More Korgo. I guess this is the prevalent malware in my neck of the net.

file: 7f60162c2c0bd2cc7531e51328e98290: MS-DOS executable (EXE), OS/2 or MS Windows
info: 11391 Dec 3 16:42 7f60162c2c0bd2cc7531e51328e98290
md5sum: 7f60162c2c0bd2cc7531e51328e98290 7f60162c2c0bd2cc7531e51328e98290
sha1sum: 14d1aa76e3e787d7ce2080c8a314821bab6f18de 7f60162c2c0bd2cc7531e51328e98290

Event: Threat Found!
Threat: W32.Korgo.S
File: C:\malware\7f60162c2c0bd2cc7531e51328e98290
Date found: Saturday, December 10, 2005 6:47:38 PM

Taken from the current Bleeding Snort rules
Copyright (c) 2005,
All rights reserved.

alert tcp $HOME_NET any -> any 445 (msg: "BLEEDING-EDGE VIRUS Sasser/Korgo Worm"; flow: to_server,established; flowbits: isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; nocase; offset: 4; depth: 4; content:"|05|"; distance: 59; content:"|00|"; within: 1; distance: 1; content:"|09 00|"; within: 2; distance: 19; reference: bugtraq,10108; reference: cve,2003-0533; reference: url,; classtype: attempted-admin; sid: 2001286; rev:10; )

#Submitted by Nick Hatch
alert tcp $HOME_NET any -> any 445 (msg: "BLEEDING-EDGE Korgo.P offering executable"; flow: to_server,established; content:"|FF|SMB"; depth: 10; content:"|58|http"; content:".exe"; nocase; within: 36; reference: url,; classtype: trojan-activity; sid: 2001337; rev:3; )
alert tcp $HOME_NET any -> any any (msg: "BLEEDING-EDGE Korgo.P binary upload"; flow: to_server,established; content:"|aa4f7ea86c90457d686868f0de687a68689768686868|"; reference: url,; classtype: trojan-activity; sid: 2001338; rev:4; )
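The rules above chain their content matches by byte position. As an added example (not from this post or the Bleeding Snort project), the Python below evaluates the offset/depth/distance/within chains of sid 2001286 and sid 2001337 against constructed SMB frames; it models only the payload byte-position logic and assumes the flow/flowbits conditions, which need stream state, are already satisfied.

```python
# Added example (not from the post or Bleeding Snort): a minimal Snort-2-style
# evaluator for the content/offset/depth/distance/within chain of the Korgo rules
# above, run over constructed SMB payloads. flow/flowbits (stream state) are not
# modelled, and each content takes its first candidate match only.
def _find(hay, pat, start, window, nocase):
    """Search hay[start:start+window] (to the end if window is None); return index past match or -1."""
    region = hay[start:] if window is None else hay[start:start + window]
    idx = region.lower().find(pat.lower()) if nocase else region.find(pat)
    return -1 if idx < 0 else start + idx + len(pat)
def match_content_chain(payload, contents):
    """contents: dicts with 'pattern' plus offset/depth (absolute, from payload
    start) or distance/within (relative to the end of the previous match)."""
    prev_end = 0
    for c in contents:
        if "distance" in c or "within" in c:            # relative content
            start, window = prev_end + c.get("distance", 0), c.get("within")
        else:                                            # absolute content
            start, window = c.get("offset", 0), c.get("depth")
        prev_end = _find(payload, c["pattern"], start, window, c.get("nocase", False))
        if prev_end < 0:
            return False
    return True

# sid:2001286: SMB magic at bytes 4..8; DCERPC header 59 bytes later (version 5,
# packet type 0 = request); opnum 9 at DCERPC offset 22 (the LSASS call behind CVE-2003-0533).
KORGO_RPC_CHAIN = [
    {"pattern": b"\xffSMB", "nocase": True, "offset": 4, "depth": 4},
    {"pattern": b"\x05", "distance": 59},
    {"pattern": b"\x00", "within": 1, "distance": 1},
    {"pattern": b"\x09\x00", "within": 2, "distance": 19},
]
# sid:2001337: SMB magic in the first 10 bytes, "Xhttp" anywhere after it, then
# ".exe" (any case) within 36 bytes of that.
KORGO_URL_CHAIN = [
    {"pattern": b"\xffSMB", "depth": 10},
    {"pattern": b"\x58http"},
    {"pattern": b".exe", "nocase": True, "within": 36},
]

def build_lsass_request(opnum):
    """Constructed NetBIOS+SMB frame carrying a DCERPC request; fields the rule
    does not inspect are zeroed, so only the byte offsets matter."""
    smb = b"\xffSMB" + b"\x00" * 59                      # SMB header + transact fields
    dcerpc = bytes([5, 0, 0, 3]) + b"\x00" * 18 + opnum.to_bytes(2, "little")
    return b"\x00\x00\x00\x00" + smb + dcerpc

def build_smb_url(url):
    """Constructed SMB frame whose data part carries 'X' followed by a URL."""
    return b"\x00\x00\x00\x00\xffSMB" + b"\x00" * 10 + b"\x58" + url
```

A request with any other opnum, or a URL whose ".exe" falls outside the 36-byte window, does not match, which is what the within/distance modifiers are there to enforce.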

"Fuck the fucking fuckers before they fuck you"
- The Rogue Warrior