US-CERT Security Update: New Worm: W32/Korgo.F
Added June 2
US-CERT has received reports of a new worm, referred to as "W32/Korgo.F" or "W32/Padobot". This worm attempts to take advantage of a buffer overflow vulnerability in the Windows Local Security Authority Service Server (LSASS). The vulnerability allows a remote attacker to execute arbitrary code with SYSTEM privileges. More information on this vulnerability is available in Vulnerability Note VU#753212 and Microsoft Security Bulletin MS04-011.
The worm propagates by scanning random IP addresses on port 445/tcp for vulnerable systems. Upon finding a vulnerable system, the worm will attempt to exploit this vulnerability. If successful, this worm will open a connection on port 113/tcp or port 3067/tcp and may attempt to connect to a list of pre-determined IRC servers.
US-CERT strongly encourages users to install and maintain anti-virus software as well as patch their systems to prevent exploitation of the listed vulnerabilities.
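The network behaviour described above can be checked for in flow or firewall logs. The following is an added example, not part of the US-CERT advisory: it flags hosts that contact many distinct addresses on 445/tcp and hosts that receive connections on 113/tcp or 3067/tcp. The four-field log format, the fan-out threshold, the function names and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SCAN_PORT = 445               # propagation port named in the advisory
BACKDOOR_PORTS = {113, 3067}  # ports the worm opens after infection

def parse_flow(line):
    """Parse 'src dst dport proto' (assumed format); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return src, dst, int(dport), proto.lower()
    except ValueError:
        return None

def find_suspects(lines, fanout_threshold=10):
    """Map host -> sorted indicator names seen for that host."""
    scan_targets = defaultdict(set)  # src -> distinct 445/tcp destinations
    findings = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow[3] != "tcp":
            continue
        src, dst, dport, _ = flow
        if dport == SCAN_PORT:
            scan_targets[src].add(dst)
        elif dport in BACKDOOR_PORTS:
            # 113/tcp is also the ident service, so treat this indicator
            # alone as a lead to corroborate, not as proof of infection.
            findings[dst].add(f"inbound-{dport}")
    for src, targets in scan_targets.items():
        if len(targets) >= fanout_threshold:
            findings[src].add("445-fanout")
    return {host: sorted(tags) for host, tags in findings.items()}

# Constructed sample records (documentation and private address ranges).
SAMPLE = [f"10.0.0.5 198.51.100.{i} 445 tcp" for i in range(1, 13)] + [
    "203.0.113.9 10.0.0.5 3067 tcp",  # inbound to the scanning host
    "10.0.0.7 10.0.0.2 445 tcp",      # ordinary file-server traffic
    "10.0.0.7 10.0.0.2 445 tcp",
    "garbage line",                   # malformed, ignored
    "10.0.0.8 10.0.0.9 113 udp",      # wrong protocol, ignored
]
```

A host that shows both indicators, as 10.0.0.5 does in the sample, is the strongest candidate for isolation and patching against MS04-011.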