
SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog


Port 113 - Korgo worm variants

Published: 2004-06-02
Last Updated: 2004-06-03 00:00:49 UTC
by Pedro Bueno (Version: 1)

Korgo worm variant

A few days ago we received reports of probes for port 113.
Today Symantec upgraded the Korgo .F variant from a Category 2 to a Category 3, "due to an increased rate of submissions".

This worm/bot variant exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (MS04-011). According to Symantec, it also listens on ports 113 and 3067 and on other random ports.

The F-Secure Weblog reports a .G version.

When active, the worm tries to connect to the following IRC servers on port 6667:

It then joins the #waffen-ss channel to create a bot with a random name.
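To triage hosts against the ports named above, the following added example (not part of the original diary) correlates flow records: an internal host that accepts inbound connections on 113 or 3067 and also connects out to port 6667 is ranked highest. The record format, the 10.0.0.0/8 internal range, the sample records and the verdict names are assumptions made for the example; since IRC servers commonly issue ident (RFC 1413) lookups to port 113 on connecting clients, a 113 connection from the host's own IRC server is not counted.

```python
import ipaddress
from collections import defaultdict

LISTEN_PORTS = {113, 3067}   # ports the diary says the worm listens on
IRC_PORT = 6667              # port the diary says the worm uses for IRC
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: monitored network

# Constructed sample records: "time src sport dst dport state"
SAMPLE_FLOWS = """\
2004-06-02T10:00:01 203.0.113.7 4312 10.1.1.20 113 ESTABLISHED
2004-06-02T10:00:05 10.1.1.20 1045 198.51.100.9 6667 ESTABLISHED
2004-06-02T10:00:09 203.0.113.8 4400 10.1.1.20 3067 ESTABLISHED
2004-06-02T10:02:00 10.1.1.31 1100 198.51.100.50 6667 ESTABLISHED
2004-06-02T10:02:01 198.51.100.50 51000 10.1.1.31 113 ESTABLISHED
2004-06-02T10:03:00 203.0.113.7 4313 10.1.1.44 113 REJECTED
"""

def triage(flow_text, internal=INTERNAL):
    """Return {internal_host: verdict} from whitespace-separated flow records."""
    accepted = defaultdict(set)   # host -> {(port, remote)} inbound connections accepted
    irc_peers = defaultdict(set)  # host -> remote IRC servers it connected to
    probed = set()                # hosts whose inbound probes were refused
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed records
        _, src, _, dst, dport, state = fields
        dport, ok = int(dport), state == "ESTABLISHED"
        src_in = ipaddress.ip_address(src) in internal
        dst_in = ipaddress.ip_address(dst) in internal
        if dst_in and not src_in and dport in LISTEN_PORTS:
            if ok:
                accepted[dst].add((dport, src))
            else:
                probed.add(dst)
        elif src_in and not dst_in and dport == IRC_PORT and ok:
            irc_peers[src].add(dst)
    verdicts = {}
    for host in set(accepted) | set(irc_peers) | probed:
        # An ident lookup from the host's own IRC server is normal IRC
        # behaviour, so it does not count as an unexpected listener.
        listening = {p for p, peer in accepted[host]
                     if not (p == 113 and peer in irc_peers[host])}
        irc = bool(irc_peers[host])
        verdicts[host] = ("likely-infected" if listening and irc else
                          "unexpected-listener" if listening else
                          "irc-only" if irc else "probed-only")
    return verdicts
```

Outbound IRC alone is not proof of infection, so `irc-only` hosts are candidates for review rather than confirmed cases.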

Handler on duty: Pedro Bueno (