Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Port 113 - Korgo worm variants - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Port 113 - Korgo worm variants

Korgo worm variant

Some days ago we received some reports about probes for port 113.
Today Symantec upgraded the Korgo .F variant from a Category 2 to Category 3, "due to an increased rate of submissions".

This worm bot variant explores the Microsoft Windows LSASS Buffer Overrun Vulnerability (MS04-011). According to Symantec it also listens on port 113, 3067 and other random ports.

The F-secure Weblog reports about a .G version.

When active, the worm tries to connect on the following IRC servers on port 6667:

And join the #waffen-ss channel to create a bot with a random name.

Handler on duty: Pedro Bueno (

155 Posts
ISC Handler
Jun 3rd 2004

Sign Up for Free or Log In to start participating in the conversation!