Detections
Analytics
Korgo Worm Detection
critical Nessus Plugin ID 12252
Language:
Synopsis
The remote host is probably infected with the Korgo worm.Description
Nessus found that TCP ports 113 and 3067 are open.The Korgo worm is known to open a backdoor on these ports.
It propagates by exploiting the LSASS vulnerability on TCP port 445 (as described in Microsoft Security Bulletin MS04-011)
** Note that Nessus did not try to talk to the backdoor,
** so this might be a false positive.
Solution
Disable access to port 445 by using a firewall. Additionally, apply Microsoft MS04-011 patch.See Also
http://www.nessus.org/u?0648f11d
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-011
Plugin Details
Severity: Critical
ID: 12252
File Name: korgo.nasl
Version: 1.21
Type: remote
Family: Backdoors
Published: 5/26/2004
Updated: 11/15/2018
Configuration: Enable paranoid mode
Supported Sensors: Nessus
Vulnerability Information
Required KB Items: Settings/ParanoidReport
Reference Information
MSFT: MS04-011
MSKB: 835732