
padobot worm

By computab
Symantec says that it creates mutexes "10", "u2", "uterm5". What are mutexes? There does not seem to be any removal tool. AVG says it is on the PC, but I have searched the registry and the supposed registry keys are not there. Help please?


by LMon In reply to padobot worm

Mutexes is:
MUTEXES is an MFC sample that demonstrates the use of the CMutex synchronization object. MUTEXES is a dialog-based application that creates two CWinThread objects and uses them to perform a simple task under the user's control.

Here is a link in case you need a better understanding.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcsample/html/_sample_mfc_MUTEXES.asp

Follow the steps to remove the Korgo virus:

http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.f.html


by computab In reply to

Poster rated this answer.


by mikex In reply to padobot worm

Sounds clear now:

The Korgo Worm

The Korgo worm (also known as Worm.Win32.Padobot.b or Exploit-Lsass.gen) infects Windows systems such as Windows 98, NT, 2000 and XP. It exploits a buffer overflow vulnerability in Windows Local Security Authority System Services (lsass.exe), as described in Microsoft Security Bulletin 04-011. Various mutants of the Korgo worm have been identified. Although each version is somewhat different from the others, similarities between different versions exist in that they:
Create a mutex that allows only one version of Korgo to run at any time.
Under certain conditions copy themselves into the system folder (%systemroot%) on each system they infect. The executable has a randomly-determined name.
Insert a value into the Registry to guarantee that this worm will start every time the infected system boots.
Attempt to connect to certain IRC chat servers such as K01irc.kar.net, gaspode.zanet.org.za, lia.zanet.net, irc.tsk.ru, london.uk.eu.undernet.org, washington.dc.us.undernet.org, los-angeles.ca.us.undernet.org, brussels.be.eu.undernet.org, caen.fr.eu.undernet.org, flanders.be.eu.undernet.org, graz.at.eu.undernet.org, moscow-advocat.ru, and gaz-prom.ru.
Open ports that allow back door access to the infected system.

The fact that Korgo can capture keystrokes on machines that it infects increases the threat that it poses considerably. Individuals who use a Korgo-infected system could expose personal data such as social security numbers and mothers' maiden names, and also credit card numbers and other financial information.


And one good article about the protection/removal:

Original Issue Date: 25th June 2004

http://www.mycert.org.my/advisory/MA-075.062004.html
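The behaviour listed above (a single-instance mutex, an autostart value in the Registry) gives a defender something concrete to check. The following is an added example, not code from this thread, from Symantec or from MyCERT: a small Python triage helper that tests whether the mutex names quoted in the question ("10", "u2", "uterm5") exist on the local Windows machine and lists the Run-key autostart values for manual review. It assumes the usual HKLM/HKCU Software\Microsoft\Windows\CurrentVersion\Run locations, which the thread itself does not name.

```python
"""Added triage helper for the Korgo/Padobot indicators in this thread.
Tests for the mutex names quoted in the question (a worm's single-instance
mutex is also an infection marker) and lists Run-key autostart values for
review. Windows calls stay inside functions so the logic runs anywhere."""

from typing import Callable, Dict, Iterable, List

KORGO_MUTEXES = ("10", "u2", "uterm5")  # names quoted in the question
SYNCHRONIZE = 0x00100000  # least access right that still opens a named mutex
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # assumed location


def open_mutex_win32(name: str) -> bool:
    """Return True if a mutex called `name` exists (Windows only, via kernel32)."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR)
    k32.OpenMutexW.restype = wintypes.HANDLE
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if not handle:  # NULL handle: no such mutex (or access denied)
        return False
    k32.CloseHandle(handle)
    return True


def check_mutexes(names: Iterable[str] = KORGO_MUTEXES,
                  opener: Callable[[str], bool] = open_mutex_win32) -> List[str]:
    """Return the subset of `names` that currently exist as named mutexes."""
    return [n for n in names if opener(n)]


def autostart_values() -> Dict[str, str]:
    """Enumerate HKLM and HKCU Run-key values as {'HIVE\\name': command}."""
    import winreg
    found: Dict[str, str] = {}
    hives = ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU"))
    for hive, label in hives:
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = value count
                    name, value, _ = winreg.EnumValue(key, i)
                    found[f"{label}\\{name}"] = str(value)
        except OSError:
            continue  # key absent or not readable in this hive
    return found


if __name__ == "__main__":
    print("Korgo mutexes present:", check_mutexes() or "none")
    for entry, cmd in autostart_values().items():
        print(f"{entry}: {cmd}")  # review anything pointing into %systemroot%
```

Run it as an administrator on the suspect machine; a hit on any of the three mutex names means a Korgo process is currently running, and the Run-key listing is where the autostart value would appear if the worm has persisted.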


by computab In reply to

Poster rated this answer.


by computab In reply to padobot worm

This question was closed by the author
