worm korgo.v

Printable View

August 13th, 2004, 12:37 AM
y2k

worm korgo.v

my officescan client detected that my computer effected with worm korgo.v, bat sasser.A, worm_rbot.zg. it said it cannot perfom cleaning process so it is quarintine. that i run my norton antivirus but my norton antivirus said my system is clean. that my spybot- search and destroy keep on pop me up with "cannot download double click". am my computer effected with virus or it just an error with my system. thank for the reply.
August 13th, 2004, 03:25 AM
hobbdebub

When I used to run windows I noticed that I always had the double click thing. I think that it actually comes from AO (the main ad is from double click I think). Ummm on the sasser worm and korgo, is your Norton up2date? Just a thought.
August 13th, 2004, 03:56 AM
y2k

i have update my norton antivirus. and i have del the directory where the worm exist. but from the norton antivirus web, i found that the worm also create some value inside my registry but when i check it out, the value didn't exist.
i follow the instructiong from http://securityresponse.symantec.com...2.korgo.v.html .now i'm not confident that i system is really secure for worldwide connection.

how can i undo all the thing that the virus do?? i check the registry, thing that i understand, but what about sth like this

Quote:

When W32.Korgo.V is executed, it performs the following actions:

Deletes the file, ftpupd.exe, from the folder in which the worm was executed.

Creates the mutex "uterm19" to ensure that only one instance of the worm is executed on the computer.

Creates the event object "u19x."

Opens the following event objects:

u19
u18
u17
u16
u15
u14
u13i
u13
u12
u11
u10
u18x
u17x
u16x
u15x
u14x
u13x
u12x
u11x
u10x

Deletes the values:

"Windows Security Manager"
"Disk Defragmenter"
"System Restore Service"
"Bot Loader"
"SysTray"
"WinUpdate"
"Windows Update Service"
"avserve.exe"
"avserve2.exeUpdate Service"
"MS Config v13"

one more thing when i run nestat -an it said some port is listening. but the foreign address is 0.0.0.0:0. is it posibility because of the virus activity, if yes how do i disable it.

thank for the quick reply and help
August 13th, 2004, 04:35 AM
Tedob1

ok, once norton quarentines a file it wont detect that file as a virus again. as far as you system is concerned it's gone. norton caught the virus before it had a chance to download all the other files thats why you cant find them. either that or they're in quarintine. try looking in norton 'view>>quarentine'

double-click, aveA, etc., are well known for planting identifying cookies (data miners). spybot blocks them.

both programs are working as they should
August 13th, 2004, 05:26 AM
y2k

just now i run online scanning using panda actice scan. and this is the report.

Quote:

Incident Status Location

Virus:Trj/Qhost.gen Disinfected C:\Program Files\Spybot - Search & Destroy\Includes\Hosts.sbs
Virus:Trj/Sysgotem.B Disinfected C:\WINDOWS\System86.dll

seem like the virus still rest in my sytem. now redo the scanning.
August 13th, 2004, 06:52 AM
y2k

do u think i should format my hd. it is because i have try panda and norton online scan. all of the scanning gave different result. mean they find a virus but with different name and location. i wondering how many virus in my system righ now. just now i redo the scanning with panda, and still alert me i have a virus but different kind of virus.
can i save my hard disk for being formated. just to get rid of this nasty virus.
any idea for me to solve this problem. help needed.
thank q
August 13th, 2004, 08:47 AM
muert0

I think your having conflictions with your AV man. You shouldn't run two anti-virus programs at once. http://service1.symantec.com/SUPPORT...00031316555206