Korgo Virus

Discussion in 'MCSE' started by Slarty Bartfast, Jun 23, 2004.

  1. We had two days of the LAN being down this week with the Win32.Korgo.I
    virus.
    It has similar behaviour to the Sasser that we spent a whole day on
    'fixing'. We had Microsoft Auto-updates turned off for some reason - MS04-011
    patch would have stopped it, but it wasn't on all our machines.
    It most likely got in via a laptop that was on the net while outside our
    firewall and then brought it in.
    We are updating all our laptops to XP and using its firewall - better than
    nothing.

    Any suggestions on good laptop policy regarding security - I know that might
    seem a silly question, but we have been using NT4 and 2000 on our laptops
    with good updated virus protection forever, long before I came here, even
    though I knew the lack of a software firewall was a risk and brought the
    issue up a few times.
    --

    Regards,

    Slarty Bartfast
    Slarty Bartfast, Jun 23, 2004
    #1

  2. Slarty Bartfast

    JaR Guest

    Slarty Bartfast wrote:
    >
    > Any suggestions on good laptop policy regarding security - I know that might
    > seem a silly question, but we have been using NT4 and 2000 on our laptops
    > with good updated virus protection forever, long before I came here, even
    > though I knew the lack of a software firewall was a risk and brought the
    > issue up a few times.
    >


    Sure, make certain the disk drives, modem and network cards are removed
    before leaving the site.

    Seriously, all you can do is make sure they've got a good software
    firewall operational, and that the luse^H^H^H^Hemployee has been beaten
    about the head and shoulders with a clue-stick until a reasonable amount
    has penetrated.

    But when all is said and done, it's kinda like giving the kid the keys
    to the family car on a Friday night. You hope and pray that he/she has
    enough sense not to get careless and pile it up, but they're gonna do it
    anyway.

    JaR
    Cynical Thug
    JaR, Jun 24, 2004
    #2

  3. Slarty Bartfast

    Neil Guest

    JaR <> wrote in news:uJMIzfXWEHA.712@TK2MSFTNGP11.phx.gbl:

    > But when all is said and done, it's kinda like giving the kid the keys
    > to the family car on a Friday night. You hope and pray that he/she has
    > enough sense not to get careless and pile it up, but they're gonna do it
    > anyway.
    >


    LMHO! this isn't just laptop lusers. Our corp was forced to open up
    access to the desktop for a "mission critical" (*cough*) application. Now
    I hope and pray that the gentle creatures that roam my domain will avert
    their eyes from the happy smiling offer of 5000 smiley faces for free or
    some such. they never do. and not long after we are running Spybot
    S&D/Ad-Aware (not part of the standard image) or reimaging the box.

    I'm sure they are also distracted by anything shiny...

    --
    Neil MCNGP #30
    "you'd do what, to who, for how many biscuits?"
    Neil, Jun 24, 2004
    #3
  4. Slarty Bartfast

    Neil Guest

    "Slarty Bartfast" <> wrote in news:#d9WVRXWEHA.1128@TK2MSFTNGP10.phx.gbl:

    > Any suggestions on good laptop policy regarding security


    I guess "don't let them have one" is out of the question. too bad.

    If we give out a laptop we also find out if the user has high speed
    access at home. if they do we break open the piggy bank and buy them a
    cheap Linksys firewall. helps a little. if you have AD you should also
    consider SUS (or is it WUS now) and setting a bunch of GPO settings.

    that being said we do all this and still managed to get a new flavour of
    GOABOT recently that we had to work with Symantec on as it was new to
    them and not in the most recent def...

    --
    Neil MCNGP #30
    "you'd do what, to who, for how many biscuits?"
    Neil, Jun 24, 2004
    #4
  5. Slarty Bartfast

    fygar Guest

    On Thu, 24 Jun 2004 08:50:34 +1000, "Slarty Bartfast"
    <> wrote:

    >We had two days of the LAN being down this week with the Win32.Korgo.I
    >virus.
    >It has similar behaviour to the Sasser that we spent a whole day on
    >'fixing'. We had Microsoft Auto-updates turned off for some reason - MS04-011
    >patch would have stopped it, but it wasn't on all our machines.
    >It most likely got in via a laptop that was on the net while outside our
    >firewall and then brought it in.
    >We are updating all our laptops to XP and using its firewall - better than
    >nothing.
    >
    >Any suggestions on good laptop policy regarding security - I know that might
    >seem a silly question, but we have been using NT4 and 2000 on our laptops
    >with good updated virus protection forever, long before I came here, even
    >though I knew the lack of a software firewall was a risk and brought the
    >issue up a few times.


    Run MBSA to find all lagging machines.
    Patch.
    Set up SUS.
    Set up a managed Antivirus.
    Find a firewall product if not using XP.
    Keep users out of Administrators group.
    Keep users out of Administrators group.
    Keep users out of Administrators group.
    Keep users out of Administrators group.
    ***Do not give access to email w/o using VPN. (This forces the
    occasional connection so the systems will check for updates)

    Remove batteries and power cords

    ....butch
    fygar, Jun 24, 2004
    #5
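Butch's checklist above, turned into a local audit you can run on each laptop when it reconnects. This is an added example, not code from the thread or from any of the posters, and it assumes a far newer platform than the NT4/2000 fleet in the original post: Windows PowerShell 5.1 or later (Get-LocalGroupMember and Get-NetFirewallProfile are not available before that), a domain-joined machine, and an elevated prompt. The hotfix list, the allowed-admins list and the policy key path are assumptions you would replace with your own baseline; MS04-011 shipped as KB835732, which is why that KB appears as the placeholder, and the WindowsUpdate policy values are the ones a SUS/WSUS client GPO writes.

```powershell
# Added example (not from the thread): per-machine baseline audit for the
# checklist above. Assumes Windows PowerShell 5.1+, domain-joined, elevated.
# $RequiredHotfixes, $AllowedAdmins and the policy key are placeholders.

$RequiredHotfixes = @('KB835732')                        # MS04-011 shipped as KB835732; substitute your current baseline
$AllowedAdmins    = @('Administrator', 'Domain Admins')  # assumption: the only permitted members of local Administrators
$UpdatePolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-RequiredHotfixes {
    param([string[]]$KBs)
    # Get-HotFix reads Win32_QuickFixEngineering; HotFixID is the "KBnnnnnn" string.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBs) {
        [pscustomobject]@{ Check = "Hotfix $kb installed"; Pass = ($installed -contains $kb); Detail = '' }
    }
}

function Test-LocalAdministrators {
    param([string[]]$Allowed)
    # Names come back as "MACHINE\user" or "DOMAIN\group"; compare on the part after the backslash.
    $members = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { ($_.Name -split '\\')[-1] }
    $extra = @($members | Where-Object { $Allowed -notcontains $_ })
    [pscustomobject]@{
        Check  = 'Local Administrators contains only the allow-list'
        Pass   = ($extra.Count -eq 0)
        Detail = ($extra -join ', ')
    }
}

function Test-FirewallProfiles {
    # Any profile (Domain, Private, Public) with the firewall disabled is a finding.
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } |
        Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        Check  = 'Windows Firewall enabled on every profile'
        Pass   = ($off.Count -eq 0)
        Detail = ($off -join ', ')
    }
}

function Test-UpdatePolicy {
    param([string]$PolicyKey)
    # A SUS/WSUS GPO sets WUServer under the WindowsUpdate key; NoAutoUpdate=1 under
    # the AU subkey means Automatic Updates is switched off entirely.
    $wu = Get-ItemProperty -Path $PolicyKey        -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$PolicyKey\AU"   -ErrorAction SilentlyContinue
    $server   = $wu.WUServer
    $disabled = ($au.NoAutoUpdate -eq 1)
    [pscustomobject]@{
        Check  = 'Automatic Updates enabled and pointed at an update server'
        Pass   = ([bool]$server -and -not $disabled)
        Detail = $(if ($server) { "WUServer=$server; NoAutoUpdate=$($au.NoAutoUpdate)" } else { 'no WUServer policy set' })
    }
}

$results = @(
    Test-RequiredHotfixes    -KBs $RequiredHotfixes
    Test-LocalAdministrators -Allowed $AllowedAdmins
    Test-FirewallProfiles
    Test-UpdatePolicy        -PolicyKey $UpdatePolicyKey
)

$results | Format-Table Check, Pass, Detail -AutoSize

# Non-zero exit so a logon script or scheduled task can flag the machine for remediation.
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```

Run it from a logon script or a scheduled task that fires when the VPN comes up, which is the point of the "no email without VPN" rule: the laptop has to touch the domain before it is useful, and that is the moment to test it and push SUS/WSUS patches.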
  6. Slarty Bartfast

    Neil Guest

    fygar <> wrote in
    news::

    > Keep users out of Administrators group.
    > Keep users out of Administrators group.
    > Keep users out of Administrators group.
    > Keep users out of Administrators group.


    Butch, you're stuttering...

    --
    Neil MCNGP #30
    "you'd do what, to who, for how many biscuits?"
    Neil, Jun 24, 2004
    #6
  7. Slarty Bartfast

    Neil Guest

    fygar <> wrote in
    news::

    > Remove batteries and power cords


    the best

    --
    Neil MCNGP #30
    "you'd do what, to who, for how many biscuits?"
    Neil, Jun 24, 2004
    #7
  8. Slarty Bartfast

    fygar Guest

    On Thu, 24 Jun 2004 06:49:34 -0700, Neil <>
    wrote:

    >fygar <> wrote in
    >news::
    >
    >> Keep users out of Administrators group.
    >> Keep users out of Administrators group.
    >> Keep users out of Administrators group.
    >> Keep users out of Administrators group.

    >
    >Butch, you're stuttering...


    I've seen people that are supposed to be our peers solve problems that
    way so many times that I feel like a broken record every time I have
    to deal with it.

    I had a small company call me in because their regular consulting firm
    couldn't get to this request for a few more days. They wanted a web
    based application opened up to the Internet so their remote employees
    could access it. Easy enough, I'll take a look. All the users were
    domain admins and there were no passwords on the application (not AD
    integrated). I backed away slowly and told them to call me when they
    fixed the problems, otherwise I wasn't poking any holes in the
    firewall.

    These people are paying a lot of money to that consulting firm too.

    .....b
    fygar, Jun 24, 2004
    #8
  9. Slarty Bartfast

    Neil Guest

    fygar <> wrote in
    news::

    > I backed away slowly and told them to call me when they
    > fixed the problems, otherwise I wasn't poking any holes in the
    > firewall.
    >


    *shudder*
    mommy, that man over there is scaring me....

    --
    Neil MCNGP #30
    "you'd do what, to who, for how many biscuits?"
    Neil, Jun 24, 2004
    #9
  10. fygar <> wrote in
    news::

    > I've seen people that are supposed to be our peers solve problems that
    > way so many times that I feel like a broken record every time I have
    > to deal with it.


    Ah yes, like the time the Dot Communists insisted I had to change the
    service account for a web application to an administrator level one, as it
    absolutely wouldn't work otherwise - it wouldn't work because they had
    hard-coded names of administrative shares into some of the file paths. Or
    how I had to grant that same account SA privileges to the SQL Servers,
    because it was "too confusing" to have to owner-qualify some table names...


    --
    http://www.vigo-alessi.com/images/products/1362.jpg
    Vigo Breadcrumbs, Jun 24, 2004
    #10
  11. Slarty Bartfast

    Jtyc Guest

    > Ah yes, like the time the Dot Communists insisted I had to change the
    > service account for a web application to an administrator level one, as it
    > absolutely wouldn't work otherwise - it wouldn't work because they had
    > hard-coded names of administrative shares into some of the file paths. Or
    > how I had to grant that same account SA privileges to the SQL Servers,
    > because it was "too confusing" to have to owner-qualify some table
    > names...


    My biggest headache day in day out is crappy programmers.
    Jtyc, Jun 24, 2004
    #11
  12. Jtyc wrote:
    >> Ah yes, like the time the Dot Communists insisted I had to change the
    >> service account for a web application to an administrator level one,
    >> as it absolutely wouldn't work otherwise - it wouldn't work because
    >> they had hard-coded names of administrative shares into some of the
    >> file paths. Or how I had to grant that same account SA privileges
    >> to the SQL Servers, because it was "too confusing" to have to
    >> owner-qualify some table names...

    >
    >
    > My biggest headache day in day out is crappy programmers.


    On behalf of crappy programmers everywhere, I apologize.

    --
    Fris "HAHAHAHAHAHAH" bee®, MCNGP #13

    The MCNGP Team - We're here to help!
    http://www.mcngp.tk

    Certaholics
    http://groups.yahoo.com/group/certaholics
    =?Windows-1252?Q?Frisbee=AE?=, Jun 24, 2004
    #12
  13. "Jtyc" <jtyc_mcngp@spamblockerbitch!@yahoo.com> wrote in
    news:#:

    > My biggest headache day in day out is crappy programmers.


    If your programmers were crap, the Dot Commies were a sewage plant.

    I had the added frisson of Nosferatu's vampiric sleeping habits (i.e., he
    mostly didn't) combined with the time offset for Cheapistan. They got six
    whole hours to complain that it was "system traubles." Five minutes' of my
    scalding regard during the daily production meetings cleared up that it
    was, in fact, almost always software traubles, but the damage to my
    reputation was long since done.


    --
    http://www.vigo-alessi.com/images/products/1362.jpg
    Vigo Breadcrumbs, Jun 24, 2004
    #13

  14. >On behalf of crappy programmers everywhere, I apologize.
    >
    >--
    >Fris "HAHAHAHAHAHAH" bee®, MCNGP #13
    >



    Hey, are you a member of the crappy programmers guild too?
    Keyboard Cowboy, Jun 24, 2004
    #14
  15. Slarty Bartfast

    kpg Guest

    "Keyboard Cowboy" <> wrote in
    message news:20a0e01c45a0d$c2460560$...

    >On behalf of crappy programmers everywhere, I apologize.
    >
    >--
    >Fris "HAHAHAHAHAHAH" bee®, MCNGP #13
    >



    >Hey, are you a member of the crappy programmers guild too?


    the best
    kpg, Jun 24, 2004
    #15
  16. Slarty Bartfast

    Spyke Guest

    "kpg" <> wrote in
    news::

    >
    > "Keyboard Cowboy" <> wrote
    > in message news:20a0e01c45a0d$c2460560$...
    >
    >>On behalf of crappy programmers everywhere, I apologize.
    >>
    >>--
    >>Fris "HAHAHAHAHAHAH" bee®, MCNGP #13
    >>

    >
    >
    >>Hey, are you a member of the crappy programmers guild too?

    >
    > the best
    >
    >
    >


    with updates

    --

    Cheers,
    Spyke
    Spyke, Jun 24, 2004
    #16
  17. Slarty Bartfast

    TechGeekPro Guest

    "fygar" <> wrote in message
    news:...
    > On Thu, 24 Jun 2004 08:50:34 +1000, "Slarty Bartfast"
    > <> wrote:
    >
    > >We had two days of the LAN being down this week with the Win32.Korgo.I
    > >virus.
    > >It has similar behaviour to the Sasser that we spent a whole day on
    > >'fixing'. We had Microsoft Auto-updates turned off for some reason - MS04-011
    > >patch would have stopped it, but it wasn't on all our machines.
    > >It most likely got in via a laptop that was on the net while outside our
    > >firewall and then brought it in.
    > >We are updating all our laptops to XP and using its firewall - better than
    > >nothing.
    > >
    > >Any suggestions on good laptop policy regarding security - I know that might
    > >seem a silly question, but we have been using NT4 and 2000 on our laptops
    > >with good updated virus protection forever, long before I came here, even
    > >though I knew the lack of a software firewall was a risk and brought the
    > >issue up a few times.

    >
    > Run MBSA to find all lagging machines.
    > Patch.
    > Set up SUS.
    > Set up a managed Antivirus.
    > Find a firewall product if not using XP.
    > Keep users out of Administrators group.
    > Keep users out of Administrators group.
    > Keep users out of Administrators group.
    > Keep users out of Administrators group.
    > ***Do not give access to email w/o using VPN. (This forces the
    > occasional connection so the systems will check for updates)
    >
    > Remove batteries and power cords
    >
    > ...butch


    Yeah, but shouldn't you also keep users out of Administrators group?

    --
    I may not be completely certified, but I am completely certifiable.
    TechGeekPro, Jun 24, 2004
    #17
  18. Slarty Bartfast

    fygar Guest

    On Thu, 24 Jun 2004 14:07:14 -0400, "TechGeekPro"
    <%username%@yahoo.com> wrote:

    >"fygar" <> wrote in message
    >> Keep users out of Administrators group.
    >> Keep users out of Administrators group.
    >> Keep users out of Administrators group.
    >> Keep users out of Administrators group.
    >> ***Do not give access to email w/o using VPN. (This forces the
    >> occasional connection so the systems will check for updates)
    >>
    >> Remove batteries and power cords
    >>
    >> ...butch

    >
    >Yeah, but shouldn't you also keep users out of Administrators group?


    I'll add that to the list.

    ....b
    fygar, Jun 24, 2004
    #18
  19. Slarty Bartfast

    Ken Briscoe Guest

    "TechGeekPro" <%username%@yahoo.com> wrote in message
    news:...
    >
    > Yeah, but shouldn't you also keep users out of Administrators group?


    I had to stick users in local admin groups the other day. We have a dumbass
    printer whose software won't allow users to print to a mailbox unless they
    have administrative rights. So, since I'm not the one running the show, I'm
    merely a lackey, I was instructed to add EVERYONE to their local admin
    group. I protested, but only briefly, as I realized that this is job
    security. Doing this will virtually guarantee me a job in a couple months
    when things backfire and a sh!tstorm of spyware, viruses, and nosy users
    ensues. But I guess, for now, everyone's happy because they can all print.
    Whatever. But I can feel it...the big one's coming. I know I'm going to be
    told to give some luser domain admin access, by either giving him one of the
    admin usernames/passwords or by dropping him/her into domain admins. I can
    feel it. I'm going to cringe. I'm going to vomit. I'm going to probably pass
    out. Oh well.

    --

    KB - MCNGP "silent thug" #26

    first initial last name AT hotmail DOT com
    Ken Briscoe, Jun 24, 2004
    #19
  20. Slarty Bartfast

    TechGeekPro Guest

    "fygar" <> wrote in message
    news:...
    > On Thu, 24 Jun 2004 14:07:14 -0400, "TechGeekPro"
    > <%username%@yahoo.com> wrote:
    >
    > >"fygar" <> wrote in message
    > >> Keep users out of Administrators group.
    > >> Keep users out of Administrators group.
    > >> Keep users out of Administrators group.
    > >> Keep users out of Administrators group.
    > >> ***Do not give access to email w/o using VPN. (This forces the
    > >> occasional connection so the systems will check for updates)
    > >>
    > >> Remove batteries and power cords
    > >>
    > >> ...butch

    > >
    > >Yeah, but shouldn't you also keep users out of Administrators group?

    >
    > I'll add that to the list.
    >
    > ...b


    Glad to help. ;-)

    --
    I may not be completely certified, but I am completely certifiable.
    TechGeekPro, Jun 24, 2004
    #20