McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32.Korgo.E (Symantec)

• Win32.Lsabot (DrWeb)

Characteristics

This self-executing worm spreads by exploiting a Microsoft Windows vulnerability:

• MS04-011 vulnerability (CAN-2003-0533)http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.

Symptoms

The worm copies itself to the WINDOWS SYSTEM directory (such as c:\windows\system32) using a random file name, and creates a registry run key to load automatically at system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "Update Service" = C:\WINDOWS\System32\[random name] .exe

An additional marker key is created:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless

The worm listens on TCP ports 113, 3067 and other random ports.  It attempts to connect the following IRC servers on TCP port 6667:

• gaspode.zanet.org.za
• lia.zanet.net
• london.uk.eu.undernet.org
• washington.dc.us.undernet.org
• los-angeles.ca.us.undernet.org
• brussels.be.eu.undernet.org
• caen.fr.eu.undernet.org
• flanders.be.eu.undernet.org
• graz.at.eu.undernet.org
• moscow-advokat.ru
• irc.tsk.ru
• gaz-prom.ru
• moscow-advokat.ru

Method of Infection

This worm exploits vulnerable Microsoft Windows systems.  The worm scans random IP addresses, sending SYN packets on TCP port 445 to identify potential victims.  Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and execute the virus on the victim system.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32.Korgo.E (Symantec)

• Win32.Lsabot (DrWeb)

Characteristics

Characteristics -

This self-executing worm spreads by exploiting a Microsoft Windows vulnerability:

• MS04-011 vulnerability (CAN-2003-0533)http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.

Symptoms

Symptoms -

The worm copies itself to the WINDOWS SYSTEM directory (such as c:\windows\system32) using a random file name, and creates a registry run key to load automatically at system startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "Update Service" = C:\WINDOWS\System32\[random name] .exe

An additional marker key is created:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless

The worm listens on TCP ports 113, 3067 and other random ports.  It attempts to connect the following IRC servers on TCP port 6667:

• gaspode.zanet.org.za
• lia.zanet.net
• london.uk.eu.undernet.org
• washington.dc.us.undernet.org
• los-angeles.ca.us.undernet.org
• brussels.be.eu.undernet.org
• caen.fr.eu.undernet.org
• flanders.be.eu.undernet.org
• graz.at.eu.undernet.org
• moscow-advokat.ru
• irc.tsk.ru
• gaz-prom.ru
• moscow-advokat.ru

Method of Infection

Method of Infection -

This worm exploits vulnerable Microsoft Windows systems.  The worm scans random IP addresses, sending SYN packets on TCP port 445 to identify potential victims.  Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and execute the virus on the victim system.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A