W32/Korgo.worm.g
- Type: Virus
- SubType: Worm
- Discovery Date: 06/02/2004
- Length: 10752
- Minimum DAT: 4364 (06/02/2004)
- Updated DAT: 4365 (06/09/2004)
- Minimum Engine: 5.1.00
- Description Added: 06/02/2004
- Description Modified: 06/03/2004 12:14 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update June 3rd, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://software.silicon.com/malware/0,3800003100,39121085,00.htm
--
The worm is detected as W32/Korgo.worm.gen with DAT 4364.
This self-executing worm spreads by exploiting a Microsoft Windows vulnerability:
- MS04-011 (CAN-2003-0533): http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.
Symptoms
The worm copies itself to the WINDOWS SYSTEM directory (such as C:\WINDOWS\System32) using a random file name, and creates a registry Run value so that it is loaded automatically at system startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Disk Defragmenter" = C:\WINDOWS\System32\[random name].exe
An additional marker key is created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless
The worm injects a thread into the Windows Explorer process (explorer.exe). That thread listens on TCP ports 113 and 3067 and on other random ports, and attempts to connect to the following IRC servers on TCP port 6667:
- gaspode.zanet.org.za
- lia.zanet.net
- london.uk.eu.undernet.org
- washington.dc.us.undernet.org
- los-angeles.ca.us.undernet.org
- brussels.be.eu.undernet.org
- caen.fr.eu.undernet.org
- flanders.be.eu.undernet.org
- graz.at.eu.undernet.org
- moscow-advokat.ru
- irc.tsk.ru
- gaz-prom.ru
Method of Infection
This worm exploits vulnerable Microsoft Windows systems. It scans random IP addresses, sending TCP SYN packets to port 445 to identify potential victims. Exploit code is then sent to a responding host to overflow a buffer in LSASS.EXE and execute the worm on the victim system.
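The Symptoms section above lists host artefacts (a Run value named "Disk Defragmenter" pointing at a random System32 executable, the HKLM\SOFTWARE\Microsoft\Wireless marker key, explorer.exe listening on TCP 113/3067 and connecting out to IRC on 6667), and the Method of Infection section describes SYN scanning of TCP 445. The following is an added example, not McAfee's code and not part of the original description: it checks exported host data for those artefacts and flags hosts that SYN-scan many peers on 445. `reg export`, `netstat -ano` and `tasklist` are real Windows tools whose output formats are parsed here; the firewall log format (`src=... dst=... proto=TCP dport=... flags=S`) is hypothetical, and the file name hgtrwq.exe, addresses, PIDs and all sample rows are constructed.

```python
"""Indicator checks for the W32/Korgo.worm.g artefacts described above. Added example, not
McAfee's code; every input is a constructed stand-in for `reg export`, `netstat -ano`,
`tasklist` and a generic firewall log."""
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Disk Defragmenter"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"
LISTEN_PORTS = {113, 3067}  # opened by the thread the worm injects into explorer.exe
IRC_PORT, SCAN_PORT, INJECTED_PROCESS = 6667, 445, "explorer.exe"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
# Hypothetical firewall log format: key=value fields, flags=S marks a SYN.
_FW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=TCP\s+dport=(\d+)\s+flags=S\b")


def parse_reg_export(text):
    """Parse the .reg subset needed here: [Key] headers and "name"="string" values.
    A .reg export doubles backslashes inside string data, so they are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def check_registry(keys):
    """Report the Run value and marker key the worm creates (names compared case-insensitively)."""
    findings, lower = [], {k.lower(): v for k, v in keys.items()}
    for name, data in lower.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE_NAME.lower() and re.search(
                r"\\system32\\[^\\]+\.exe$", data, re.IGNORECASE):
            findings.append(f"run value {name!r} -> {data}")
    if MARKER_KEY.lower() in lower:
        findings.append(f"marker key present: {MARKER_KEY}")
    return findings


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts; UDP rows have no state and no remote port."""
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state, pid = m.groups()
            conns.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                          "raddr": raddr, "rport": None if rport == "*" else int(rport),
                          "state": state or "", "pid": int(pid)})
    return conns


def check_network(conns, pid_names):
    """Flag the worm's listeners and IRC sessions; explorer.exe owning them is the injection sign."""
    findings = []
    for c in conns:
        if c["proto"] != "TCP":
            continue
        proc = pid_names.get(c["pid"], "unknown")
        tag = " (explorer.exe normally owns no such socket)" if proc.lower() == INJECTED_PROCESS else ""
        if c["state"] == "LISTENING" and c["lport"] in LISTEN_PORTS:
            findings.append(f"listener tcp/{c['lport']} pid {c['pid']} {proc}{tag}")
        elif c["state"] == "ESTABLISHED" and c["rport"] == IRC_PORT:
            findings.append(f"IRC session to {c['raddr']}:{IRC_PORT} pid {c['pid']} {proc}{tag}")
    return findings


def detect_445_scanners(fw_lines, min_targets=5):
    """Sources that SYN many distinct hosts on tcp/445 match the worm's random-IP scanning."""
    targets = {}
    for line in fw_lines:
        m = _FW_RE.search(line)
        if m and int(m.group(3)) == SCAN_PORT:
            targets.setdefault(m.group(1), set()).add(m.group(2))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def korgo_findings(reg_text, netstat_text, pid_names):
    return check_registry(parse_reg_export(reg_text)) + check_network(parse_netstat(netstat_text), pid_names)


# Constructed sample inputs: the file name, addresses and PIDs are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Disk Defragmenter"="C:\\WINDOWS\\System32\\hgtrwq.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless]
"""
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1544
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING       1544
  TCP    192.168.1.10:1052      198.51.100.7:6667      ESTABLISHED     1544
  TCP    192.168.1.10:1061      203.0.113.9:80         ESTABLISHED     2210
  UDP    0.0.0.0:500            *:*                                    784
"""
SAMPLE_PIDS = {1544: "explorer.exe", 2210: "iexplore.exe", 784: "lsass.exe"}
SAMPLE_FW = [f"src=10.0.0.5 dst=10.0.{i}.{i * 7 % 251} proto=TCP dport=445 flags=S"
             for i in range(1, 9)] + ["src=10.0.0.9 dst=10.0.0.20 proto=TCP dport=445 flags=S"]
```

On a real host, feed `korgo_findings` the files written by `reg export` for the Run key and the Wireless key (on Windows XP these exports are UTF-16 text, so open them with `encoding="utf-16"`), the output of `netstat -ano`, and a PID-to-image-name map built from `tasklist`; any finding that ties a 113/3067 listener or a 6667 session to explorer.exe is the injected-thread symptom the description names. The 445 scan check needs only a SYN-per-destination view from whatever perimeter log is available, adjusted to that log's field names.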
Removal
All Users:
Use the specified engine and DAT files for detection and removal.
Additional Windows ME/XP removal considerations
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Korgo.F (Symantec)
- W32/Korgo.worm.gen (McAfee)
- Win32.Lsabot (DrWeb)
- Worm.Win32.Padobot.e (AVP)
- WORM_KORGO.F (Trend)