W32/Korgo.worm.p

Type: Virus
SubType: Worm
Discovery Date: 06/18/2004
Length: 9,343 Bytes
Minimum DAT: 4368 (06/23/2004)
Updated DAT: 4782 (06/12/2006)
Minimum Engine: 5.1.00
Description Added: 06/17/2004
Description Modified: 06/18/2004 3:47 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This self-executing worm spreads by exploiting a Microsoft Windows vulnerability (the LSASS buffer overflow described under Method of Infection).

The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.

Symptoms

The worm copies itself to the WINDOWS SYSTEM directory (such as c:\windows\system32) using a random file name, and creates a registry run key to load automatically at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Windows Update" = C:\WINDOWS\System32\[random name].exe

An additional marker key is created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless

The worm is stealthy by nature and hides itself as a thread inside Windows explorer.exe. Its process therefore cannot be seen in the Process list of Task Manager.

The worm attempts to connect to a list of hosts on TCP port 80. The connections are random and intermittent. Some of the targeted hosts are:

  • citi-bank.ru
  • kidos-bank.ru
  • color-bank.ru
  • asechka.ru
  • goldensand.ru
  • adult-empire.com
  • www.redline.ru

Method of Infection

This worm exploits vulnerable Microsoft Windows systems. The worm scans IP addresses in the local class A or class B subnets as well as random IP addresses, sending SYN packets on TCP port 445 to identify potential victims. Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and execute the virus on the victim system.
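The two network behaviours this description gives a defender to look for are a source sweeping many hosts on TCP/445 and outbound TCP/80 connections to the hosts listed under Symptoms. The following is an added example, not part of the McAfee description, that flags both in a log; the "proto src dst:dport [host=...]" line format, the sample traffic and the scan threshold are all constructed for this example.

```python
import re
from collections import defaultdict

# Network indicators taken from the description: C2 hosts contacted on TCP/80
# and SYN scanning of TCP/445 (the port the LSASS exploit is delivered over).
KORGO_DOMAINS = {
    "citi-bank.ru", "kidos-bank.ru", "color-bank.ru", "asechka.ru",
    "goldensand.ru", "adult-empire.com", "www.redline.ru",
}
# Assumed tuning value: distinct TCP/445 targets from one source before we flag a scan.
SCAN_THRESHOLD = 20

# Constructed log format for this example: "proto src dst:dport [host=<HTTP Host header>]".
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp) (?P<src>[\d.]+) (?P<dst>[\d.]+):(?P<dport>\d+)(?: host=(?P<host>\S+))?$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def find_445_scanners(records, threshold=SCAN_THRESHOLD):
    """Sources that touched at least `threshold` distinct hosts on TCP/445: worm-style sweeping."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == 445:
            targets[r["src"]].add(r["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)

def find_c2_contacts(records):
    """(src, host) pairs for TCP/80 connections to the hosts named in the description."""
    hits = {(r["src"], r["host"]) for r in records
            if r["proto"] == "tcp" and r["dport"] == 80 and r["host"] in KORGO_DOMAINS}
    return sorted(hits)

def analyze(log_text):
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {"scanners": find_445_scanners(records), "c2": find_c2_contacts(records)}

# Constructed sample traffic: 10.0.0.5 sweeps 25 neighbours on 445 and phones home;
# 10.0.0.9 makes one normal SMB connection, browses a benign site and does a DNS lookup.
SAMPLE_LOG = "\n".join(
    [f"tcp 10.0.0.5 10.0.1.{i}:445" for i in range(1, 26)]
    + ["tcp 10.0.0.5 203.0.113.10:80 host=kidos-bank.ru",
       "tcp 10.0.0.9 10.0.1.2:445",
       "tcp 10.0.0.9 198.51.100.7:80 host=example.com",
       "udp 10.0.0.9 10.0.0.1:53"]
)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Only the sweeping host is reported; the single legitimate SMB connection from 10.0.0.9 stays below the threshold.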

Removal

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32//Korgo.L (Symantec)
  • W32/Korgo.N.worm (Panda)
  • Worm.Win32.Padobot.g (Kaspersky)
