Win32/Korgo [Threat Name]
Win32/Korgo.A [Threat Variant Name]
Category | worm |
Size | 10240 B |
Aliases | Net-Worm.Win32.Padobot.b (Kaspersky), W32.Korgo.A (Symantec), W32/Korgo.worm.a (McAfee) |
Short description
The worm connects to the IRC network. It can be controlled remotely. It connects to TCP port 445 on remote machines in an attempt to exploit the LSASS vulnerability.
Installation
When executed, the worm copies itself into the %system% folder using a random filename.
The filename has the following extension:
- .exe
The following file is deleted:
- go.exe
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "WinUpdate" = "%system%\%variable%.exe"
A string with variable content is used instead of %variable%.
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless]
- "Server" = 1
Spreading
The worm opens the following TCP ports:
- 113
- 2041
- 3067
The worm generates random IP addresses.
It connects to TCP port 445 on remote machines in an attempt to exploit the LSASS vulnerability.
If successful, the remote computer attempts to connect to the infected computer and download a copy of the worm.
This vulnerability is described in Microsoft Security Bulletin MS04-011.
Other information
The worm connects to the IRC network.
It can be controlled remotely.
The worm connects to the following addresses:
- moscow-advokat.ru (TCP:6667)
- graz.at.eu.undernet.org (TCP:6667)
- flanders.be.eu.undernet.org (TCP:6667)
- caen.fr.eu.undernet.org (TCP:6667)
- brussels.be.eu.undernet.org (TCP:6667)
- los-angeles.ca.us.undernet.org (TCP:6667)
- washington.dc.us.undernet.org (TCP:6667)
- london.uk.eu.undernet.org (TCP:6667)
- lia.zanet.net (TCP:6667)
- gaspode.zanet.org.za (TCP:6667)
- irc.kar.net (TCP:6667)
The worm prevents the computer from shutting down.
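A defender-side triage check for the host indicators listed above (the Run\WinUpdate persistence entry, the Wireless\Server marker, the listener ports and IRC sessions on TCP 6667), written as an added Python example that is not part of this write-up. The .reg export and netstat output it parses are constructed samples; the filename qzxk.exe and the IRC peer address are placeholders.

```python
import re

# Host indicators from the Korgo.A description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WIRELESS_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless"
LISTEN_PORTS = {113, 2041, 3067}
IRC_PORT = 6667

def parse_reg_export(text):
    # Minimal .reg parser -> {key: {value_name: data}}; unescapes doubled backslashes.
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys.setdefault(cur, {})
        elif cur is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[cur][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def check_registry(reg):
    findings = []
    # Persistence: Run\WinUpdate pointing at a randomly named .exe in the system folder.
    val = reg.get(RUN_KEY, {}).get("WinUpdate", "")
    if re.fullmatch(r"(?i)(%system%|c:\\windows\\system32)\\[^\\]+\.exe", val):
        findings.append(f"Run\\WinUpdate -> {val}")
    # Infection marker: Wireless\Server = 1 (a REG_DWORD exports as dword:00000001).
    if reg.get(WIRELESS_KEY, {}).get("Server") in ("1", "dword:00000001"):
        findings.append("Wireless\\Server = 1")
    return findings

def check_netstat(text):
    # Flag the worm's listener ports and outbound IRC sessions in `netstat -an` output.
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue  # header lines and UDP rows
        lport = int(parts[1].rsplit(":", 1)[1])
        rport = int(parts[2].rsplit(":", 1)[1])
        if parts[3] == "LISTENING" and lport in LISTEN_PORTS:
            findings.append(f"listening on TCP {lport}")
        elif parts[3] == "ESTABLISHED" and rport == IRC_PORT:
            findings.append(f"IRC session to {parts[2]}")
    return findings

# Constructed sample host data, not a real capture (TEST-NET address for the IRC peer).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinUpdate"="C:\\WINDOWS\\system32\\qzxk.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless]
"Server"=dword:00000001'''
SAMPLE_NETSTAT = """  Proto  Local Address      Foreign Address    State
  TCP    0.0.0.0:113        0.0.0.0:0          LISTENING
  TCP    0.0.0.0:445        0.0.0.0:0          LISTENING
  TCP    192.168.1.20:1057  203.0.113.7:6667   ESTABLISHED"""
```

Port 445 listening is normal on Windows and is deliberately not flagged; only the worm's own listener ports and the established IRC session are reported.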