Alias: W32.Korgo.M
Type: Worm
Size: 11,391 Bytes
Origin: unknown
Date: 06-22-2004
Damage: Uses Microsoft Windows LSASS Security Hole
VDF Version: 6.25.00.108
Danger: Low
Distribution: Medium

General Description
Affected OSs:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP

Distribution
Worm/Korgo.M opens TCP port 113 and another random port between 2000 and 8191 for spreading itself.
The worm exploits the Microsoft Windows LSASS security hole over TCP port 445, contacting a random IP address in order to spread itself.

Technical Details
When activated, Worm/Korgo.M deletes the file Ftpupd.exe. It uses several mutexes to ensure that only one instance of itself is active:
uterm13.2i
u8
u9
u10
u11
u12
u13
u13i
u13.2i
u14

The worm looks for the following registry entries and deletes them if they exist:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Windows Security Manager"="%variable%"
"Disk Defragmenter"="%variable%"
"System Restore Service"="%variable%"
"Bot Loader"="%variable%"
"SysTray"="%variable%"
"WinUpdate"="%variable%"
"Windows Update Service"="%variable%"
"avserve.exe"="%variable%"
"avserve2.exeUpdate Service"="%variable%"
"MS Config v13"="%variable%"

The worm then checks whether the following registry entry exists:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"System Update"="%variable%"

If it does not, the worm creates the following entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless
"Client"="1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless
"ID"="%variable%"

Afterwards, the worm copies itself into the Windows system folder under a random name
(*.exe) and creates the registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"System Update"="%variable%.exe"

If a "System Update" registry entry already exists and it points to the worm's .exe
file, the worm instead deletes the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless
"Client"=

The worm tries to start a Windows thread or a background process named Shell_TrayWnd. If this succeeds, the worm is activated by that process.
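The registry and network behaviour described above can be turned into a read-only host triage check. The following PowerShell script is an added example, not part of the Avira description; it assumes an elevated session on a modern Windows host (Get-NetTCPConnection requires the NetTCPIP module, Windows 8 / Server 2012 or later) and only reports what it finds.

```powershell
# Added example (not from the Avira description): read-only triage for the host
# artifacts this description attributes to Worm/Korgo.M. Assumes an elevated session.
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$WirelessKey = 'HKLM:\SOFTWARE\Microsoft\Wireless'
# Run-key value names from the description: the worm's own "System Update" entry plus
# the entries of other variants that it deletes.
$KnownRunNames = @('System Update', 'Windows Security Manager', 'Disk Defragmenter',
                   'System Restore Service', 'Bot Loader', 'SysTray', 'WinUpdate',
                   'Windows Update Service', 'avserve.exe', 'MS Config v13')
$findings = New-Object System.Collections.Generic.List[string]

$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($name in $KnownRunNames) {
        $prop = $run.PSObject.Properties[$name]
        if (-not $prop) { continue }
        $findings.Add("Run value '$name' = '$($prop.Value)'")
        # The description says the worm's entry points at a random *.exe in the system folder;
        # if the value is a plain path, record size and hash for comparison with the 11,391-byte sample.
        $exe = [string]$prop.Value
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $size = (Get-Item -LiteralPath $exe).Length
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            $findings.Add("  -> file exists: $exe ($size bytes, SHA256 $hash)")
        }
    }
}

if (Test-Path $WirelessKey) {
    $w = Get-ItemProperty -Path $WirelessKey
    if ($w.PSObject.Properties['Client'] -and "$($w.Client)" -eq '1') {
        $findings.Add("Wireless\Client = 1 (infection marker from the description)")
    }
    if ($w.PSObject.Properties['ID']) {
        $findings.Add("Wireless\ID = '$($w.ID)'")
    }
}

# Listeners in the ranges the description names (TCP 113, and 2000-8191). The wide range
# will include legitimate services, so the owning process path is reported for review.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq 113 -or ($_.LocalPort -ge 2000 -and $_.LocalPort -le 8191) } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("Listening TCP $($_.LocalPort), PID $($_.OwningProcess) ($($p.Path))")
    }

if ($findings.Count -eq 0) { 'No Korgo.M artifacts from the description found.' }
else { $findings }
```

A hit on "System Update" alone is not conclusive, since the name is generic; the Wireless\Client marker together with an unsigned random-named .exe in the system folder is the stronger combination.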

Worm/Korgo.M tries to contact one of a list of IRC servers to receive information.
This description was created by Crony Walker on Tuesday, 15 June 2004.
