Alias: W32.Korgo.A, Worm.Win32.Padobot.b, Exploit-Lsass.gen
Type: Worm
Size: 34,880 Bytes
Origin: unknown
Date: 05-22-2004
Damage: Uses "LSASS Windows" security hole
VDF Version: 6.25.00.70
Danger: Medium
Distribution: Medium

Distribution

Worm/Padobot.A listens on TCP ports 113, 3067 and 2041. If it can connect to another system over one of these ports, it sends itself there. Worm/Padobot.A spreads using the LSASS security hole, as Worm/Sasser did.

Technical Details

When activated, Padobot.A deletes the file go.exe from the folder it was run from. The worm creates the mutexes "r10", "u2" and "uterm5" to check whether one of its instances is already active on the system.

The worm checks whether the following registry entry exists:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\
"WinUpdate"="%"

If it does not exist, the worm creates the registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless\
"Server"="1"

If the file "WinUpdate" exists but is not in the same folder as the worm, the worm copies itself to:

%SystemDIR%\%random name%.exe

and creates the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\
"WinUpdate"="%System%\%random file name%.exe"

It tries to contact the following IRC servers on TCP port 6667:
- moscow-advokat.ru
- graz.at.eu.undernet.org
- flanders.be.eu.undernet.org
- caen.fr.eu.undernet.org
- brussels.be.eu.undernet.org
- los-angeles.ca.us.undernet.org
- washington.dc.us.undernet.org
- london.uk.eu.undernet.org
- lia.zanet.net
- gaspode.zanet.org.za
- irc.kar.net

The worm attacks other systems over TCP port 445 using the LSASS Windows security hole. If the exploit succeeds, the targeted computer connects back to the infecting host and downloads the worm. The worm then enters an endless loop, which conceals that the computer has been compromised.
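The following is an added example, not part of the Avira description: a Python check that takes the indicators listed above (the "WinUpdate" Run value pointing into the system directory, the Wireless\Server marker, the three listening ports and the IRC servers on port 6667) and applies them to a .reg export and to connection-log lines. The .reg text and the connection lines are constructed samples, the log line format, the file name qzxrt.exe, the function names and the assumption that %System% is the system32 directory are all mine, not taken from the page.

```python
"""Indicator check for Worm/Padobot.A built from the description above.
Hypothetical example: sample inputs are constructed, not captured."""
import re
from collections import defaultdict

# Indicators taken from the description.
LISTEN_PORTS = {113, 3067, 2041}
IRC_PORT = 6667
IRC_SERVERS = {
    "moscow-advokat.ru", "graz.at.eu.undernet.org", "flanders.be.eu.undernet.org",
    "caen.fr.eu.undernet.org", "brussels.be.eu.undernet.org",
    "los-angeles.ca.us.undernet.org", "washington.dc.us.undernet.org",
    "london.uk.eu.undernet.org", "lia.zanet.net", "gaspode.zanet.org.za",
    "irc.kar.net",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WIRELESS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (REG_SZ values only)."""
    reg = defaultdict(dict)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            reg[key][name.strip('"')] = data
    return dict(reg)


def registry_indicators(reg):
    """Findings matching the persistence the description lists."""
    findings = []
    run_value = reg.get(RUN_KEY, {}).get("WinUpdate")
    # The file name is random, so match on location: an .exe in the system
    # directory (assumed here to be system32), not on a fixed name.
    if run_value and re.search(r"\\system32\\[^\\]+\.exe$", run_value, re.IGNORECASE):
        findings.append(f"Run\\WinUpdate points into the system directory: {run_value}")
    if reg.get(WIRELESS_KEY, {}).get("Server") == "1":
        findings.append("HKLM\\SOFTWARE\\Microsoft\\Wireless\\Server = 1 (infection marker)")
    return findings


# Constructed log format (an assumption): "<date> <time> <LISTEN|OUT|IN> <ip>:<port> [-> <host>:<port>]"
CONN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kind>LISTEN|OUT|IN) (?P<lip>[\d.]+):(?P<lport>\d+)"
    r"(?: -> (?P<rhost>[\w.-]+):(?P<rport>\d+))?$"
)


def parse_connections(lines):
    conns = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["lport"] = int(d["lport"])
            d["rport"] = int(d["rport"]) if d["rport"] else None
            conns.append(d)
    return conns


def network_indicators(conns):
    """Findings matching the listening ports and IRC contacts the description lists."""
    findings = []
    listening = {c["lport"] for c in conns if c["kind"] == "LISTEN"}
    hit = listening & LISTEN_PORTS
    # All three ports open together is the strong signal; 113 alone is a
    # legitimate ident service, so a partial match is only a weak one.
    if hit == LISTEN_PORTS:
        findings.append("listening on all three Padobot ports 113, 3067, 2041")
    elif hit:
        findings.append(f"listening on Padobot port(s) {sorted(hit)} (weak, verify the owning process)")
    for c in conns:
        if c["kind"] == "OUT" and c["rport"] == IRC_PORT and (c["rhost"] or "").lower() in IRC_SERVERS:
            findings.append(f"outbound IRC to listed server {c['rhost']}:{IRC_PORT}")
    return findings


def assess(reg_text, conn_lines):
    reg_findings = registry_indicators(parse_reg_export(reg_text))
    net_findings = network_indicators(parse_connections(conn_lines))
    return {
        "registry": reg_findings,
        "network": net_findings,
        # Persistence plus matching network behaviour: treat as a probable infection.
        "probable_infection": bool(reg_findings) and bool(net_findings),
    }


# Constructed sample inputs (not real captures).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinUpdate"="C:\\WINDOWS\\system32\\qzxrt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless]
"Server"="1"
"""
SAMPLE_CONNECTIONS = [
    "2004-06-15 10:01:02 LISTEN 0.0.0.0:113",
    "2004-06-15 10:01:02 LISTEN 0.0.0.0:3067",
    "2004-06-15 10:01:02 LISTEN 0.0.0.0:2041",
    "2004-06-15 10:01:05 OUT 192.0.2.10:1041 -> irc.kar.net:6667",
    "2004-06-15 10:01:09 OUT 192.0.2.10:1042 -> www.example.com:80",
]

if __name__ == "__main__":
    for section, items in assess(SAMPLE_REG, SAMPLE_CONNECTIONS).items():
        print(section, items)
```

The registry match is deliberately on the directory rather than the file name, because the description says the name is random; the port check treats a lone port 113 listener as weak because ident is a legitimate service, so only the combination of persistence and network indicators is reported as a probable infection.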
Description inserted by Crony Walker on Tuesday, June 15, 2004
