W32.Korgo.A, Worm.Win32.Padobot.b, Exploit-Lsass.gen
Uses "LSASS Windows" security hole
Worm/Padobot.A listens on TCP ports 113, 3067 and 2041. If it can connect to another system over one of these ports, it sends a copy of itself there. Worm/Padobot.A spreads through the LSASS security hole, as Worm/Sasser did.
When activated, Padobot.A deletes the file go.exe from the folder it was run from. The worm creates the mutexes "r10", "u2" and "uterm5" to check whether another instance of itself is already active on the system.
The worm checks if there is the following registry entry:
If it does not exist, the worm makes the registry entry:
If the "WinUpdate" entry exists but does not point at the folder the worm is running from, the worm copies itself to:
and makes the following registry entry:
"WinUpdate"="%System%\%random file name%.exe"
It tries to contact the following IRC servers on TCP Port 6667:
The worm starts an attack over TCP port 445 using the LSASS Windows security hole. If the attack succeeds, the contacted computer connects back to the attacking host and downloads the worm. The worm then enters an endless loop so that the compromise of the computer is not noticed.
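The following triage helper is an added example, not an Avira tool or part of the original description. It checks a host for the three indicators the description names: a process listening on TCP 113, 3067 or 2041; an outbound connection to an IRC server on TCP 6667; and an autostart value named "WinUpdate" pointing at an .exe directly in %System%. The netstat-style text and the dictionary of autostart values are constructed sample input, and the assumption that the value is collected from a Run-type key is mine, since the page does not name the key.

```python
"""Triage helper for the Worm/Padobot.A indicators above (added example)."""
import re

WORM_LISTEN_PORTS = {113, 3067, 2041}   # ports named in the description
IRC_PORT = 6667                         # IRC port named in the description
AUTOSTART_VALUE = "WinUpdate"           # registry value named in the description

# One "netstat -ano" style row: proto, local addr:port, foreign addr:port, state, pid
_NETSTAT_RE = re.compile(
    r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$"
)


def parse_netstat(text):
    """Return a list of dicts for the TCP rows; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        rows.append({
            "local_port": int(m.group(3)),
            "remote_port": int(m.group(5)),
            "state": m.group(6),
            "pid": int(m.group(7)),
        })
    return rows


def find_network_indicators(netstat_text):
    """Return (pids listening on worm ports, pids with an IRC connection)."""
    listeners, irc = set(), set()
    for r in parse_netstat(netstat_text):
        if r["state"] == "LISTENING" and r["local_port"] in WORM_LISTEN_PORTS:
            listeners.add(r["pid"])
        elif r["state"] == "ESTABLISHED" and r["remote_port"] == IRC_PORT:
            irc.add(r["pid"])
    return listeners, irc


# "%System%\<name>.exe" with no further subfolder, case-insensitive
_SYSTEM_EXE_RE = re.compile(r"^%system%\\[^\\]+\.exe$", re.IGNORECASE)


def find_autostart_indicator(run_values):
    """True if a value named WinUpdate points at an .exe directly in %System%.

    run_values maps value name -> data, as collected from an autostart key
    (assumption: a Run-type key; the page does not say which key is used).
    """
    data = run_values.get(AUTOSTART_VALUE)
    return bool(data) and _SYSTEM_EXE_RE.match(data.strip('"')) is not None


def triage(netstat_text, run_values):
    """Combine the indicators; a PID that both listens and talks IRC is suspect."""
    listeners, irc = find_network_indicators(netstat_text)
    return {
        "listening_pids": sorted(listeners),
        "irc_pids": sorted(irc),
        "autostart_hit": find_autostart_indicator(run_values),
        "suspect_pids": sorted(listeners & irc),
    }


# Constructed sample data (not captured from a real infection)
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1408
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING       1408
  TCP    192.0.2.10:1054        198.51.100.7:6667      ESTABLISHED     1408
  TCP    192.0.2.10:1060        198.51.100.9:443       ESTABLISHED     2200
"""
SAMPLE_RUN_VALUES = {
    "WinUpdate": r"%System%\kdflq.exe",    # constructed random file name
    "ctfmon.exe": r"%System%\ctfmon.exe",  # benign entry for contrast
}

if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_RUN_VALUES))
```

On a real host the netstat text would come from `netstat -ano` and the autostart values from the usual Run keys; the regex deliberately requires the executable to sit directly in %System% under a name that is not a known system binary, which is the pattern the description gives, so a hit should be followed by checking the PID's image path and the mutex names listed above.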
Description inserted by Crony Walker on Tuesday, June 15, 2004