Alias: W32.Korgo.N
Type: Worm
Size: 9,344 Bytes
Origin: unknown
Date: 06-23-2004
Damage: Uses Microsoft Windows LSASS Security Hole
VDF Version: 6.25.00.109
Danger: Low
Distribution: Medium

General Description
Affected operating systems: Windows NT, Windows 2000, Windows XP, Windows Server 2003

Distribution
Worm/Korgo.N opens TCP ports 113 and 5111, plus one random port between 256 and 8191, to spread itself.
It tries to update itself from one of the following HTTP servers:

The worm exploits the Microsoft Windows LSASS security hole over TCP port 445: it contacts a random IP address and attempts to spread to it.
If it reaches a computer on which this security hole is not patched, it downloads itself onto that computer.

Technical Details
When activated, Worm/Korgo.N deletes the file Ftpupd.exe. It creates the mutex uterm18 to ensure that only one instance of itself is running.

The worm looks for certain registry entries. If these exist, it will delete them:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Windows Security Manager"="%variable%"
"Disk Defragmenter"="%variable%"
"System Restore Service"="%variable%"
"Bot Loader"="%variable%"
"SysTray"="%variable%"
"WinUpdate"="%variable%"
"Windows Update Service"="%variable%"
"avserve.exe"="%variable%"
"avserve2.exeUpdate Service"="%variable%"
"MS Config v13"="%variable%"

Afterwards, the worm copies itself into the Windows system folder under a random name
(*.exe) and creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless\
"Client"="1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Windows Update"="%SystemDIR%\%variable%.exe"

The worm tries to inject itself into the running EXPLORER.EXE process so that it
no longer appears in the task list.
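As an added defender-side triage helper, not part of the original description, the PowerShell function below checks a host for the registry, listening-port and mutex indicators listed above; the function name is my own choice. It assumes an elevated session, Get-NetTCPConnection (Windows 8 / Server 2012 or later; the older systems listed above would need netstat instead) and .NET 4.5 for the mutex check.

```powershell
# Added triage helper (not from the original description): checks a Windows
# host for the persistence and network indicators attributed to Worm/Korgo.N
# and returns a list of finding strings (empty list = nothing found).
function Test-KorgoNIndicators {
    $findings = @()
    $runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $wirelessKey = 'HKLM:\SOFTWARE\Microsoft\Wireless'
    $sysDir      = [Environment]::SystemDirectory   # e.g. C:\Windows\system32

    # Persistence value: Run\"Windows Update" = %SystemDIR%\<random>.exe
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains 'Windows Update')) {
        $data = $run.'Windows Update'
        if ($data -like "$sysDir\*.exe") {
            $findings += "Run value 'Windows Update' points into the system dir: $data"
        }
    }

    # Marker value: HKLM\SOFTWARE\Microsoft\Wireless\Client = "1"
    $wl = Get-ItemProperty -Path $wirelessKey -ErrorAction SilentlyContinue
    if ($wl -and ("$($wl.Client)" -eq '1')) {
        $findings += "Marker value Wireless\Client = 1 is present"
    }

    # Fixed listening ports 113 and 5111 used for spreading (random port not checked)
    $listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in @(113, 5111) }
    foreach ($c in $listen) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings += "TCP port $($c.LocalPort) is listening (PID $($c.OwningProcess), $($proc.ProcessName))"
    }

    # Single-instance mutex uterm18; TryOpenExisting needs .NET 4.5 or later
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting('uterm18', [ref]$m)) {
            $findings += "Mutex 'uterm18' exists on this host"
            $m.Dispose()
        }
    } catch [System.UnauthorizedAccessException] {
        $findings += "Mutex 'uterm18' exists but could not be opened (access denied)"
    }
    return $findings
}

Test-KorgoNIndicators
```

Any single finding warrants a closer look, but only the combination of the Run value, the marker value and the listening ports together matches the behaviour described on this page.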
Description inserted by Crony Walker on Tuesday, 15 June 2004
