Alias: W32.Korgo.Q
Type: Worm
Size: 9,534 Bytes
Origin: unknown
Date: 06-26-2004
Damage: Uses Microsoft Windows LSASS Security Hole
VDF Version: 6.26.00.07
Danger: Low
Distribution: Medium

General Description
Affected Operating Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP

Distribution
Worm/Korgo.Q opens TCP port 113 and a random TCP port between 256 and 8191, which it uses for spreading itself to other computers.
It tries to update itself over HTTP from one of several hard-coded servers.

The worm exploits the Microsoft Windows LSASS security hole over TCP port 445: it contacts random IP addresses and attempts to spread to each one.
If it finds a computer on which this security hole is not patched, it downloads a copy of itself onto that computer.

Technical Details
When activated, Worm/Korgo.Q deletes the file Ftpupd.exe. It creates the mutex uterm19 to make sure that only one instance of itself is running.

The worm looks for certain registry entries. If these exist, it will delete them:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Windows Security Manager"="%variable%"
"Disk Defragmenter"="%variable%"
"System Restore Service"="%variable%"
"Bot Loader"="%variable%"
"SysTray"="%variable%"
"WinUpdate"="%variable%"
"Windows Update Service"="%variable%"
"avserve.exe"="%variable%"
"avserve2.exe"="%variable%"
"Update Service"="%variable%"
"MS Config v13"="%variable%"

Afterwards, the worm copies itself into the Windows system folder under a random name and creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless\
"Client"="1"
"ID"="%random value%"

The following entry enables the worm to automatically start:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Cryptographic Service"="%SystemDIR%\%variable%.exe"

The worm tries to inject itself into the running EXPLORER.EXE process so that it no longer appears in the task list. If this fails, the worm runs as its own process and can be seen in the task list.
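The registry, mutex and port artifacts listed above can be checked on a suspect host. The following PowerShell script is an added example, not part of the Avira description; it assumes Windows PowerShell 5.1 or later with the NetTCPIP module (Get-NetTCPConnection), and should be run from an elevated prompt.

```powershell
# Added example: check a host for the Worm/Korgo.Q artifacts named in the advisory.
# Assumptions: PowerShell 5.1+, NetTCPIP module present, run as Administrator.
$findings = @()

# 1. Autostart value "Cryptographic Service" under the HKLM Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Cryptographic Service']) {
    $val = $run.'Cryptographic Service'
    $findings += "Run value 'Cryptographic Service' = $val"
}

# 2. Marker key HKLM\SOFTWARE\Microsoft\Wireless with Client=1 and a random ID.
$wlKey = 'HKLM:\SOFTWARE\Microsoft\Wireless'
if (Test-Path $wlKey) {
    $wl = Get-ItemProperty -Path $wlKey
    if ("$($wl.Client)" -eq '1') {
        $findings += "Marker key $wlKey present: Client=1 ID=$($wl.ID)"
    }
}

# 3. Mutex uterm19: OpenExisting throws WaitHandleCannotBeOpenedException
#    when no such mutex exists; any other exception is reported for review.
try {
    $m = [System.Threading.Mutex]::OpenExisting('uterm19')
    $m.Dispose()
    $findings += "Mutex 'uterm19' exists (a worm instance is probably running)"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present: nothing to report
} catch {
    $findings += "Could not query mutex 'uterm19': $($_.Exception.Message)"
}

# 4. Listener on TCP 113, reported with the owning process for triage.
Get-NetTCPConnection -State Listen -LocalPort 113 -ErrorAction SilentlyContinue |
  ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 113 listening: PID $($_.OwningProcess) ($($p.ProcessName))"
  }

if ($findings.Count -eq 0) { 'No Worm/Korgo.Q artifacts found.' } else { $findings }
```

A hit on the Run value or the Wireless key alone indicates the persistence described above; the mutex and port checks only fire while the worm is actually running.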

Description inserted by Crony Walker on Tuesday, 15 June 2004
