Size: 9,534 Bytes
Damage: Uses Microsoft Windows LSASS Security Hole
VDF Version: 

General Description
Affected Operating Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP

Distribution
Worm/Korgo.Q opens a random TCP port 113 between 256 and 8191, to spread itself to other computers.
It tries to update itself using one of the following HTTP servers:

The worm uses the Microsoft Windows LSASS security hole over TCP port 445 to contact a random IP address and spread itself.
If the worm finds a computer on which this security hole is not patched, it downloads itself onto it.

Technical Details
When activated, Worm/Korgo.Q deletes the file Ftpupd.exe. It uses the mutex uterm19 to make sure that only one instance of itself is active.

The worm looks for certain registry entries. If these exist, it will delete them:
"Windows Security Manager"="%variable%"
"Disk Defragmenter"="%variable%"
"System Restore Service"="%variable%"
"Bot Loader"="%variable%"
"Windows Update Service"="%variable%"
"avserve2.exeUpdate Service"="%variable%"
"MS Config v13"="%variable%"

Afterwards, the worm copies itself to the Windows system folder under a random name and creates the registry entry:
ID=%random Value%

The following entry enables the worm to start automatically:
"Cryptographic Service"="%SystemDIR%\%variable%.exe"

The worm tries to insert itself into the active task EXPLORER.EXE, so that it will no longer be visible in Tasklist. If this cannot be done, the worm starts as an active process and can be seen in Tasklist.
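The autostart entry described above can be checked offline against saved `reg query` output. The following is an added example, not part of the original description: the Run key shown in the sample, the system directory paths and the sample lines are assumptions constructed for illustration, since the description names only the value and `%SystemDIR%`.

```python
import re
from ntpath import basename, dirname, normcase

# Value name the description gives for the worm's autostart entry.
# Registry value names are case-insensitive, so compare in lower case.
AUTOSTART_VALUE = "cryptographic service"

# Assumption: typical locations of %SystemDIR%; adjust for the host examined.
SYSTEM_DIRS = {normcase(r"C:\WINDOWS\system32"), normcase(r"C:\WINNT\system32")}

# One value line of `reg query` text output: indented name, type and data,
# separated by a tab or four spaces (value names may contain single spaces).
VALUE_LINE = re.compile(
    r"^\s+(?P<name>.+?)(?:\t| {4})(?P<type>REG_[A-Z_]+)(?:\t| {4})(?P<data>.*)$"
)

# Constructed sample; the key path is an assumption, not taken from the page.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    Cryptographic Service    REG_SZ    C:\WINDOWS\system32\qhxkvbtz.exe
"""


def parse_values(text):
    """Return {lower-cased value name: data} for each value line."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name").strip().lower()] = m.group("data").strip()
    return values


def check_autostart(text):
    """Return 'absent', 'match' (name and path pattern) or 'name-only'."""
    data = parse_values(text).get(AUTOSTART_VALUE)
    if data is None:
        return "absent"
    path = data.strip('"')
    in_sysdir = normcase(dirname(path)) in SYSTEM_DIRS
    is_exe = basename(path).lower().endswith(".exe")
    return "match" if in_sysdir and is_exe else "name-only"


if __name__ == "__main__":
    print(check_autostart(SAMPLE))
```

A `name-only` result still deserves a look, because the value name alone matches the description even when the path does not.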

Description submitted by Crony Walker on Tuesday, June 15, 2004
