Anti-virus firms have raised the peril index of the Korgo worm up a notch following the spread of several new variants this week.
Korgo (aka Padobot) exploits the Microsoft Windows Local Security Authority Subsystem Service (LSASS) vulnerability to spread between unpatched machines. The same flaw was infamously exploited by the Sasser worm and by a number of less prolific worms since. Korgo has some nasty tricks up its sleeve, but the worm is far less prolific than Sasser.
The worm was written by the Russian Hangup Team virus group, according to Finnish AV firm F-Secure. All seven variants of the worm are very similar.
Korgo-A and its variants are written in C++, are approximately 10KB in size and are packed using UPX. When launched, the worm copies itself to the Windows system directory under a random file name and registers that file in a system registry auto-run key so that it is relaunched after every reboot. It then scans random IP addresses on TCP port 445 looking for further machines to attack. It also listens on TCP ports 113 and 3067, and on other random ports, giving hackers backdoor access to infected (zombie) machines. Compromised machines also attempt to connect to several IRC servers to receive commands and transmit data to their controllers.
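The scanning and backdoor behaviour described above is visible in ordinary firewall logs, which makes it a good candidate for a quick detection check. The following Python script is an added example, not code from the article, from F-Secure or from any AV vendor: it parses connection-log lines in a constructed, hypothetical format (timestamp, protocol, source, destination, action) and flags source hosts that hit many distinct addresses on TCP/445 within a short window, plus internal hosts that accept inbound connections on the Korgo backdoor ports 113 and 3067. The log format, the sample log lines and the thresholds are all assumptions made for the example; adapt the parser to your firewall's real format.

```python
"""Added example (not from the article): flag Korgo-style activity in
firewall connection logs.

Korgo scans random hosts on TCP/445, listens on TCP/113 and TCP/3067 for
backdoor access, and calls out to IRC servers.  The log format, sample
lines and thresholds below are constructed for this example.
"""

from collections import defaultdict
import re

# Hypothetical log format (assumption for the example):
#   "<epoch> <proto> <src_ip>:<sport> -> <dst_ip>:<dport> <ACCEPT|DROP>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ACCEPT|DROP)$"
)

KORGO_BACKDOOR_PORTS = {113, 3067}  # listeners named in the article
SCAN_PORT = 445                     # LSASS / SMB attack port
SCAN_THRESHOLD = 20                 # distinct 445 targets inside one window
SCAN_WINDOW = 60                    # seconds (assumed tuning value)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ts", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def detect(lines):
    """Return {ip: set(reasons)} for hosts showing Korgo-like behaviour."""
    attempts = defaultdict(list)   # src -> [(ts, dst)] for port-445 attempts
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        # Inbound connection accepted on a known backdoor port: the
        # destination host is probably running the worm's listener.
        if rec["action"] == "ACCEPT" and rec["dport"] in KORGO_BACKDOOR_PORTS:
            findings[rec["dst"]].add("backdoor-port-%d" % rec["dport"])
        elif rec["dport"] == SCAN_PORT:
            attempts[rec["src"]].append((rec["ts"], rec["dst"]))
    # Sliding window over each source's 445 attempts: a real file-server
    # client talks to a few addresses; a scanner sprays many distinct ones.
    for src, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > SCAN_WINDOW:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= SCAN_THRESHOLD:
                findings[src].add("scan445")
                break
    return dict(findings)


def constructed_sample_log():
    """Constructed sample lines: one benign client, one infected host."""
    lines = []
    ts = 1086000000
    # Benign: workstation 10.0.0.2 repeatedly reaching its file server on 445
    for i in range(30):
        lines.append("%d TCP 10.0.0.2:%d -> 10.0.0.100:445 ACCEPT" % (ts + i, 40000 + i))
    # Suspicious: 10.0.0.7 probes 25 distinct addresses on 445 within 25 seconds
    for i in range(25):
        lines.append("%d TCP 10.0.0.7:%d -> 203.0.113.%d:445 DROP" % (ts + i, 1025 + i, i + 1))
    # Suspicious: an outside host connects in to 10.0.0.7 on backdoor port 3067
    lines.append("%d TCP 198.51.100.9:51234 -> 10.0.0.7:3067 ACCEPT" % (ts + 40))
    lines.append("not a log line")  # unparseable noise is skipped
    return lines


if __name__ == "__main__":
    for host, reasons in sorted(detect(constructed_sample_log()).items()):
        print(host, sorted(reasons))
```

Run against the constructed log, only 10.0.0.7 is reported, for both the TCP/445 spray and the accepted inbound connection on 3067; the workstation talking to a single file server on 445 is left alone because the check counts distinct destinations, not connection volume.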
Once infected, a victim machine will display an error message that the LSASS service has failed, commonly followed by a forced reboot. Standard defensive precautions apply against all variants of Korgo: patch Windows boxes, update anti-virus signature files and use firewalls (blocking inbound TCP port 445 shuts the door the worm uses to get in). Most Windows users should already have these precautions in place post Sasser. Let's be careful out there. ®