Original URL: http://www.theregister.co.uk/2004/06/03/korgo_worm/
Korgo raises zombie PC army
Russian Hangup Team fingered in release
Posted in Malware, 3rd June 2004 11:05 GMT
Anti-virus firms have raised the peril index of the Korgo worm up a notch following the spread of several new variants this week.
Korgo (http://www.f-secure.com/v-descs/korgo.shtml) (aka Padobot) exploits the Microsoft Windows Local Security Authority Subsystem Service (LSASS) vulnerability (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx) to spread across vulnerable machines. The same flaw was infamously exploited by the Sasser worm and, since then, by a number of less prolific worms (http://www.theregister.co.uk/2004/05/11/sasser_saga_continues). Korgo has some nasty tricks up its sleeve, but the worm is far less prolific than Sasser.
The worm was written by the Russian Hangup Team virus group, according to Finnish AV firm F-Secure. All seven variants of the worm are very similar.
Korgo-A (and its variants) is written in C++, is approximately 10KB in size and is packed using UPX. When launched, the worm copies itself to the Windows system directory under a random name and registers this file in the system registry auto-run key. It then begins to randomly scan for further machines to attack on TCP port 445. It also listens on TCP ports 113, 3067 and other random ports, allowing hackers backdoor access to infected (zombie) machines. Compromised machines also attempt to connect to several IRC servers to receive commands and transmit data to their controllers.
Once infected, a victim machine will display an error message that the LSASS service has failed, commonly forcing a reboot. Standard defensive precautions apply against all variants of Korgo: patch Windows boxes, update anti-virus signature files and use firewalls. Most Windows users should already have these precautions in place post Sasser. Let's be careful out there. ®
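As an added illustration (not from the article, F-Secure or any Korgo sample), the two network traits described above, outbound scanning of TCP 445 and backdoor listeners on TCP 113 and 3067, can be turned into a simple triage check over firewall and netstat output. The log formats, host addresses and the scan threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall/netflow-style lines (not from the article):
# "<src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_FLOWS = """\
10.0.0.5 -> 10.0.0.17:445
10.0.0.5 -> 10.0.0.18:445
10.0.0.5 -> 10.0.0.19:445
10.0.0.5 -> 10.0.0.20:445
10.0.0.5 -> 10.0.0.21:445
10.0.0.5 -> 10.0.0.22:445
10.0.0.7 -> 10.0.0.1:445
10.0.0.7 -> 10.0.0.1:445
"""

# Constructed netstat-style listener lines from one host (not from the article).
SAMPLE_LISTENERS = """\
TCP 0.0.0.0:135 LISTENING
TCP 0.0.0.0:445 LISTENING
TCP 0.0.0.0:113 LISTENING
TCP 0.0.0.0:3067 LISTENING
"""

KORGO_LISTEN_PORTS = {113, 3067}  # backdoor ports named in the article
SCAN_THRESHOLD = 6                # distinct tcp/445 targets per source; assumed value

FLOW_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")

def scanning_hosts(log, threshold=SCAN_THRESHOLD):
    """Return sources that contacted >= threshold distinct hosts on tcp/445."""
    targets = defaultdict(set)
    for line in log.splitlines():
        m = FLOW_RE.match(line.strip())
        if m and int(m.group(3)) == 445:
            targets[m.group(1)].add(m.group(2))
    return sorted(src for src, hosts in targets.items() if len(hosts) >= threshold)

LISTEN_RE = re.compile(r"^TCP\s+\S+:(\d+)\s+LISTENING$")

def suspicious_listeners(netstat):
    """Return listening ports that match the Korgo backdoor ports.
    Note: 113 is also the legitimate ident service, so treat a hit as a
    lead to verify (which process owns the socket), not as proof of infection."""
    found = set()
    for line in netstat.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m and int(m.group(1)) in KORGO_LISTEN_PORTS:
            found.add(int(m.group(1)))
    return sorted(found)
```

Running `scanning_hosts(SAMPLE_FLOWS)` flags only 10.0.0.5 (six distinct targets), while 10.0.0.7, which only talks to a single file server, is not flagged.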