W32/Korgo-P

Category: Viruses and Spyware
Type: Win32 worm
Prevalence:


W32/Korgo-P is a network worm that uses the LSASS exploit to propagate
(see Microsoft Security Bulletin MS04-011 for more details).

W32/Korgo-P copies itself to the Windows system folder under a randomly
generated filename between 5 and 8 characters long and creates the following
registry entry so that it runs on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update

W32/Korgo-P attempts to send itself to random IP addresses by HTTP with
the filename X.EXE.

W32/Korgo-P sends encrypted reports to a number of remote websites and
may be instructed to download and run further files from them to a random
6-letter filename in the Windows system folder.

W32/Korgo-P attempts to delete the file FTPUPD.EXE. The worm also tries
to terminate certain processes, including SysTray, WinUpdate and Disk
Defragmenter, and deletes their corresponding entries in the registry at the
following location so that they no longer run on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

W32/Korgo-P sets the following registry entry temporarily during infection:

HKLM\Software\Microsoft\Wireless\Client = 1

W32/Korgo-P sets the following registry entry to a random string:

HKLM\SOFTWARE\Microsoft\Wireless\ID
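The registry artefacts listed above (the "Windows Update" Run value pointing at a randomly named executable, the temporary Wireless\Client flag and the random Wireless\ID string) can be checked for offline in a registry export. The following is an added example, not part of this Sophos description: it parses a constructed .reg export and reports which of those indicators are present; the sample paths and values are invented for illustration.

```python
import re

# Constructed sample .reg export (not from a real host); values mirror the advisory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINDOWS\\system32\\kqzfwd.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless]
"Client"=dword:00000001
"ID"="zmqtrpkl"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
RANDOM_EXE_RE = re.compile(r'^[a-z0-9]{5,8}\.exe$', re.IGNORECASE)  # 5-8 char dropped file
RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN'
WIRELESS_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WIRELESS'

def parse_reg(text):
    """Map each key in a .reg export to {value_name: data} (strings and dwords decoded)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = keys.setdefault(key.group(1).upper(), {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, raw = val.groups()
            if raw.startswith('"') and raw.endswith('"'):
                current[name] = raw[1:-1].replace('\\\\', '\\')  # undo .reg escaping
            elif raw.lower().startswith('dword:'):
                current[name] = int(raw[6:], 16)
            else:
                current[name] = raw  # hex(...) and other types left untouched
    return keys

def korgo_indicators(text):
    """Return the Korgo-P persistence and marker indicators present in a .reg export."""
    keys = parse_reg(text)
    findings = []
    target = keys.get(RUN_KEY, {}).get('Windows Update')
    if isinstance(target, str) and RANDOM_EXE_RE.match(target.rsplit('\\', 1)[-1]):
        findings.append('Run\\Windows Update -> ' + target)
    wireless = keys.get(WIRELESS_KEY, {})
    if wireless.get('Client') == 1:
        findings.append('Wireless\\Client = 1')
    if 'ID' in wireless:
        findings.append('Wireless\\ID = ' + str(wireless['ID']))
    return findings
```

Run it against an export produced with `reg export HKLM\SOFTWARE out.reg` and treat any finding as grounds for a full scan; the Run value alone is the persistence mechanism to remove.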
