W32/Korgo-R is a network worm using the LSASS exploit to propagate (MS04-011). When executed the worm copies itself to the Windows system folder using a randomly generate name and creates the following registry entry so that the worm starts when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update = <Windows system folder>\<random name>.exe
During infection the worm will also use the temporary registry value
HKLM\Software\Microsoft\Wireless\Client = 1ID = <random string>
W32/Korgo-R scans random IP addresses attempting to exploit them, and
sending the results to a remote PHP script. Infected machines run a
basic web server on ports TCP/2000-8191 and will serve the worms content
upon connection.
W32/Korgo-R includes a backdoor component which can be used to upload and
run files on the infected computer.