W32/Korgo-Fam

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Many Reports
Protection available since: 25 Sep 2006 00:00:00 (GMT)
Last Updated: 25 Sep 2006 00:00:00 (GMT)


W32/Korgo-Fam is a member of a family of network worms which use the
LSASS exploit (MS04-011) to propagate.

When run, the worms copy themselves to the Windows system folder using a
randomly generated name and create the following registry entry so that the
worm starts when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update = <Windows system>\<random name>.exe

During infection, the worm also uses the registry value
HKLM\Software\Microsoft\Wireless\ID = <random letters>

The worms may delete the file FTPUPD.EXE, if it exists. They may also
attempt to terminate processes such as SysTray, WinUpdate and avserve.exe
and may delete the corresponding entries, if they exist, at the following
registry location:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Members of the W32/Korgo-Fam family scan random IP addresses and attempt
to exploit them; the results of the scans are reported to one of several IRC
servers and channels, which the worms use to propagate.
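A defender-side check for the two registry artefacts described above (the "Windows Update" Run-key value pointing at a randomly named executable in the system folder, and the HKLM\Software\Microsoft\Wireless\ID value), written as an added example rather than anything from Sophos: it parses the text produced by `reg export` and reports matches. The sample export, the file names and the names `parse_reg` and `korgo_indicators` are constructed for this illustration; only REG_SZ string values are handled.

```python
import re

# Constructed sample in "reg export" text form; the .exe name and the ID are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows Update"="C:\\WINDOWS\\system32\\qxzkfw.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless]
"ID"="ahfkqlp"
'''

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WIRELESS_KEY = r"hkey_local_machine\software\microsoft\wireless"


def parse_reg(text):
    """Parse .reg export text into {key_path_lowercase: {value_name: data}} (REG_SZ only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # undo the .reg escaping of backslashes and quotes
                data = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
                keys[current][m.group(1)] = data
    return keys


def korgo_indicators(text):
    """Return (indicator, detail) pairs for the Korgo persistence artefacts found in a .reg dump."""
    keys = parse_reg(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Windows Update is a service, never a Run-key value; Korgo names its entry this way
        # and points it at a randomly named .exe in the Windows system folder.
        path = data.strip('"').lower()
        in_system_dir = "\\system32\\" in path or "\\system\\" in path
        if name.lower() == "windows update" and path.endswith(".exe") and in_system_dir:
            findings.append(("run_windows_update", data))
    wireless = keys.get(WIRELESS_KEY, {})
    wireless_id = next((v for k, v in wireless.items() if k.lower() == "id"), None)
    if wireless_id is not None:
        findings.append(("wireless_id", wireless_id))
    return findings


if __name__ == "__main__":
    for indicator, detail in korgo_indicators(SAMPLE_REG):
        print(f"{indicator}: {detail}")
```

On a live host the input would come from `reg export HKLM\Software\Microsoft /tmp.reg`, or equivalent, and a hit on either indicator should be followed by checking whether the referenced executable still exists on disk.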
