W32/Korgo-I is a member of the W32/Korgo network worms family that
propagates by using the LSASS exploit.
For details see MS04-011 Microsoft Security Bulletin.
When executed W32/Korgo-I copies itself to the Windows system folder with
either a random filename or a filename extracted from the registry and
sets the following registry entries so as to auto-start on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinUpdate = <worm_name>
W32/Korgo-I marks the infection by setting the registry entry
HKLM\SOFTWARE\Microsoft\Wireless\
W32/Korgo-I scans random IP addresses attempting to exploit them, the results
of the scans being transmitted to a specific irc servers from the next list:
'rc.kar.net'
'gaspode.zanet.org.za'
'lia.zanet.net'
'irc.tsk.ru'
'london.uk.eu.undernet.org'
'washington.dc.us.undernet.org'
'los-angeles.ca.us.undernet.org'
'brussels.be.eu.undernet.org'
'caen.fr.eu.undernet.org'
'flanders.be.eu.undernet.org'
'graz.at.eu.undernet.org'
'moscow-advokat.ru'
The worm also listens on ports tcp/3067, tcp/113 and random ports in the range tcp/2000 - tcp/8191. These are used for payload/backdoor, IDENT for IRC and the server process which transmits a copy of the worm to anyone that connects.
Also W32/Korgo-I may prevent a system shutdown started by using the InitiateSystemShutdown.