W32/Korgo-L

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Korgo-L is a network worm that uses the LSASS exploit to propagate (for
more information, see Microsoft Security Bulletin MS04-011). When executed,
the worm copies itself to the Windows system folder under a randomly
generated name and creates the following registry entry so that it starts
when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update = <Windows system folder>\<random name>.exe

During infection, the worm also uses the following temporary registry value:

HKLM\Software\Microsoft\Wireless\
Client = 1

W32/Korgo-L scans random IP addresses and attempts to exploit them. The
results of the scans are transmitted to one of several IRC servers and channels.
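
A triage check for the two registry entries described above, written as an added example (not Sophos code): it parses a text export of the registry, such as one produced by `reg export`, and reports which indicators are present. The sample export, the file name `hqzkvw.exe`, and the assumption that the system folder path ends in `\system32` or `\system` are constructed for illustration.

```python
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WIRELESS_KEY = r"hkey_local_machine\software\microsoft\wireless"
# Assumption: the "Windows system folder" path ends in \system32 or \system.
SYSDIR_EXE = re.compile(r"\\system(32)?\\[^\\]+\.exe$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export; the random file name is invented for the example.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINDOWS\\system32\\hqzkvw.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless]
"Client"=dword:00000001
'''

def parse_reg_export(text):
    """Return {key path (lowercase): {value name (lowercase): decoded data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", raw[1:-1])  # REG_SZ: undo \\ and \"
            elif raw.lower().startswith("dword:"):
                data = int(raw[6:], 16)                    # REG_DWORD: hex digits
            else:
                data = raw                                 # other types kept as text
            current[name.lower()] = data
    return keys

def korgo_l_indicators(text):
    """List which of the two registry indicators from the description are present."""
    keys, hits = parse_reg_export(text), []
    run_data = keys.get(RUN_KEY, {}).get("windows update")
    if isinstance(run_data, str) and SYSDIR_EXE.search(run_data):
        hits.append(("run_key", run_data))
    client = keys.get(WIRELESS_KEY, {}).get("client")
    if client in (1, "1"):  # the description does not give the value type
        hits.append(("wireless_client", client))
    return hits
```

Because the Wireless value is temporary, its absence does not rule out infection; the Run entry is the persistent indicator.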
