W32/Korgo-A is a network worm using the LSASS exploit to propagate. When executed the worm copies itself to the Windows system folder using a randomly generated name and creates the following registry entry so that the worm starts when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinUpdate = <Windows system folder>\<random name>.exe
During infection the worm will also use the temporary registry value
HKLM\Software\Microsoft\Wireless\
Server = 1
W32/Korgo-A scans random IP addresses attempting to exploit them, the results of the scans are transmitted to one of several IRC servers and channels.
W32/Korgo-A includes a backdoor component which can be used to upload and run files on the infected computer.
Microsoft have issued a patch for the LSASS vulnerability, which can be downloaded from Microsoft Security Bulletin MS04-011.