W32/Korgo-I

Aliases	Worm.Win32.Padobot.gen
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Protection available since	9 June 2004 14:30:37 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Download and install the Microsoft security patch mentioned above.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinUpdate = <worm_name>

and delete it if it exists.

Close the registry editor.

More Information

Summary
Action
More Information

W32/Korgo-I is a member of the W32/Korgo network worms family that
propagates by using the LSASS exploit.

For details see MS04-011 Microsoft Security Bulletin.

When executed W32/Korgo-I copies itself to the Windows system folder with
either a random filename or a filename extracted from the registry and
sets the following registry entries so as to auto-start on user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WinUpdate = <worm_name>

W32/Korgo-I marks the infection by setting the registry entry
HKLM\SOFTWARE\Microsoft\Wireless\

W32/Korgo-I scans random IP addresses attempting to exploit them, the results
of the scans being transmitted to a specific irc servers from the next list:

'rc.kar.net'
'gaspode.zanet.org.za'
'lia.zanet.net'
'irc.tsk.ru'
'london.uk.eu.undernet.org'
'washington.dc.us.undernet.org'
'los-angeles.ca.us.undernet.org'
'brussels.be.eu.undernet.org'
'caen.fr.eu.undernet.org'
'flanders.be.eu.undernet.org'
'graz.at.eu.undernet.org'
'moscow-advokat.ru'

The worm also listens on ports tcp/3067, tcp/113 and random ports in the range tcp/2000 - tcp/8191. These are used for payload/backdoor, IDENT for IRC and the server process which transmits a copy of the worm to anyone that connects.

Also W32/Korgo-I may prevent a system shutdown started by using the InitiateSystemShutdown.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Korgo-I

Summary

Action

More Information