W32/Korgo-J

Aliases	Worm.Win32.Padobot.gen W32.Korgo.O
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Protection available since	23 June 2004 15:44:57 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update = C:\<Windows System32>\<filename.exe>

and delete it if it exists.

Close the registry editor.

More Information

Summary
Action
More Information

W32/Korgo-J is a network worm using the LSASS exploit to propagate. When executed the worm copies itself to the Windows System32 folder using a randomly generated name and creates the following registry entry so that the worm is executed automatically when a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update = C:\<Windows System32>\<filename.exe>

During infection the worm may also set the following registry value:

HKLM\Software\Microsoft\Wireless\
ID = <value>

W32/Korgo-J may query the keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Security Manager
Disk Defragmenter
System Restore Service
Bot Loader
SysTray
WinUpdate
Windows Update Service
avserve.exe
avserve2.exeUpdate Service
MS Config v13

W32/Korgo-J scans random IP addresses attempting to exploit them, the results of the scans being transmitted to one of several IRC servers and channels.

W32/Korgo-J includes a backdoor component which can be used to upload and run files on the infected computer.

This worm may also attempt to GET or POST data to the following sites:

ethard.biz hackers.lv cvv.ru www.redline.ru lovingod.host.sk filesearch.ru goldensand.ru fuck.ru padonki.org trojan.ru asechka.ru master-x.com color-bank.ru kavkaz.ru crutop.nu kidos-bank.ru parex-bank.ru adult-empire.com konfiskat.org citi-bank.ru xware.cjb.net mazafaka.ru

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Korgo-J

Summary

Action

More Information