Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 27 July 2005 10:23:07 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Korgo-Z is a network worm for the Windows platform.
W32/Korgo-Z spreads to other computers on the network by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011) and RPC-DCOM (MS04-012).
When run, W32/Korgo-Z copies itself to the Windows system folder as dkxcj32.dll.
The file dkxcj32.dll is registered as a COM object and as a ShellExecute hook, creating registry entries under:
HKCR\CLSID\{D1589445-4C2D-4827-6486-8C9674D8B206}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{D1589445-4C2D-4827-6486-8C9674D8B206}
During infection the worm will also use the following registry entries (key, value name, data):
HKLM\SOFTWARE\Microsoft\DataAccess
  Database = <random letters>
HKLM\SOFTWARE\Microsoft\DataAccess
  SQL = <random letters>
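The ShellExecuteHooks key named above is a generic persistence point, not specific to this worm, so a defender can audit it directly. The following is an added example (not from the Sophos description) that lists every registered hook, resolves its CLSID to the implementing DLL via InprocServer32, and flags hooks whose DLL is missing or not validly signed; the Wow6432Node path and the signature heuristic are assumptions of this example, not facts stated on the page.

```powershell
# Added example, not part of the Sophos description.
# Enumerate ShellExecute hooks, resolve each CLSID to its server DLL,
# and flag entries whose DLL is missing or lacks a valid Authenticode signature.
function Get-ShellExecuteHookReport {
    $hookKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
        # Assumption: 32-bit hooks on 64-bit Windows live under Wow6432Node.
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    )
    foreach ($key in $hookKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Each value name under ShellExecuteHooks is a CLSID; skip PSPath, PSDrive, etc.
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
            $server = $null
            # HKCR\CLSID is the merged view of these two hives.
            foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
                $inproc = Join-Path $root "$name\InprocServer32"
                if (Test-Path $inproc) {
                    $server = (Get-ItemProperty -Path $inproc).'(default)'
                    break
                }
            }
            $dll = if ($server) { [Environment]::ExpandEnvironmentVariables($server) } else { $null }
            $status = if ($dll -and (Test-Path $dll)) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                HookKey    = $key
                CLSID      = $name
                ServerDll  = $dll
                Signature  = $status
                Suspicious = ($status -ne 'Valid')
            }
        }
    }
}

Get-ShellExecuteHookReport | Format-Table -AutoSize
```

A hook whose server DLL sits in the system folder under an unfamiliar name and reports NotSigned or FileMissing is worth submitting to your AV vendor and comparing against the file name and CLSID listed above.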
W32/Korgo-Z scans random IP addresses and attempts to exploit the vulnerabilities listed above on the hosts it finds.
The worm may also attempt to GET or POST data to the following sites: