Sophos

W32/Korgo-Fam


Summary

Included in our products from August 2004 (3.84)
Protection available since 24 June 2004 14:56:54 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Download and install the Microsoft patch for the LSASS vulnerability (MS04-011) that this worm family exploits (see More Information below).

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update = <Windows system>\<random name>.exe

and delete it if it exists.

Close the registry editor.

More Information

W32/Korgo-Fam is a member of a family of network worms which use the
LSASS exploit (MS04-011) to propagate.

When run, the worms copy themselves to the Windows system folder under a
randomly generated name and create the following registry entry so that the
worm starts whenever a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Update = <Windows system>\<random name>.exe

During infection the worm also uses the registry value
HKLM\Software\Microsoft\Wireless\ID = <random letters>

The worms may delete the file FTPUPD.EXE if it exists. The worm may also
attempt to terminate processes such as SysTray, WinUpdate and avserve.exe,
and may delete the corresponding registry entries, if they exist, at the
following location:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Members of the W32/Korgo-Fam family scan random IP addresses and attempt to
exploit them; the results of the scans are reported to one of several IRC
servers and channels, which are used to coordinate further propagation.
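As an added example (not part of the Sophos description), the following PowerShell script audits a host for the two registry indicators named above, the "Windows Update" value under the Run key and the Wireless\ID value, and reports them. With -Remove it exports a backup of each affected key and then deletes the value, which is the scripted counterpart of the manual Regedit steps in the Action section. The script name, the -Remove and -BackupDir parameters and the backup location are assumptions; the "Windows Update" value is treated as suspicious only when its data is an .exe inside the Windows system folder, as the description states.

```powershell
<#
  Added example, not part of the Sophos advisory. Audits a Windows host for
  the two registry indicators the advisory describes and, with -Remove,
  deletes them after exporting a backup of the affected keys.
  Run from an elevated PowerShell prompt.
  Assumption: only the indicators named on this page are checked; the
  "Windows Update" Run value is flagged when its data is an .exe inside
  the Windows system folder.
#>
param(
    [switch]$Remove,
    [string]$BackupDir = "$env:TEMP\korgo-backup"   # assumed backup location
)

$runKey      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$wirelessKey = 'HKLM:\Software\Microsoft\Wireless'
$systemDir   = [Environment]::SystemDirectory        # e.g. C:\Windows\system32
$findings    = @()

# Indicator 1: Run value "Windows Update" = <Windows system>\<random name>.exe
$run = Get-ItemProperty -Path $runKey -Name 'Windows Update' -ErrorAction SilentlyContinue
if ($null -ne $run) {
    $data = [string]$run.'Windows Update'
    $findings += [pscustomobject]@{
        Key        = $runKey
        Value      = 'Windows Update'
        Data       = $data
        Suspicious = ($data -like "$systemDir\*.exe")
    }
}

# Indicator 2: HKLM\Software\Microsoft\Wireless\ID = <random letters>
$id = Get-ItemProperty -Path $wirelessKey -Name 'ID' -ErrorAction SilentlyContinue
if ($null -ne $id) {
    $findings += [pscustomobject]@{
        Key        = $wirelessKey
        Value      = 'ID'
        Data       = [string]$id.ID
        Suspicious = $true   # the advisory ties this value to infection; review before removal
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Korgo registry indicators present.'
    return
}

$findings | Format-Table -AutoSize

if (-not $Remove) {
    Write-Output 'Re-run with -Remove to delete the flagged values (a .reg backup is written first).'
    return
}

# Back up each affected key before changing it, mirroring the advisory's export step.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($f in ($findings | Where-Object Suspicious)) {
    $regPath = $f.Key -replace '^HKLM:\\', 'HKLM\'              # reg.exe syntax, no PSDrive colon
    $file    = Join-Path $BackupDir (($f.Value -replace '\W', '_') + '.reg')
    & reg.exe export $regPath $file /y | Out-Null
    Remove-ItemProperty -Path $f.Key -Name $f.Value
    Write-Output "Removed '$($f.Value)' from $($f.Key) (backup: $file)"
}
```

Run it once without -Remove to see what is present; a legitimate system is not expected to carry a Run value named "Windows Update" pointing at a randomly named executable in the system folder, but check the reported data against the description before deleting. After removal, reboot and rerun the script to confirm the values do not return, which would indicate the worm process is still active.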
