Summary

| Included in our products from | August 2004 (3.84) |
|---|---|
| Protection available since | 8 June 2004 15:38:14 (GMT) |
| Last updated | 16 June 2004 11:47:35 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing W32/Korgo-H.
More Information
W32/Korgo-H is a member of the W32/Korgo family of network worms that propagates using the LSASS exploit (TCP port 445).
For details see the MS04-011 Microsoft Security Bulletin.
When executed, W32/Korgo-H copies itself to the Windows system folder under a random filename and sets the following registry entry, pointing at that copy, so that the worm runs again on restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update
W32/Korgo-H marks the infection by setting the registry entry
HKLM\SOFTWARE\Microsoft\Wireless\.
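The two registry artefacts above (the Run value and the marker key) are what an analyst would look for when triaging an offline registry export. The following is an added example, not Sophos code: it parses a .reg-style export and reports those W32/Korgo-H indicators. The export text, the filename xqzpl.exe and the function names are constructed for illustration.

```python
"""Triage a Windows registry export (.reg text) for W32/Korgo-H indicators.

Added example, not Sophos code. Indicators taken from the write-up:
  - a Run value named "Windows Update" pointing at a file in the system folder
  - the marker key HKLM\SOFTWARE\Microsoft\Wireless
The export below is constructed; xqzpl.exe stands in for the random filename.
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg-style export.

    .reg files double every backslash inside quoted data, so the data is
    unescaped before it is stored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip().strip('"').replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys


def korgo_h_indicators(reg):
    """Return a list of findings matching the W32/Korgo-H write-up."""
    findings = []
    lower = {k.lower(): v for k, v in reg.items()}
    for name, data in lower.get(RUN_KEY.lower(), {}).items():
        in_sysdir = any(d in data.lower() for d in SYSTEM_DIRS)
        if name.lower() == "windows update" and in_sysdir:
            findings.append(f"Run value '{name}' -> {data}")
    if MARKER_KEY.lower() in lower:
        findings.append("infection marker key present: " + MARKER_KEY)
    return findings


# Constructed sample export: one suspicious Run value plus the marker key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINDOWS\\system32\\xqzpl.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless]
"""

if __name__ == "__main__":
    for finding in korgo_h_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```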
W32/Korgo-H scans random IP addresses, attempting to exploit them. The results of the scans are transmitted to a specific IRC server from the following list:
W32/Korgo-H attempts to delete ftpupd.exe and any registry entries that have the following values:

- avserve2.exe
- Update Service
- avserve.exe
- Windows Update Service
- WinUpdate
- SysTray
- Bot Loader
- System Restore Service
- Disk Defragmenter
- Windows Security Manager
W32/Korgo-H may also block a system shutdown that was initiated through the InitiateSystemShutdown API.
