anti-virus research and guidance


Korgo

Infectionvectors.com

Updated July 2004

Infection Vectors: LSASS vulnerability in Windows 2000/XP

Impact: High (installs backdoor and alerts authors to compromise)

Description:

Update: All variants of Korgo (currently through .W) have been summarized in this report; the infection mechanism remains constant.

Korgo, a worm that took up the torch passed by Sasser, relies on access to TCP 445 on machines that lack the patch associated with MS04-011 (specifically the LSASS vulnerability), reported in April of 2004.

Discovered late in May of 2004, Korgo spread quickly to unguarded machines around the world and was released in multiple variants within a few days' time. Each variant attempts to contact the authors via an IRC channel so that they may exploit the backdoors installed by this worm (it opens ports TCP 113, 2041 and 336y; later versions opened a random port). Korgo spreads by scanning random addresses for TCP 445; each successful connection receives the LSASS exploit and code that attempts to force the remote machine to download and execute the virus code.

 

Korgo copies itself to the SYSTEM/SYSTEM32 folder of an infected Windows machine under a random filename. This filename is used in a corresponding Registry entry to ensure the worm starts with the operating system.

Although the mutexes that Korgo creates vary from version to version, the propagation routines change little between variants. Later variants attempt to update themselves via HTTP and inject themselves into the Explorer process (if either step is unsuccessful, the worm continues to operate normally).

Blocking Korgo:

 

Block access to TCP 445. Many LANs do not filter this port internally because MS Windows services use it, meaning that unpatched systems can become infected quickly if the worm is carried into the network (e.g., on laptops).

Patch all systems with MS04-011 (KB835732).

Mitigating Korgo infections:

Most variants (through June 2004) attempted to contact an IRC server; block outbound access to TCP 6667.

Backdoor ports varied; however, no inbound connections should be allowed to nonstandard ports, and no inbound connections should be allowed to client machines at all. This will minimize data loss, use of the box as a zombie, etc.
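As an added illustration of the detection side of the two sections above (this script is not part of the original write-up), the Python code below scans constructed firewall log lines for the three behaviours described: one host connecting to many distinct addresses on TCP 445, outbound connections to TCP 6667, and inbound connections from outside the LAN to the early backdoor ports 113 and 2041. The log line format, the 10.0.0.0/8 internal range and the threshold of five distinct 445 targets are assumptions of the example, not values from the report.

```python
"""Flag Korgo-like network behaviour in constructed firewall log lines."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports named in the write-up.
LSASS_PORT = 445                # propagation target (MS04-011 LSASS)
IRC_PORT = 6667                 # authors are contacted over IRC
BACKDOOR_PORTS = {113, 2041}    # backdoor listeners of the early variants

# Assumptions of this example: the LAN's address range and how many distinct
# TCP 445 targets one host may touch before it is treated as a scanner.
INTERNAL = ip_network("10.0.0.0/8")
SCAN_THRESHOLD = 5

# Assumed log line shape: "<time> <ALLOW|DROP> TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>ALLOW|DROP)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: 10.0.0.5 sprays TCP 445 at random addresses, then
# calls home on 6667 and accepts an outside connection on backdoor port 2041.
# 10.0.0.22 is a normal file-sharing client; 10.0.0.9 makes an outbound ident
# (113) connection, which is not an inbound backdoor hit and must not be flagged.
SAMPLE_LOG = """\
12:00:01 ALLOW TCP 10.0.0.5:1034 -> 10.0.0.9:445
12:00:01 ALLOW TCP 10.0.0.5:1035 -> 192.168.3.77:445
12:00:02 DROP TCP 10.0.0.5:1036 -> 203.0.113.8:445
12:00:02 DROP TCP 10.0.0.5:1037 -> 198.51.100.4:445
12:00:03 DROP TCP 10.0.0.5:1038 -> 203.0.113.201:445
12:00:03 ALLOW TCP 10.0.0.5:1039 -> 10.0.0.14:445
12:00:05 ALLOW TCP 10.0.0.5:1040 -> 198.51.100.20:6667
12:00:09 ALLOW TCP 203.0.113.50:4411 -> 10.0.0.5:2041
12:00:11 ALLOW TCP 10.0.0.22:1101 -> 10.0.0.9:445
12:00:12 ALLOW TCP 10.0.0.22:1102 -> 10.0.0.9:80
12:00:13 ALLOW TCP 10.0.0.9:1500 -> 198.51.100.30:113
"""


def parse_line(line):
    """Parse one log line into a record, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "action": m["action"],
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def analyze(log_text, scan_threshold=SCAN_THRESHOLD):
    """Return hosts that scan 445, hosts that reach IRC, and hosts reached on backdoor ports."""
    targets_445 = defaultdict(set)   # src -> distinct destinations on TCP 445
    irc_clients = set()
    backdoor_hosts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src_internal = rec["src"] in INTERNAL
        dst_internal = rec["dst"] in INTERNAL
        # Dropped attempts count too: a random-address scan hits far more
        # unreachable hosts than reachable ones.
        if rec["dport"] == LSASS_PORT:
            targets_445[str(rec["src"])].add(rec["dst"])
        if rec["dport"] == IRC_PORT and src_internal and not dst_internal:
            irc_clients.add(str(rec["src"]))
        # Only inbound traffic from outside the LAN to an internal host counts
        # as a backdoor hit; outbound ident (113) to an IRC server does not.
        if rec["dport"] in BACKDOOR_PORTS and dst_internal and not src_internal:
            backdoor_hosts.add(str(rec["dst"]))
    scanners = {src: len(d) for src, d in targets_445.items() if len(d) >= scan_threshold}
    return {"scanners": scanners, "irc_clients": irc_clients, "backdoor_hosts": backdoor_hosts}


def report(findings):
    """Render the findings as one line per suspect host."""
    lines = []
    for src, n in sorted(findings["scanners"].items()):
        lines.append(f"{src}: {n} distinct TCP 445 targets (possible Korgo scanning)")
    for src in sorted(findings["irc_clients"]):
        lines.append(f"{src}: outbound TCP 6667 (IRC check-in)")
    for dst in sorted(findings["backdoor_hosts"]):
        lines.append(f"{dst}: inbound connection on a Korgo backdoor port")
    return lines


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

Run against real firewall exports, only the regular expression and the internal range need adjusting; the threshold should be tuned to how many distinct hosts a legitimate client on the LAN talks to over SMB in the same window.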


Copyright © 2004 infectionvectors.com. All rights reserved.