McAfee description:
__________________________________________
Virus Name: W32/Korgo.worm.g
Risk Assessment
  Corporate User: Low
  Home User: Low
Virus Information
Discovery Date: 06/02/2004
Origin: Unknown
Length: 10752
Type: Virus
SubType: Worm
Minimum DAT: 4365 (06/09/2004)
Updated DAT: 4365 (06/09/2004)
Minimum Engine: 4.2.40
Description Added: 06/02/2004
Description Modified: 06/02/2004 2:48 PM (PT)
Virus Characteristics:
The worm is detected as W32/Korgo.worm.gen with DAT 4364.
This self-executing worm spreads by exploiting a Microsoft Windows vulnerability:
MS04-011 vulnerability (CAN-2003-0533)
The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.
Symptoms:
The worm copies itself to the WINDOWS SYSTEM directory (such as c:\windows\system32) using a random file name, and creates a registry run key to load automatically at system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Disk Defragmenter" = C:\WINDOWS\System32\[random name].exe
An additional marker key is created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless
The worm injects thread code into the Windows Explorer process (explorer.exe). The thread in explorer.exe listens on TCP ports 113, 3067 and other random ports. It attempts to connect to the following IRC servers on TCP port 6667:
gaspode.zanet.org.za
lia.zanet.net
london.uk.eu.undernet.org
washington.dc.us.undernet.org
los-angeles.ca.us.undernet.org
brussels.be.eu.undernet.org
caen.fr.eu.undernet.org
flanders.be.eu.undernet.org
graz.at.eu.undernet.org
moscow-advokat.ru
irc.tsk.ru
gaz-prom.ru
Method Of Infection:
This worm exploits vulnerable Microsoft Windows systems. The worm scans random IP addresses, sending SYN packets on TCP port 445 to identify potential victims. Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and execute the virus on the victim system.
__________________________________________
To remove it, together with all the others that get in through the LSASS vulnerability, use ELILSA.EXE:
regards
ms, 3-06-2004
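The network symptoms in the quoted McAfee description (SYN sweeps of TCP 445, explorer.exe listening on 113 and 3067, and outbound IRC to the listed servers on 6667) can be checked offline against saved firewall logs and a `netstat -ano` dump. The script below is an added example, not part of the original post, of McAfee's write-up, or of ELILSA.EXE; the firewall log layout, the sample lines, the PID-to-image map and the ten-target scan threshold are constructed for illustration, and it does not touch the registry keys, which would need to be checked on the host itself.

```python
import re
from collections import defaultdict

# Indicators taken from the McAfee write-up quoted above.
IRC_SERVERS = {
    "gaspode.zanet.org.za", "lia.zanet.net",
    "london.uk.eu.undernet.org", "washington.dc.us.undernet.org",
    "los-angeles.ca.us.undernet.org", "brussels.be.eu.undernet.org",
    "caen.fr.eu.undernet.org", "flanders.be.eu.undernet.org",
    "graz.at.eu.undernet.org", "moscow-advokat.ru", "irc.tsk.ru",
    "gaz-prom.ru",
}
IRC_PORT = 6667
BACKDOOR_PORTS = {113, 3067}
EXPLOIT_PORT = 445
SCAN_THRESHOLD = 10  # assumption: distinct 445/tcp SYN targets from one source before we call it scanning

# Assumed firewall log layout (constructed for this example):
#   "<time> <action> TCP <src>:<sport> -> <dst>:<dport> <tcp-flags>"
FW_LINE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>\S+)\s+TCP\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s*(?P<flags>\S*)$"
)
# Windows XP `netstat -ano` listener line: "TCP  0.0.0.0:3067  0.0.0.0:0  LISTENING  1592"
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+):(?P<lport>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


def scan_firewall_log(lines):
    """Find the two network symptoms: 445/tcp SYN sweeps and outbound IRC on 6667/tcp."""
    syn_targets = defaultdict(set)  # source -> distinct hosts it sent a bare SYN to on 445
    irc = []                        # (src, dst, dst is in the write-up's server list)
    for line in lines:
        m = FW_LINE.match(line)
        if not m:
            continue
        dport = int(m["dport"])
        if dport == EXPLOIT_PORT and m["flags"] == "S":
            syn_targets[m["src"]].add(m["dst"])
        elif dport == IRC_PORT:
            irc.append((m["src"], m["dst"], m["dst"].lower() in IRC_SERVERS))
    scanners = {src: len(t) for src, t in syn_targets.items() if len(t) >= SCAN_THRESHOLD}
    return {"scanners": scanners, "irc": irc}


def check_listeners(netstat_lines, pid_to_image):
    """Flag 113/3067 listeners owned by explorer.exe (the injected-thread symptom above)."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        port, pid = int(m["lport"]), int(m["pid"])
        if port in BACKDOOR_PORTS and pid_to_image.get(pid, "").lower() == "explorer.exe":
            hits.append((port, pid))
    return hits


# Constructed sample data, not a real capture: 192.168.1.50 sweeps twelve hosts on 445,
# then talks to one of the listed Undernet servers; 192.168.1.20 is normal SMB traffic.
SAMPLE_FW = [
    "10:00:%02d ALLOW TCP 192.168.1.50:%d -> 10.0.%d.%d:445 S" % (i, 1025 + i, i, 200 - i)
    for i in range(12)
] + [
    "10:00:30 ALLOW TCP 192.168.1.20:1400 -> 10.0.0.5:445 S",
    "10:00:31 ALLOW TCP 192.168.1.20:1400 -> 10.0.0.5:445 A",
    "10:01:00 ALLOW TCP 192.168.1.50:1100 -> london.uk.eu.undernet.org:6667 S",
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING    980",
    "  TCP    0.0.0.0:113     0.0.0.0:0    LISTENING    1592",
    "  TCP    0.0.0.0:3067    0.0.0.0:0    LISTENING    1592",
    "  TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING    1104",
]
SAMPLE_PIDS = {980: "svchost.exe", 1592: "explorer.exe", 1104: "svchost.exe"}  # as `tasklist` would report


if __name__ == "__main__":
    print(scan_firewall_log(SAMPLE_FW))
    print(check_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS))
```

A single SYN to 445 is normal file-sharing traffic, which is why only distinct-target counts above the threshold are reported; the IRC check reports any outbound 6667/tcp and separately marks whether the destination is one of the names from the write-up, since a later variant could use different servers.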