McAfee's description:
__________________________________________
Virus Name: W32/Korgo.worm.i
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low
Virus Information
Discovery Date: 06/07/2004
Origin: Unknown
Length: 10879
Type: Virus
SubType: Worm
Minimum DAT: 4365 (06/09/2004)
Updated DAT: 4365 (06/09/2004)
Minimum Engine: 4.2.40
Description Added: 06/08/2004
Description Modified: 06/08/2004 7:48 AM (PT)
Virus Characteristics:
This self-executing worm spreads by exploiting a Microsoft Windows vulnerability:
MS04-011 vulnerability (CAN-2003-0533)
The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.
Symptoms
The worm copies itself to the WINDOWS SYSTEM directory (such as c:\windows\system32) using a random file name, and creates a registry run key to load automatically at system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Update" = C:\WINDOWS\System32\[random name].exe
An additional marker key is created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless
The worm injects thread code into the Windows Explorer process. The thread in explorer.exe listens on TCP ports 113, 3067 and other random ports. It attempts to connect to the following IRC servers on TCP port 6667:
Method Of Infection
This worm exploits vulnerable Microsoft Windows systems. The worm scans random IP addresses, sending SYN packets on TCP port 445 to identify potential victims. Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and execute the virus on the victim system.
__________________________________________
It is very important to have all Microsoft patches applied, especially MS04-011, but as always we recommend updating through Windows Update.
To do so, simply open the Tools menu in Internet Explorer and select Windows Update, then tell it to search for pending updates and install them.
If you can no longer boot the computer because this virus attacks it through an intrusion attempt and triggers the Windows error that launches Shutdown in 60 seconds, then disconnect the Internet cable, run ELILSA.EXE and block the intrusion attempt by accepting the window that proposes it; after that reconnect the cable and you will be able to apply the patches as indicated above.
To access ELILSA:
Regards,
ms, 8-06-2004
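A defender-side triage check for the indicators in the Symptoms section above (the "Windows Update" Run value, the Wireless marker key, the explorer.exe listeners and the IRC session), added here as an example and not McAfee's or ELILSA's code; the registry values, netstat rows and explorer.exe pid are constructed samples, so on a real host you would feed it the output of reg query and netstat -ano.

```python
import re

# Indicators quoted from the McAfee write-up above.
RUN_VALUE_NAME = "Windows Update"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"
LISTEN_PORTS = {113, 3067}
IRC_PORT = 6667
# The dropped file has a random name but always lives in the system directory.
SYSTEM32_EXE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed sample host state (not captured from a real infection).
SAMPLE_RUN_VALUES = {"Windows Update": r"C:\WINDOWS\System32\dqvtxa.exe"}
SAMPLE_KEYS = {r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"}
SAMPLE_EXPLORER_PID = 1480
SAMPLE_NETSTAT = [  # rows in the layout printed by 'netstat -ano'
    "TCP    0.0.0.0:113        0.0.0.0:0           LISTENING    1480",
    "TCP    0.0.0.0:3067       0.0.0.0:0           LISTENING    1480",
    "TCP    192.168.1.5:1042   203.0.113.7:6667    ESTABLISHED  1480",
    "TCP    0.0.0.0:445        0.0.0.0:0           LISTENING    4",
]

def check_run_key(run_values):
    """run_values maps value name -> data under HKLM\\...\\CurrentVersion\\Run.
    Windows itself never registers a Run value called "Windows Update"."""
    data = run_values.get(RUN_VALUE_NAME, "").strip()
    return [f'Run value "{RUN_VALUE_NAME}" launches {data}'] if SYSTEM32_EXE.match(data) else []

def check_marker_key(existing_keys):
    present = MARKER_KEY.lower() in {k.lower() for k in existing_keys}
    return [f"marker key present: {MARKER_KEY}"] if present else []

def check_netstat(lines, explorer_pid):
    """Flag the injected explorer.exe thread's listeners and its IRC session."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or int(parts[4]) != explorer_pid:
            continue
        _, local, remote, state, pid = parts
        lport, rport = (int(addr.rsplit(":", 1)[1]) for addr in (local, remote))
        if state == "LISTENING" and lport in LISTEN_PORTS:
            findings.append(f"explorer.exe pid {pid} listening on TCP {lport}")
        elif rport == IRC_PORT:
            findings.append(f"explorer.exe pid {pid} connected to {remote}")
    return findings

def triage(run_values, existing_keys, netstat_lines, explorer_pid):
    """Return every Korgo indicator observed; an empty list means none matched."""
    return (check_run_key(run_values) + check_marker_key(existing_keys)
            + check_netstat(netstat_lines, explorer_pid))
```

The port 445 listener is skipped on purpose: it belongs to the System process, and the worm only scans it on other machines.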