Its description according to McAfee is as follows:
__________________________________________
Virus Name: W32/Korgo.worm.p
Risk Assessment, Corporate User: Low
Risk Assessment, Home User: Low
Virus Information
Discovery Date: 06/18/2004
Origin: Unknown
Length: 9,343 Bytes
Type: Virus
SubType: Worm
Minimum DAT: 4368 (06/23/2004)
Updated DAT: 4368 (06/23/2004)
Minimum Engine: 4.2.40
Description Added: 06/17/2004
Description Modified: 06/18/2004 3:47 AM (PT)
Virus Characteristics:
This self-executing worm spreads by exploiting a Microsoft Windows vulnerability:
MS04-011 vulnerability (CAN-2003-0533)
The worm spreads with a random filename and acts as a remote access server to allow an attacker to control the compromised system.
Symptoms
The worm copies itself to the WINDOWS SYSTEM directory (such as c:\windows\system32) using a random file name, and creates a registry run key to load automatically at system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Update" = C:\WINDOWS\System32\[random name].exe
An additional marker key is created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless
The worm is stealthy by nature and hides itself as a thread in Windows explorer.exe. Therefore its process cannot be viewed in the Process list of Task Manager.
The worm attempts to make a connection to a list of URLs on port 80. The connections are random and intermittent. Some of the targeted URLs are:
citi-bank.ru
kidos-bank.ru
color-bank.ru
asechka.ru
goldensand.ru
adult-empire.com
Method Of Infection
This worm exploits vulnerable Microsoft Windows systems. The worm scans IP addresses in the class A or class B subnets as well as random IP addresses, sending SYN packets on TCP port 445 to identify potential victims. Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and execute the virus on the victim system.
Aliases
Name
W32//Korgo.L (Symantec)
W32/Korgo.N.worm (Panda)
Worm.Win32.Padobot.g (Kaspersky)
__________________________________________
To access ELILSA:
Regards
ms, 18-06-2004
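
The two registry symptoms in the quoted description can be checked offline against a registry export. This is an added example, not part of the original post or of McAfee's write-up; the function names and the sample export (including the file name qwzkfa.exe) are constructed for illustration.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"
RUN_VALUE = "Windows Update"
# An .exe placed directly in <drive>:\<windir>\System32, as in the description.
SYSTEM32_EXE = re.compile(r"^[a-z]:\\[^\\]+\\system32\\[^\\]+\.exe$", re.I)
# One "name"="string data" line of a .reg export (backslash-escaped content).
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample; qwzkfa.exe stands in for the worm's random file name.
SAMPLE_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINDOWS\\System32\\qwzkfa.exe"
"ExampleTool"="C:\\Program Files\\Example\\tool.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless]
"""

def parse_reg(text):
    """Return {KEY_PATH_UPPERCASE: {value_name: string_data}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:  # unescape \\ and \" ; non-string data types are skipped
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name] = data
    return keys

def korgo_indicators(text):
    """List (indicator, detail) tuples for the two registry symptoms."""
    keys, findings = parse_reg(text), []
    for name, data in keys.get(RUN_KEY.upper(), {}).items():
        if name.lower() == RUN_VALUE.lower() and SYSTEM32_EXE.match(data.strip()):
            findings.append(("run_key", data))
    if MARKER_KEY.upper() in keys:
        findings.append(("marker_key", MARKER_KEY))
    return findings

if __name__ == "__main__":
    for indicator, detail in korgo_indicators(SAMPLE_INFECTED):
        print(indicator, detail)
```

A real export written by regedit or `reg export` is UTF-16 encoded, so decode it to text before passing it to `korgo_indicators`. Because the description says the worm runs as a thread inside explorer.exe, registry evidence like this is more dependable than the Task Manager process list.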