Win32.Worm.Korgo.C

MEDIUM
MEDIUM
10240 bytes
(Win32/Korgo.C.worm)

Symptoms

- Presence of the following file in the %SYSTEM% folder:

a newly created executable file ????????.exe (10,240 bytes, see below)

- Presence of the following registry key or entry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"SysTray"="%SYSTEM%\????????.exe"]

???????? is a string of at most 8 characters, where ? may be any letter (e.g. etxovima.exe, afpsqg.exe),

and the .exe file that the registry entry points to is 10,240 bytes in size.


where %WINDOWS% points to the Windows folder (or WinNT on Windows NT-based systems), and
%SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on Windows NT-based systems.

Removal instructions:

- automatic removal: let BitDefender delete/disinfect files found infected.

Analyzed By

Mihai Neagu, BitDefender Virus Researcher

Technical Description:

The worm spreads by exploiting the Microsoft Windows LSASS vulnerability described in MS04-011:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Once run, the worm will do the following:

1. Attempts to delete FTPUPD.EXE from the current directory.

2. Creates the mutexes named r10, u6, u7 and uterm7.

3. Checks whether the [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SysTray"] entry exists.

If the entry exists:

Attempts to delete the registry entry [HKLM\Software\Microsoft\Wireless\"Client"].

If the entry doesn't exist, it attempts to create it:

[HKLM\Software\Microsoft\Wireless\"Client"="1"]

4. Creates a randomly named copy of the worm in the %SYSTEM% folder, as ????????.exe, where ? may be any letter.

5. Creates the registry entry

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"SysTray"="%SYSTEM%\????????.exe"]

in order to run at startup.

6. Executes the copy of the worm and terminates the current process.

7. Starts many threads, and enters an infinite loop, preventing the system from shutting down.

8. Opens ports 113, 3067 and a random port between 2000 and 10191 that is not a multiple of 256, allowing remote connections and serving as the channel for sending the worm; it then scans random IP addresses in order to infect unpatched systems.
It also opens port 6667, as it attempts to connect to a list of IRC servers from which it listens for commands.

9. Attempts to delete the following registry keys:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"avserve2.exe"
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"avserve.exe"
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Security Manager"
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"WinUpdate"