9344 (UPX packed and crypted)
(Worm.Win32.Padobot.k, Win32/Korgo.S, Win32.Lsabot)
- Presence of the next files in %SYSTEM% folder:
%random%.exe (9,344 bytes)
- Presence of the next registry key pointing to the above file:
[HKEY_LOCAL_MACHINE \Software\Microsoft\Windows\CurrentVersion\Run\"Windows Update"="%SYSTEM%\%random%.exe"]
%random% is a string composed of 5 to 12 random letters
%random2% is a string composed of 10 to 20 random letters
%WINDOWS% points to Windows folder (or WinNT on Windows NT based systems)
%SYSTEM% points to "System" folder on Windows 9x systems and "System32" folder on WinNT systems.
* open Task Manager by pressing [CTR]+[ALT]+[DEL] or [CTRL]+[SHIFT]+[ESCAPE] for Win2000/XP
* use End Process in Processes tab on [rand].exe
* open Registry Editor typing [WIN]+[R]regedit[ENTER]
* remove the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update registry key
* delete %system%\[rand].exe
* restart the system
Automatic removal: let BitDefender disinfect infected files
Patrick Vicol BitDefender Virus Researcher
The worm spreads by exploiting the Microsoft Windows LSASS Buffer Overrun vulnerabilty (MS04-011).
This version is a minor update to Win32.Worm.Korgo.P
Once run the virus will do the following:
When run it attempts to remove the file "ftpupd.exe", creates the mutex "uterm18" to avoid a duplicate process running simultaneously and if no error has occured it adjusts its token's privileges.
After that it tries to remove the following entries from the start-up key
Windows Security Manager
System Restore Service
Windows Update Service
MS Config v13
At this time it also tries to kill the processes containing the processes having in their names one of the strings pointed to by the above mentioned names.
Next "HKLM\Software\Microsoft\Wireless" is checked for the presence of "ID" string; if it doesn't exist it is initialized with a string of 13 to 20 random characters.
Then it checks for "Windows Update" string in "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" key and if doesn't exist it creates that string pointing to a random generated file name from 5 to 12 characters [rand].exe and copies the worm to "%system%\[rand].exe". In this case it also sets a new string "Client" in "HKLM\Software\Microsoft\Wireless" with the value "1" and finally executes that copy of the worm and exits the current instance.
When run after it has self-installed or on "normal" start-up the worm tries to inject a thread into the first "Shell_TrayWnd" window class it finds and if it manages so it quits. Otherwise it does the following same things, as the injected thread does, from the main process:
- attempts to open and set the following events: u10x, u11x, u12x, u13x, u14x, u15x, u16x, u17x and u18x
- creates the following mutexes: u8, u9, u10, u11, u12, u13, u13i, u14, u15, u16, u17 and u18
- creates three threads used for spreading and checking for updates
- chosses a random port between 257 and 8191 excluding all multiples of 256 on which it creates a pseudo HTTP server managed by a new thread
- using the HTTP server the successful exploit fetches and executes a copy of the worm
- the delay between two update checks is randomly chosen from 400.2 to 700.2 seconds
- the update thread searches randomly the following sites for updates:
The worm also prevents the system from shutting down by entering a loop that each 5 seconds aborts system shutdown.