Aliases: Worm.Win32.Padobot.b, W32/Korgo.worm.a, W32/Korgo-A, WORM_KORGO.A , Win32.Korgo.A
Variants: W32.Korgo.B, W32.Korgo.C

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 22 May 2004
Damage: Medium

Characteristics: The worm W32.Korgo.A attempts to exploit the Microsoft LSASS Windows vulnerability. This Vulnerability is described in Microsoft Security Bulletin MS04-011. It also listens to TCP ports 113, 2041, and 3067. It allows unauthorized access to the infected computer.

More details about W32.Korgo.A

When the worm W32.Korgo.A runs, it attempts to delete the file go.exe from the directory from which the worm was executed. It creates the mutexes r10, u2 and uterm5. This ensures that only one instance of the worm runs at any time. The worm copies itself to the \%System% directory as a randomly-named EXE file. The worm then listens to TCP ports 113, 2041 and 3067 for instructions from a distant attacker. It attempts to connect to certain IRC servers over port 6667/tcp. The worm scans random IP addresses on port 445/tcp in an attempt to exploit the LSASS buffer overflow vulnerability. It copies itself to the remote system and executes when a connection is made. It may start an infinite loop to prevent the computer from restarting after the LSASS service fails.

This worm modifies the system registry to ensure that it runs every Windows start up. It allows a remote attacker to access the infected system. When the worm executes, the system may display a message indicating that the LSASS service has failed. The system may reboot after the message has displayed. When the worm attempts to open a port, firewalls may display a message. The worm also starts an infinite loop to prevent the computer from shutting down.