Type: Worm
Category: Win32
Also known as: Win32/Korgo.AB.Worm, W32/Korgo.worm.ab (McAfee), W32.Korgo.X (Symantec), Worm.Win32.Padobot.gen (Kaspersky)
Immediate Protection Info

| Signature | Product | Removal Instructions |
|---|---|---|
| 23.65.69 | eTrust Antivirus v7/8* (InoculateIT Engine) | |
| 11.x/8440 | eTrust Antivirus v7/8* (Vet Engine) | |
| 6.1x/5588 | eTrust EZ Antivirus 6.1x | |
| 6.2x/8440 | eTrust EZ Antivirus 6.2x | |
| 10.5x/5588 | Vet Anti-Virus 10.5x | |
| 10.6x/8440 | Vet Anti-Virus 10.6x | |
Description
Win32.Korgo.AB is a worm that spreads by exploiting the Microsoft Windows LSASS buffer overflow vulnerability (MS04-011) over TCP port 445. It also opens a backdoor that allows unauthorized access to an affected machine. The worm is distributed as a 9,359-byte Win32 executable.
Method of Infection
When executed, Korgo.AB creates a copy of itself in the %System% directory using a randomly-generated filename that is between 5 and 8 characters in length. For example:
%System%\UCEIWLX.EXE
It then modifies the registry to ensure that this copy is executed at each Windows start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = %System%\<filename>.exe
It can also make a second copy of itself in the %System% directory using another random file name of between 3 and 10 characters in length.
The worm creates the mutex "uterm20" to ensure only one copy of the worm is running at any time. It also uses the mutexes "u8", "u9", "u10", "u11", "u12", etc. for its own purposes.
To hide its presence, the worm injects its main routine as a remote thread into the Windows Explorer process (Explorer.exe). Subsequent worm activity, including the port 445 scanning and the backdoor listener, therefore appears to originate from Explorer.exe rather than from the dropped file, so an Explorer.exe with unexpected listening sockets or outbound connections to port 445 is the thing to look for. If the worm fails to inject into Explorer.exe, it continues to run as a separate process.
Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default System directory is C:\Winnt\System32 on Windows NT and 2000; C:\Windows\System on Windows 95, 98 and ME; and C:\Windows\System32 on Windows XP.
Method of Distribution
Via Exploit
The worm generates random IP addresses and, for each generated address, walks the last octet from 0 to 255, attempting a TCP connection to port 445 on each host in order to exploit the LSASS buffer overflow vulnerability (MS04-011). It runs up to 5 scanning threads in parallel. If the exploit succeeds, the newly compromised machine connects back to the original (attacking) machine on a random port and downloads a copy of the worm from it (see Backdoor Functionality below).
As a side effect of an exploit attempt, the LSASS service on the target may crash; on Windows 2000 and XP that typically forces a reboot after a one-minute countdown, so unexplained reboots across a subnet are a useful early indicator of this worm scanning the segment.

For more information regarding this vulnerability, please visit our Vulnerabilities Encyclopedia:
Microsoft Windows LSASS buffer overflow vulnerability
The Microsoft security bulletin for this vulnerability is available here:
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
Payload
Backdoor Functionality
The worm listens on a random port number and allows access to the infected machine through it. The listener accepts a limited set of HTTP requests and replies with a copy of the worm's executable; this is the download server from which a freshly exploited host fetches the worm after the LSASS exploit succeeds.
Korgo.AB also notifies a remote web server every time a new system is compromised.
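The two network-visible behaviours above (the sequential port 445 sweep of a /24 under Method of Distribution, and the victim's connection back to the attacker's random port to fetch the worm copy under Backdoor Functionality) can be picked out of ordinary connection logs. The following is an added example written for this entry, not tooling from the encyclopedia or the analyst; the log format ('timestamp src sport dst dport', one connection per line, in time order) is hypothetical and the log lines are constructed, so it runs offline.

```python
"""Added example (not part of the encyclopedia entry): spotting the Korgo.AB
propagation pattern in connection logs. The log format ('timestamp src sport
dst dport', one connection per line, in time order) is hypothetical and the
lines below are constructed, so this runs offline."""
from collections import defaultdict
import ipaddress

# Distinct port-445 targets in one /24 from one source before we call it a
# scan; the threshold is a tuning assumption.
SCAN_THRESHOLD = 8


def parse_line(line):
    ts, src, sport, dst, dport = line.split()
    return ts, src, int(sport), dst, int(dport)


def find_lsass_scanners(events, threshold=SCAN_THRESHOLD):
    """Sources that hit port 445 on many hosts of the same /24. The worm walks
    the last octet 0-255 of each generated address, so targets cluster per /24."""
    targets = defaultdict(set)
    for _ts, src, _sport, dst, dport in events:
        if dport == 445:
            net = ipaddress.ip_network(dst + "/24", strict=False)
            targets[(src, str(net))].add(dst)
    scanners = {}
    for (src, _net), hosts in targets.items():
        if len(hosts) >= threshold:
            scanners.setdefault(src, []).extend(hosts)
    return {src: sorted(h, key=ipaddress.ip_address) for src, h in scanners.items()}


def find_worm_downloads(events, scanners):
    """After a successful exploit the victim fetches the worm from the attacker
    on a random port. Flag connections from a host the scanner hit on 445 back
    to the scanner on any port other than 445 (the worm's HTTP-style listener)."""
    hit_on_445 = defaultdict(set)
    downloads = []
    for ts, src, _sport, dst, dport in events:
        if dport == 445 and src in scanners:
            hit_on_445[src].add(dst)
        elif dst in scanners and src in hit_on_445[dst] and dport != 445:
            downloads.append((ts, src, dst, dport))
    return downloads


def analyze(log_text):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    scanners = find_lsass_scanners(events)
    return {"scanners": scanners, "downloads": find_worm_downloads(events, scanners)}


# Constructed log: 10.0.5.7 walks 10.0.5.1-12 on 445, 10.0.5.9 then connects
# back to 10.0.5.7 on a high port (the download), and 10.0.5.20 / 10.0.5.30
# generate ordinary file-share and web traffic that must not be flagged.
SCAN_LINES = [f"2004-06-10T10:00:{i:02d} 10.0.5.7 {1030 + i} 10.0.5.{i} 445"
              for i in range(1, 13)]
OTHER_LINES = [
    "2004-06-10T10:00:13 10.0.5.9 1042 10.0.5.7 3067",
    "2004-06-10T10:00:14 10.0.5.20 1050 10.0.5.1 445",
    "2004-06-10T10:00:15 10.0.5.20 1051 10.0.5.7 445",
    "2004-06-10T10:00:16 10.0.5.30 1060 10.0.5.7 80",
]
LOG = "\n".join(SCAN_LINES + OTHER_LINES)

if __name__ == "__main__":
    for key, value in analyze(LOG).items():
        print(key, value)
```

The download check deliberately keys on "a host that was just hit on 445 now connecting back to the scanner", not on the destination port, because the worm's listener port is random; a single host touching port 445 on one or two servers (the 10.0.5.20 lines) is normal SMB traffic and stays below the threshold.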
Removes Registry Values/Processes
Korgo.AB deletes the following values from the key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and terminates the processes they point to. These values belong to several other worms competing for the same vulnerable hosts (avserve.exe and avserve2.exe, for example, are the Run entries of Sasser variants), so their absence after a Korgo.AB infection does not mean the host was never infected by them:
Windows Update
MS Config v13
avserve2.exe
Update Service
avserve.exe
Windows Update Service
WinUpdate
SysTray
Bot Loader
System Restore Service
Disk Defragmenter
Windows Security Manager
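A responder working from a registry export can check the Run key for the persistence entry described under Method of Infection (value "Cryptographic Service" pointing at a random 5-8 character executable in %System%, 9,359 bytes) and for the value names in the deletion list above, which indicate other malware on the host. The following is an added example written for this entry, not tooling from the encyclopedia or the analyst; SAMPLE_RUN_KEY is constructed data shaped like a registry export, and the file size attached to it is constructed too, so the script runs offline on any platform.

```python
"""Added example (not part of the encyclopedia entry): triage of exported
Run-key values against the Korgo.AB persistence entry and the Run values the
worm deletes. SAMPLE_RUN_KEY is constructed data shaped like a registry export
(with a constructed file size), so this runs offline."""
import re

# Value Korgo.AB writes under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
KORGO_RUN_VALUE = "Cryptographic Service"
# Size of the dropped executable given in the description.
KORGO_SIZE = 9359

# %System% as written in the description or as resolved on NT/2000
# (C:\Winnt\System32), 95/98/ME (C:\Windows\System) and XP (C:\Windows\System32).
SYSTEM_DIR = r"(?:%system%|[a-z]:\\winnt\\system32|[a-z]:\\windows\\system(?:32)?)"
# 5-8 character random filename. The page's sample is upper-case letters
# (UCEIWLX.EXE); also accepting digits is an assumption.
KORGO_PATH_RE = re.compile(SYSTEM_DIR + r"\\[a-z0-9]{5,8}\.exe$", re.IGNORECASE)

# Run values Korgo.AB deletes: they belong to other malware competing for the host.
REMOVED_BY_KORGO = frozenset([
    "Windows Update", "MS Config v13", "avserve2.exe", "Update Service",
    "avserve.exe", "Windows Update Service", "WinUpdate", "SysTray",
    "Bot Loader", "System Restore Service", "Disk Defragmenter",
    "Windows Security Manager",
])


def indicators_for(name, data, size=None):
    """Return the Korgo.AB-related indicators one autostart entry matches."""
    hits = []
    if name == KORGO_RUN_VALUE:
        hits.append("run_value_name")
    if KORGO_PATH_RE.match(data.strip('"')):
        hits.append("random_system_exe")
    if size == KORGO_SIZE:
        hits.append("size_9359")
    if name in REMOVED_BY_KORGO:
        hits.append("value_korgo_deletes")
    return hits


def verdict(hits):
    """Combine indicators. A random-looking 5-8 character name in %System% is
    weak on its own (ctfmon.exe matches it too), so it only yields 'korgo_ab'
    together with the Run value name or the known file size."""
    if "run_value_name" in hits and ("random_system_exe" in hits or "size_9359" in hits):
        return "korgo_ab"
    if "value_korgo_deletes" in hits:
        return "other_malware"
    if hits:
        return "review"
    return "clean"


def triage_run_key(entries):
    """entries: list of dicts with 'name', 'data' and an optional 'size' in bytes."""
    return [(e["name"], verdict(indicators_for(e["name"], e["data"], e.get("size"))))
            for e in entries]


# Constructed Run-key export: the Korgo.AB entry, one value from the worm's
# deletion list, and two benign entries for contrast (ctfmon.exe shows why the
# filename pattern alone is not enough).
SAMPLE_RUN_KEY = [
    {"name": "Cryptographic Service", "data": r"C:\WINDOWS\System32\UCEIWLX.EXE", "size": 9359},
    {"name": "avserve.exe", "data": r"C:\WINDOWS\avserve.exe"},
    {"name": "ctfmon.exe", "data": r"C:\WINDOWS\system32\ctfmon.exe"},
    {"name": "VMware Tools", "data": r"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"},
]

if __name__ == "__main__":
    for name, result in triage_run_key(SAMPLE_RUN_KEY):
        print(f"{result:14} {name}")
```

On a live Windows host the same logic applies to the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`; remember that the second random-named copy the worm may drop has no Run entry, so a file-system listing of %System% for small, recently written executables is a separate check.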
Additional Information
Korgo.AB creates the following key in the registry for its own use:
HKLM\Microsoft\Wireless\ID = "<10-20 random characters>"
It attempts to delete the file 'ftpupd.exe' - the temporary file used when a computer is successfully breached using the LSASS exploit.
Analysis by Paul Taylor