
Korgo network worm

Another worm exploiting the LSASS vulnerability, this one known as "Korgo", tries to connect every infected host to IRC channels (on Undernet.Org) for remote control. It is in effect a phishing worm: it auto-infects unpatched Windows systems over the network with a keylogging trojan, steals online banking information, and secretly transmits the data back to the fraudsters.

The Korgo network worm keeps spreading actively, and it aggressively steals user information from infected machines. It does this via a keylogger that specifically collects user logins for online banks (the ones that do not use one-time passwords). It also logs everything the user types into any web form, which collects plenty of credit card numbers, passwords and similar data.

The emergence of phishing worms presents yet another reason for Windows users to be vigilant about patching their systems. Korgo's victims, whose machines remained unsecured more than 45 days after a fix became available, ignored persistent calls to install patches. Only the security laggards were victimized this time. But as with any malware proof-of-concept, the attack agent is apt to arrive more quickly the next time an opportunity arises.

Korgo Removal:

Symantec provides a removal tool for Korgo. The following is the procedure for manual removal; terminate the worm process first, otherwise it can re-create the entries below.

  • Open the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\
    Microsoft\Windows\CurrentVersion\Run
  • Delete any of these values that are present: "WinUpdate", "Windows Security Manager", "avserve.exe", "avserve2.exe". Note the file path each of them points to: that is the randomly named copy of the worm in the Windows system directory, which must be deleted as well.
  • Open the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\
    Microsoft\Wireless
  • If a "SysTray" value exists there and its data matches the path of the worm file, delete the "Client" value from this key; the "SysTray" entry pointing at the worm should go too.
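The check below is an added example, not part of the original alert or of Symantec's tool. It parses a registry export (the text format written by `reg export`) and flags the Run-key values and the Wireless-key marker listed in the removal procedure above, then prints the `reg delete` and `del` commands a manual clean-up would run. The sample export is constructed for the demo, and the worm's file name in it (`xqzpl.exe`) is a made-up placeholder standing in for the random name the worm picks.

```python
"""Korgo indicator check over a Windows registry export (added example)."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WIRELESS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless"

# Value names the alert says Korgo registers under the Run key (matched case-insensitively).
KORGO_RUN_VALUES = {"winupdate", "windows security manager", "avserve.exe", "avserve2.exe"}

# Constructed sample export: one legitimate Run entry, two Korgo entries pointing at a
# placeholder worm file (the real name is random), plus the Wireless-key marker.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"WinUpdate"="C:\\WINDOWS\\system32\\xqzpl.exe"
"Windows Security Manager"="C:\\WINDOWS\\system32\\xqzpl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless]
"Client"=dword:00000001
"SysTray"="C:\\WINDOWS\\system32\\xqzpl.exe"
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    Quoted string data has the doubled backslashes of the .reg format undone;
    dword:/hex: data is kept as the raw token.  Lines that are not a
    "[key]" header or a "name"=data pair (e.g. @= default values) are skipped.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_korgo_indicators(keys):
    """Return (suspect Run values, worm file paths, Wireless-key values to delete)."""
    run = keys.get(RUN_KEY, {})
    suspects = [(n, d) for n, d in run.items() if n.lower() in KORGO_RUN_VALUES]
    paths = sorted({d for _, d in suspects})          # the random-named copies to delete
    lowered = {p.lower() for p in paths}
    wireless = keys.get(WIRELESS_KEY, {})
    wireless_hits = []
    if "Client" in wireless:
        wireless_hits.append("Client")
    if str(wireless.get("SysTray", "")).lower() in lowered:   # SysTray points at the worm
        wireless_hits.append("SysTray")
    return suspects, paths, wireless_hits


def removal_commands(suspects, paths, wireless_hits):
    """Build the cmd.exe commands implied by the findings (run after killing the process)."""
    cmds = [f'reg delete "{RUN_KEY}" /v "{name}" /f' for name, _ in suspects]
    cmds += [f'reg delete "{WIRELESS_KEY}" /v "{name}" /f' for name in wireless_hits]
    cmds += [f'del /f "{p}"' for p in paths]
    return cmds


if __name__ == "__main__":
    found = find_korgo_indicators(parse_reg_export(SAMPLE_REG_EXPORT))
    for cmd in removal_commands(*found):
        print(cmd)
```

On a real machine you would feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and the matching export of the Wireless key; the script only reports and prints commands, it never touches the registry itself.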

How Korgo works:

When launched, the worm copies itself to the Windows system directory under a random name and registers that file in the system registry auto-run key. It then begins randomly scanning for further machines to attack on TCP port 445. It also listens on TCP ports 113, 3067 and other random ports, giving attackers backdoor access to infected (zombie) machines. Compromised machines also attempt to connect to several IRC servers to receive commands and transmit data to their controllers.
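The three network behaviours just described (fan-out scanning on TCP/445, inbound connections to the 113/3067 backdoor ports, and outbound IRC) can be picked out of a perimeter firewall log. The detector below is an added example, not code from the original alert or from any product: it replays constructed log lines in a simple format chosen for the demo, and it assumes TCP/6667 as the IRC port, which the alert does not name.

```python
"""Korgo behaviour detector over constructed firewall log lines (added example)."""
from collections import defaultdict
from datetime import datetime

BACKDOOR_PORTS = {113, 3067}   # listeners the alert attributes to the worm
IRC_PORTS = {6667}             # assumption: the alert says IRC but names no port
SCAN_THRESHOLD = 10            # distinct TCP/445 targets from one host ...
SCAN_WINDOW = 60               # ... within this many seconds
INTERNAL_PREFIX = "10.0.0."    # assumption: the protected network for the demo

# Constructed log format: "<ISO time> <ALLOW|DROP> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
_scan_lines = [
    f"2004-06-01T10:00:{i:02d} DROP TCP 10.0.0.5:{1030 + i} -> 10.0.0.{20 + i}:445"
    for i in range(12)                                   # one infected host sweeping 12 neighbours
]
SAMPLE_LOG = "\n".join(_scan_lines + [
    "2004-06-01T10:00:40 ALLOW TCP 192.0.2.9:40000 -> 10.0.0.5:3067",    # backdoor reached from outside
    "2004-06-01T10:00:41 ALLOW TCP 10.0.0.5:1101 -> 198.51.100.7:6667",  # IRC command channel
    "2004-06-01T10:05:00 ALLOW TCP 10.0.0.8:1200 -> 10.0.0.3:445",       # one ordinary SMB session
    "2004-06-01T10:05:01 ALLOW UDP 10.0.0.8:137 -> 10.0.0.255:137",      # NetBIOS broadcast, ignored
])


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, action, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"t": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port)}


def detect(log_text, internal_prefix=INTERNAL_PREFIX):
    """Return {'scanners': set, 'backdoor': list, 'irc': list} for the given log text.

    scanners: hosts that touched >= SCAN_THRESHOLD distinct TCP/445 targets inside
              SCAN_WINDOW seconds (dropped and allowed attempts both count; a worm
              does not care which).
    backdoor: (src, dst, port) for allowed connections to an internal host on 113/3067.
    irc:      (src, dst) for allowed outbound connections from an internal host to IRC.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["t"])
    history = defaultdict(list)      # src_ip -> [events to port 445], time-ordered
    alerts = {"scanners": set(), "backdoor": [], "irc": []}
    for e in events:
        if e["proto"] != "TCP":
            continue
        if e["dst_port"] == 445:
            hist = history[e["src_ip"]]
            hist.append(e)
            recent = {h["dst_ip"] for h in hist
                      if (e["t"] - h["t"]).total_seconds() <= SCAN_WINDOW}
            if len(recent) >= SCAN_THRESHOLD:
                alerts["scanners"].add(e["src_ip"])
        if (e["action"] == "ALLOW" and e["dst_port"] in BACKDOOR_PORTS
                and e["dst_ip"].startswith(internal_prefix)):
            alerts["backdoor"].append((e["src_ip"], e["dst_ip"], e["dst_port"]))
        if (e["action"] == "ALLOW" and e["dst_port"] in IRC_PORTS
                and e["src_ip"].startswith(internal_prefix)):
            alerts["irc"].append((e["src_ip"], e["dst_ip"]))
    return alerts


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        print(kind, sorted(hits))
```

The single SMB session from 10.0.0.8 stays below the fan-out threshold, so only 10.0.0.5 is reported, and it is reported on all three counts; in practice any one of the three is enough to pull the host off the network and run the removal procedure above.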

Once infected, a victim machine will display an error message that the LSASS service has failed, commonly forcing a reboot. Standard defensive precautions apply against all variants of Korgo: patch Windows boxes, update anti-virus signature files and use firewalls. Most Windows users should already have these precautions in place post Sasser.

Korgo Prevention:

A buffer overrun vulnerability exists in LSASS that could allow remote code execution on an affected system. An attacker who successfully exploits this vulnerability can take complete control of the affected system. Apply the patch described in Microsoft Security Bulletin MS04-011:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Korgo is also known as Padobot.
