Saturday, June 05, 2004

VIRUS: Korgo raises zombie PC army

Korgo raises zombie PC army | The Register

By John Leyden (john.leyden@theregister.co.uk)
Published Thursday 3rd June 2004 11:05 GMT

Anti-virus firms have raised the peril index of the Korgo worm up a notch following the spread of several new variants this week.

Korgo (http://www.f-secure.com/v-descs/korgo.shtml) (aka Padobot) exploits the Microsoft Windows Local Security Authority Subsystem Service (LSASS) vulnerability (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx) to spread across vulnerable machines. The same flaw was infamously exploited by the Sasser worm and by a number of less prolific worms (http://www.theregister.co.uk/2004/05/11/sasser_saga_continues) since. Korgo has some nasty tricks up its sleeve, but the worm is far less prolific than Sasser.

The worm was written by the Russian Hangup Team virus group, according to Finnish AV firm F-Secure. All seven variants of the worm are very similar.

Korgo-A and its variants are written in C++ and are approximately 10KB in size, packed using UPX. When launched, the worm copies itself to the Windows system directory under a random name and registers this file in the system registry auto-run key. It then begins to randomly scan for further machines to attack on TCP port 445. It also listens on TCP ports 113, 3067 and other random ports, allowing hackers backdoor access to infected (zombie) machines. Compromised machines also attempt to connect to several IRC servers to receive commands and transmit data to their controllers.

Once infected, a victim machine will display an error message that the LSASS service has failed, commonly forcing a reboot. Standard defensive precautions apply against all variants of Korgo: patch Windows boxes, update anti-virus signature files and use firewalls. Most Windows users should already have these precautions in place post-Sasser. Let's be careful out there. ®
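The two network behaviours the article attributes to Korgo (random outbound scanning on TCP/445 and a backdoor listening on TCP/113 and TCP/3067) are exactly the kind of signal a network or host monitor can flag, and the article's own advice (patch, firewall) is easier to prioritise once the likely-infected hosts are known. The following Python is an added detection example written for this page; it is not code from The Register, F-Secure or the worm itself. The connection-record format, the sliding-window thresholds (20 distinct destinations on 445 within 60 seconds) and all sample data are assumptions constructed for the example.

```python
"""
Heuristic triage for Korgo-style LSASS worm activity, based on the behaviour
described in the article:
  * outbound scanning of random hosts on TCP/445
  * a backdoor listening on TCP/113 and TCP/3067

Input records and thresholds are assumptions for this example; the sample
data below is constructed, not real telemetry.
"""
from collections import defaultdict

LSASS_PORT = 445            # port the worm scans (named in the article)
BACKDOOR_PORTS = {113, 3067}  # fixed backdoor listeners (named in the article)


def find_scanners(connections, window=60, threshold=20):
    """Flag hosts that reach >= threshold distinct destinations on TCP/445
    within any sliding window of `window` seconds.

    connections: iterable of (timestamp_seconds, src_host, dst_ip, dst_port).
    Returns {src_host: peak_distinct_destinations} for flagged hosts only.
    """
    per_host = defaultdict(list)
    for ts, src, dst, port in connections:
        if port == LSASS_PORT:
            per_host[src].append((ts, dst))

    flagged = {}
    for host, events in per_host.items():
        events.sort()                 # order by timestamp for the sliding window
        counts = defaultdict(int)     # destination -> occurrences inside window
        distinct = 0
        start = 0
        for ts, dst in events:
            counts[dst] += 1
            if counts[dst] == 1:
                distinct += 1
            # Evict events older than the window.
            while events[start][0] < ts - window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    distinct -= 1
                start += 1
            if distinct >= threshold:
                flagged[host] = max(flagged.get(host, 0), distinct)
    return flagged


def find_backdoor_listeners(listeners):
    """Return {host: sorted backdoor ports} for hosts with a listener on any
    port in BACKDOOR_PORTS. listeners: iterable of (host, listening_port)."""
    hits = defaultdict(set)
    for host, port in listeners:
        if port in BACKDOOR_PORTS:
            hits[host].add(port)
    return {host: sorted(ports) for host, ports in hits.items()}


def triage(connections, listeners):
    """Combine both heuristics into {host: [reason, ...]}. A host showing both
    behaviours is the strongest candidate for isolation and patching."""
    scanners = find_scanners(connections)
    backdoors = find_backdoor_listeners(listeners)
    verdicts = {}
    for host in sorted(set(scanners) | set(backdoors)):
        reasons = []
        if host in scanners:
            reasons.append(f"{scanners[host]} distinct hosts on TCP/{LSASS_PORT} within 60s")
        if host in backdoors:
            reasons.append("listening on " + ", ".join(f"TCP/{p}" for p in backdoors[host]))
        verdicts[host] = reasons
    return verdicts


# --- Constructed sample data (not real telemetry) --------------------------
SAMPLE_CONNECTIONS = (
    # ws-17: 25 distinct hosts on TCP/445 in 25 seconds (worm-like scanning)
    [(t, "ws-17", f"10.0.3.{t + 10}", 445) for t in range(25)]
    # ws-02: benign SMB use, three file servers over ten minutes
    + [(t * 120, "ws-02", f"10.0.1.{n}", 445) for n in (5, 6, 7) for t in range(3)]
    # ws-05: ordinary web traffic, irrelevant to the heuristic
    + [(5, "ws-05", "10.0.9.1", 80)]
)
SAMPLE_LISTENERS = [
    ("ws-17", 113), ("ws-17", 3067), ("ws-17", 139),   # backdoor ports present
    ("ws-02", 135), ("ws-02", 445),                    # normal Windows services
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_CONNECTIONS, SAMPLE_LISTENERS).items():
        print(host, "->", "; ".join(reasons))
```

The sliding window matters because legitimate SMB clients also talk to port 445, just to a handful of file servers over a long period; the worm's random scanning stands out as many distinct destinations in a short burst. Hosts flagged by both heuristics are the first to isolate, patch with MS04-011 and clean.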

