6/21: Korgo-N, O, P Exploit LSASS Flaw

Some security vendors Monday issued alerts for the N, O and P variants of the Korgo worm, which spread by exploiting the LSASS vulnerability in Windows.
According to Trend Micro, Worm_Korgo.N propagates by exploiting a buffer overrun vulnerability in the Windows LSASS (Local Security Authority Subsystem Service). This vulnerability is discussed in detail in the following pages:
MS04-011_MICROSOFT_WINDOWS

The worm generates IP addresses and opens random ports to attack. After performing its exploit, this malware may prevent Windows from shutting down, but note that this may not be true on all infected systems.
It displays a warning message as an indication that the vulnerability in the LSASS component has been exploited.
IMPORTANT NOTE: This UPX-compressed worm runs on Windows 95, 98, ME, NT, 2000, and XP. However, it is unable to perform the exploit on Windows 95, 98, and ME systems since these platforms are not affected by the LSASS vulnerability.
Technical details are at the Trend Micro page.
Panda Software issued a low-level alert for Korgo.O, which also spreads via the Internet by exploiting the LSASS vulnerability in remote computers. This vulnerability is critical for Windows XP/2000 operating systems that are not properly updated.
Korgo.O connects to several web sites, to which it sends information on the country in which the affected computer is located. It also attempts to download files from these web sites. Korgo.O only spreads automatically to Windows XP/2000 computers. However, computers with other Windows operating systems can also be a source of transmission when a malicious user runs the file containing the worm on any of these computers.
If you have a Windows XP/2000 computer, it is highly recommended that you download the security patch for the LSASS vulnerability from the Microsoft web site.
Technical details are at this Panda Software page.
Panda Software also issued a low-level alert for Korgo.P, a worm that spreads via the Internet by exploiting the LSASS vulnerability in remote computers. This vulnerability is critical for Windows XP/2000 operating systems that are not properly updated.
Korgo.P connects to several web sites, to which it sends information on the country in which the affected computer is located. It also attempts to download files from these web sites. Korgo.P only spreads automatically to Windows XP/2000 computers. However, computers with other Windows operating systems can also be a source of transmission when a malicious user runs the file containing the worm on any of these computers.
If you have a Windows XP/2000 computer, it is highly recommended that you download the security patch for the LSASS vulnerability from the Microsoft web site.
Technical details are at this Panda Software page.