WORM_KORGO.L
Technical Details

Size of malware: 10,752 Bytes (compressed);
17,920 Bytes (uncompressed)

Initial samples received on: Jun 9, 2004

Variant of WORM_KORGO.A


Details:

Installation and Autostart

This multi-threaded worm arrives as an .EXE file with a randomly-generated file name.

Upon execution, it tries to delete the file FTPUPD.EXE in the directory from which it was run. It then creates the following mutexes to ensure that only one copy of itself is running in memory:

  • uterm11
  • u8
  • u9
  • u10

It then drops a copy of itself in the Windows system folder under a random file name, executes the dropped copy, and terminates the original malware file that was executed.

This worm creates the following autorun registry entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
WinUpdate = "%System%\<random file name>.EXE"


(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

It also adds the following registry entry as an infection marker:

HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless
Client = 1

If the machine is already infected with this worm (as indicated by the presence of the autostart entry above), the worm deletes the following registry key, if it exists:

HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless Server
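The registry indicators above (the Run\WinUpdate autostart value, the Wireless\Client marker and the Wireless Server key) and the four mutexes can be checked with the script below. It is an added example, not Trend Micro's code. It reads a registry export (.reg text) instead of the live registry so it runs offline on any OS; the %System% locations are taken from the note in the write-up, the sample export and its file name ukzjf.exe are constructed, and the mutex probe uses OpenMutexW so it only works on Windows (it returns None elsewhere).

```python
r"""Offline check for the WORM_KORGO.L host indicators (added example, not Trend Micro code).

On a suspect host, export the keys first and pass the file contents in:
    reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg
    reg export HKLM\Software\Microsoft\Wireless wireless.reg
"""
import re
import sys

# %System% locations from the note in the write-up (compared case-insensitively).
SYSTEM_DIRS = (r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32")
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_local_machine\software\microsoft\wireless"
SERVER_KEY = r"hkey_local_machine\software\microsoft\wireless server"
MUTEXES = ("uterm11", "u8", "u9", "u10")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg_export(text):
    """Return {key path (lower-case): {value name: raw data}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def _reg_string(data):
    """Decode a quoted .reg string; backslash and quote are escaped with a backslash."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data


def _reg_dword(data):
    return int(data[6:], 16) if data.lower().startswith("dword:") else None


def _directly_in_system_dir(path):
    """True if path is <system dir>\\<name> with no further subdirectory."""
    for d in SYSTEM_DIRS:
        if path.startswith(d + "\\") and "\\" not in path[len(d) + 1:]:
            return True
    return False


def check_reg_export(text):
    """Return a list of findings; an empty list means none of the indicators was seen."""
    keys = parse_reg_export(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        path = _reg_string(data).lower()
        # The dropped file name is random, so only the value name and location are checked.
        if name.lower() == "winupdate" and path.endswith(".exe") and _directly_in_system_dir(path):
            findings.append("autostart: Run\\%s = %s" % (name, path))
    for name, data in keys.get(MARKER_KEY, {}).items():
        if name.lower() == "client" and _reg_dword(data) == 1:
            findings.append("infection marker: HKLM\\Software\\Microsoft\\Wireless\\Client = 1")
    if SERVER_KEY in keys:
        findings.append("note: HKLM\\Software\\Microsoft\\Wireless Server present (a re-run of the worm deletes it)")
    return findings


def mutex_exists(name):
    """Windows only: True if a mutex of this name can be opened in the caller's session.

    Returns None on other platforms. False also covers a mutex whose DACL denies
    SYNCHRONIZE to the caller, so run this elevated.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.OpenMutexW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    handle = k32.OpenMutexW(0x00100000, False, name)  # SYNCHRONIZE
    if not handle:
        return False
    k32.CloseHandle(ctypes.c_void_p(handle))
    return True


# Constructed sample export; the file name ukzjf.exe is made up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinUpdate"="C:\\WINDOWS\\system32\\ukzjf.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless]
"Client"=dword:00000001
"""

if __name__ == "__main__":
    for finding in check_reg_export(SAMPLE_EXPORT):
        print(finding)
    for mutex in MUTEXES:
        print(mutex, mutex_exists(mutex))
```

`reg export` writes UTF-16 with a byte-order mark, so decode the file (`open(path, encoding="utf-16")`) before passing its text to `check_reg_export`. Only string and DWORD values are interpreted, which is all these indicators need.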

Propagation and Exploit

To propagate, this worm exploits the Windows LSASS vulnerability, a buffer overrun in the Local Security Authority Subsystem Service that allows remote code execution and lets an attacker gain full control of the affected system (the vulnerability addressed by Microsoft Security Bulletin MS04-011).

It generates random IP addresses to attack and opens random TCP ports on the infected host for use in the attack.

It may also execute on Windows 95, 98, and ME systems, but it cannot propagate from them, since the LSASS vulnerability does not exist on those systems.

Backdoor Capabilities

This worm listens on TCP ports 113 and 3067 for incoming connections from other infected machines.

It also opens random TCP ports to receive commands and transmit data. It attempts to connect to the following IRC servers to enable remote access to the affected machine:

  • irc.kar.net
  • gaspode.zanet.org.za
  • lia.zanet.net
  • irc.tsk.ru
  • london.uk.eu.undernet.org
  • washington.dc.us.undernet.org
  • los-angeles.ca.us.undernet.org
  • brussels.be.eu.undernet.org
  • caen.fr.eu.undernet.org
  • flanders.be.eu.undernet.org
  • graz.at.eu.undernet.org
  • moscow-advokat.ru
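The backdoor indicators in this section (a process listening on TCP 113 and 3067, and contact with the IRC servers listed) can be checked from `netstat -ano` output and DNS or proxy logs with the script below. It is an added example, not Trend Micro's code; the netstat excerpt is constructed, PID 1528 stands in for the worm, and the IRC server list is copied from the write-up.

```python
"""Check netstat output and DNS/proxy hostnames for the WORM_KORGO.L backdoor indicators.

Added example, not Trend Micro code.
"""
import re

BACKDOOR_PORTS = {113, 3067}
IRC_SERVERS = {
    "irc.kar.net", "gaspode.zanet.org.za", "lia.zanet.net", "irc.tsk.ru",
    "london.uk.eu.undernet.org", "washington.dc.us.undernet.org",
    "los-angeles.ca.us.undernet.org", "brussels.be.eu.undernet.org",
    "caen.fr.eu.undernet.org", "flanders.be.eu.undernet.org",
    "graz.at.eu.undernet.org", "moscow-advokat.ru",
}

# Windows `netstat -ano` row: Proto, Local Address, Foreign Address, [State], PID.
# UDP rows have no State column, hence the optional group.
_NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+)\s+(?P<raddr>\S+)\s+"
    r"(?P<state>[A-Z_]+)?\s*(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote, state, pid) for each netstat row."""
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        ip, _, port = m.group("laddr").rpartition(":")  # rpartition also handles [::]:port
        yield (m.group("proto"), ip, int(port), m.group("raddr"),
               m.group("state") or "", int(m.group("pid")))


def backdoor_listeners(netstat_text):
    """Map PID -> set of backdoor ports that process has in LISTENING state.

    One process listening on both 113 and 3067 matches the write-up. Port 113
    alone is also served by legitimate ident daemons, so confirm the process
    image: the worm runs as a random-named .EXE in %System%.
    """
    by_pid = {}
    for proto, _ip, port, _remote, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state == "LISTENING" and port in BACKDOOR_PORTS:
            by_pid.setdefault(pid, set()).add(port)
    return by_pid


def irc_contacts(hostnames):
    """Return the names (e.g. from a DNS query log) that are on the worm's IRC server list."""
    return sorted({h.lower().rstrip(".") for h in hostnames} & IRC_SERVERS)


# Constructed `netstat -ano` excerpt; PID 1528 plays the worm.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1528
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING       1528
  UDP    0.0.0.0:500            *:*                                    704
"""

if __name__ == "__main__":
    print(backdoor_listeners(SAMPLE_NETSTAT))
    print(irc_contacts(["IRC.KAR.NET.", "www.example.com", "graz.at.eu.undernet.org"]))
```

The random command ports the worm opens cannot be enumerated this way; treat any unexpected listener owned by the same PID as part of the same finding and resolve the PID to its image path with `tasklist /fi "PID eq <pid>"`.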

Other Details

This worm is written in Visual C++ and arrives UPX-compressed.




Analysis by: Zarestel Ferrer

