Description:
This worm is a member of the KORGO family of worms, which propagates by exploiting a buffer overrun vulnerability in the Windows LSASS (Local Security Authority Subsystem Service). This vulnerability is discussed in detail in the following pages:
It generates IP addresses and opens random ports to attack.
It also has backdoor functionality. It listens on ports 113 and 3067 for incoming connections from other infected machines. It then opens random TCP ports to receive commands from a remote user and to transmit data, and attempts to connect to certain IRC channels to enable remote access to the affected machine.
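A host-side check for the listening behaviour described above, as an added example that is not part of the original description: it parses text in the format printed by `netstat -ano` and flags any process listening on both port 113 and port 3067. The sample output is constructed, and requiring both ports under one PID is an assumption made here to avoid flagging a legitimate ident service on port 113 alone.

```python
import re

# Ports this description says the worm listens on.
KORGO_PORTS = {113, 3067}

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1412
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING       1412
  TCP    0.0.0.0:2841           0.0.0.0:0              LISTENING       1412
  TCP    10.0.0.5:1067          10.0.0.9:3067          ESTABLISHED     2200
  TCP    [::]:113               [::]:0                 LISTENING       3020
  UDP    0.0.0.0:445            *:*                                    4
"""

# Matches only TCP rows in LISTENING state; handles IPv4 and [IPv6] addresses.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listeners_by_pid(netstat_text):
    """Map PID -> set of TCP ports that PID is listening on."""
    result = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            result.setdefault(int(m.group(3)), set()).add(int(m.group(2)))
    return result


def suspect_pids(netstat_text, ports=KORGO_PORTS):
    """Return {pid: other_listening_ports} for PIDs listening on every port in `ports`."""
    hits = {}
    for pid, owned in listeners_by_pid(netstat_text).items():
        if ports <= owned:
            # The extra ports are worth reviewing: the description says the
            # worm also opens random TCP ports to receive commands.
            hits[pid] = sorted(owned - ports)
    return hits


if __name__ == "__main__":
    for pid, extra in suspect_pids(SAMPLE_NETSTAT).items():
        print(f"PID {pid} listens on 113 and 3067; other listening ports: {extra}")
```

A flagged PID is a lead for further inspection of the owning executable, not a confirmed infection.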
After performing its exploit, this malware may prevent Windows from shutting down, but note that this may not be true on all infected systems.
It displays a warning message as an indication that the vulnerability in the LSASS component has been exploited.
IMPORTANT NOTE: This UPX-compressed worm runs on Windows 95, 98, ME, NT, 2000, and XP. However, it is unable to perform the exploit on Windows 95, 98, and ME systems since these platforms are not affected by the LSASS vulnerability.
For additional information about this threat, see: Solution Technical Details
Description created: Jun. 17, 2004 11:42:19 PM GMT -0800