
CERT-In Incident Note CIIN-2004-07

W32.Korgo.F worm

Original Issue Date: June 11, 2004

Type : Worm

Aliases: Worm.Win32.Padobot.e, W32/Korgo.worm.g

Severity: High

Systems Affected: Windows 2000, Windows XP

Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x, Windows 95, Windows 98, Windows Me, Windows NT

Overview

This worm is multithreaded malware and its variants are spreading widely. It attempts to exploit the recently published Microsoft LSASS vulnerability described in CERT-In Advisory CIAD-2004-10. The worm arrives as an executable ("exe") file with a random file name.

Impact

Opens TCP ports 113, 3067 and other random ports, listens on them and, when it receives a certain message, sends a copy of itself to the remote computer.

Tries to connect to IRC servers on TCP port 6667 and receive commands from certain sites.

Description

This worm takes advantage of a buffer overrun vulnerability in LSASS. Unlike many recent worms, it does not spread via email. It works by randomly scanning for machines with a vulnerable LSASS and then instructing those systems to download and execute the viral code. No user intervention is required for infection or propagation.

When executed, the worm:

  • ensures that only one instance of the malware remains in memory by creating the following mutexes:
    • u6
    • u7
    • u8
    • uterm8
  • creates the following autorun registry entry to ensure it is executed at every system startup:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    System Restore Service = "%System%\<Random file name>"
  • deletes the file Ftpupd.exe from the folder where the worm was executed, and drops a randomly named copy of itself in the Windows system folder. Once the copy has been dropped, it executes that copy and terminates its own process.
  • deletes the following values from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
    • "System Service Manager"
    • "System Restore Service"
    • "Bot Loader"
    • "Windows Update Service"
    • "WinUpdate"
    • "Windows Security Manager"
    • "avserve.exe"
    • "avserve2.exe"
  • searches for the value "Disk Defragmenter" in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
    • If the value does not exist, the worm adds the value "Client=1" to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless.
    • If the value exists but its file path differs from the worm's own path, the worm:
      • copies itself to the system folder as %System%\<random filename>.exe
      • adds the value "Disk Defragmenter"="%System%\<random filename>.exe" to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      • launches <random filename>.exe and ends the current process.
    • If the "Disk Defragmenter" value exists and matches the path of the worm, it deletes the value "Client" from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wireless.
  • tries to inject itself into explorer.exe as a thread. If successful, it runs within the explorer.exe process and is not visible in the Windows Task Manager; if unsuccessful, it runs as its own process.
  • creates additional threads that do the following:
    • open TCP ports 113, 3067 and other random ports. The worm listens on these ports and, when it receives a certain message, sends a copy of itself to the remote computer.
    • attempt to exploit the Windows LSASS vulnerability on TCP port 445; if successful, the exploited computer connects back to the infected computer on one of the opened TCP ports.
    • try to connect to a set of IRC servers on TCP port 6667 to receive commands.

Note: This UPX-compressed worm runs on Windows 95, 98, ME, NT, 2000, and XP. However, it is unable to perform the exploit on Windows 95, 98, and ME systems since these platforms are not affected by the LSASS vulnerability.
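Added here as a detection example (not part of the CERT-In note): a small Python script that applies the network behaviour described above to a flow log, flagging hosts that probe many peers on TCP/445, receive a connect-back on TCP/113 or 3067 from a probed peer, or contact TCP/6667. The log format, the scan threshold and the sample addresses are constructed assumptions.

```python
"""Flag hosts whose connection pattern matches the Korgo.F behaviour described
above: probing many peers on TCP/445, accepting a connect-back on TCP/113 or
TCP/3067 from a probed peer, and contacting an IRC server on TCP/6667."""
from collections import defaultdict

SCAN_THRESHOLD = 4                 # distinct 445 targets before calling it a scan
CONNECT_BACK_PORTS = {113, 3067}   # ports the worm listens on (see above)
IRC_PORT = 6667

# Constructed sample flow log for this example: "<src_ip> -> <dst_ip>:<dst_port>".
SAMPLE_LOG = """\
10.0.0.7 -> 10.0.0.21:445
10.0.0.7 -> 10.0.0.22:445
10.0.0.7 -> 10.0.0.23:445
10.0.0.7 -> 10.0.0.24:445
10.0.0.24 -> 10.0.0.7:3067
10.0.0.7 -> 203.0.113.9:6667
10.0.0.50 -> 10.0.0.51:445
10.0.0.50 -> 10.0.0.52:80
malformed line
"""

def parse_flows(text):
    """Yield (src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "->" or ":" not in parts[2]:
            continue
        dst, port = parts[2].rsplit(":", 1)
        if port.isdigit():
            yield parts[0], dst, int(port)

def korgo_indicators(text):
    """Return {host: set(indicator_names)} for every host with at least one."""
    findings = defaultdict(set)
    lsass_targets = defaultdict(set)   # scanner -> hosts it probed on 445
    connect_backs = defaultdict(set)   # listener -> hosts that reached 113/3067
    for src, dst, dport in parse_flows(text):
        if dport == 445:
            lsass_targets[src].add(dst)
        elif dport in CONNECT_BACK_PORTS:
            connect_backs[dst].add(src)
        elif dport == IRC_PORT:
            findings[src].add("irc_6667")
    for host, targets in lsass_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings[host].add("lsass_scan")
    for host, peers in connect_backs.items():
        if peers & lsass_targets.get(host, set()):   # connect-back from a probed peer
            findings[host].add("connect_back")
    return dict(findings)
```

A host that shows all three indicators together is a strong candidate for isolation and the removal steps in the Solution section; a single 445 probe, as from 10.0.0.50 in the sample, is not flagged.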

Solution

Disable System Restore in Windows 2000/XP, as the system may back up the malware and restore it while repairing damage caused by the virus. Windows XP and 2000 systems should be patched against the LSASS vulnerability as described in CERT-In advisory CIAD-2004-10. Symantec has released a removal tool for this worm.

References

Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.f.html#technicaldetails

Removal Tool: http://www.sarc.com/avcenter/venc/data/w32.korgo.removal.tool.html

F-Secure:
http://www.f-secure.com/v-descs/korgo_f.shtml

Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KORGO.F

Secunia:
http://secunia.com/virus_information/9767/korgo.f/

Disclaimer
The information provided here-in is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003