
6/4: Korgo-D Attacks Buffer Overrun
June 4, 2004

Worm_Korgo.D is a member of the KORGO family of worms. It propagates by exploiting a buffer overrun vulnerability in the Windows LSASS (Local Security Authority Subsystem Service), the flaw patched by the bulletin below, which discusses it in detail:

Microsoft Security Bulletin MS04-011

It generates IP addresses at random as attack targets and opens random ports on the infected host as part of the attack.

It also has backdoor functionality. It opens and listens on TCP ports 113 and 3067 for incoming connections from other infected machines, and opens additional random TCP ports to receive commands from a remote user and to transmit data. It also attempts to connect to certain IRC channels so that an attacker can remotely access the affected machine.
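The two network behaviours described above (random-target attacks, and a backdoor listening on TCP 113 and 3067 plus an outbound IRC connection) are what a responder would look for on a suspect host. The following is an added example, not code from the original article or from Trend Micro: it parses Windows `netstat -ano` style output and flags those indicators. Only ports 113 and 3067 come from the article; the IRC port range, the use of TCP 445 as the port the LSASS interface is attacked over, the scan threshold, and the sample output are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the article: the backdoor listens on TCP 113 and 3067.
KORGO_LISTEN_PORTS = {113, 3067}
# Assumptions, not from the article: common IRC server ports, and the SMB port
# over which the MS04-011 LSASS interface is reached when the worm attacks.
IRC_PORTS = set(range(6660, 6670))
SMB_PORT = 445
SCAN_THRESHOLD = 3  # distinct 445 targets from one PID before we call it a scan


@dataclass(frozen=True)
class Finding:
    kind: str     # "korgo_listener", "irc_connection" or "smb_scan"
    detail: str   # address:port (or target count) the finding is about
    pid: int


# One "netstat -ano" TCP row: proto, local addr:port, foreign addr:port, state, PID.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def scan_netstat(text: str, trusted_ident_pids: frozenset[int] = frozenset()) -> list[Finding]:
    """Return indicator matches found in netstat -ano style output."""
    findings: list[Finding] = []
    smb_targets: dict[int, set[str]] = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or UDP line
        laddr, lport, raddr, rport, state, pid = m.groups()
        lport, rport, pid = int(lport), int(rport), int(pid)
        if state == "LISTENING" and lport in KORGO_LISTEN_PORTS:
            # Port 113 is also the legitimate ident service; a caller may
            # whitelist a known identd PID so it is not reported.
            if lport == 113 and pid in trusted_ident_pids:
                continue
            findings.append(Finding("korgo_listener", f"{laddr}:{lport}", pid))
        elif state == "ESTABLISHED" and rport in IRC_PORTS:
            findings.append(Finding("irc_connection", f"{raddr}:{rport}", pid))
        elif state == "SYN_SENT" and rport == SMB_PORT:
            # Half-open connections to many different hosts on 445 from one
            # process is the footprint of the random-target attack loop.
            smb_targets[pid].add(raddr)
    for pid, targets in smb_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings.append(Finding("smb_scan", f"{len(targets)} targets on {SMB_PORT}", pid))
    return findings


# Constructed sample, not a real capture. PID 1532 plays the infected process.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.20:1044      203.0.113.7:6667       ESTABLISHED     1532
  TCP    192.168.1.20:1051      198.51.100.9:445       SYN_SENT        1532
  TCP    192.168.1.20:1052      198.51.100.23:445      SYN_SENT        1532
  TCP    192.168.1.20:1053      203.0.113.88:445       SYN_SENT        1532
  UDP    0.0.0.0:500            *:*                                    684
"""

if __name__ == "__main__":
    for f in scan_netstat(SAMPLE_NETSTAT):
        print(f"{f.kind:15} pid={f.pid:<6} {f.detail}")
```

Two caveats matter in practice: a listener on 113 alone is weak evidence because identd legitimately binds that port (hence the whitelist parameter), and the random command ports the article mentions cannot be matched by number at all, so the correlation to a single PID that also listens on 3067 and holds an IRC session is what carries the verdict.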

After performing its exploit, this malware may prevent Windows from shutting down, although this does not happen on every infected system.

The affected system displays a warning message, which is an indication that the vulnerability in the LSASS component has been exploited.

IMPORTANT NOTE: This UPX-compressed worm runs on Windows 95, 98, ME, NT, 2000, and XP. However, it is unable to perform the exploit on Windows 95, 98, and ME systems since these platforms are not affected by the LSASS vulnerability.

Technical details are on the Trend Micro page.
