Worm_Korgo.D is a member of the KORGO family of worms, which propagates by exploiting a buffer overrun vulnerability in the Windows LSASS (Local Security Authority Subsystem Service). This vulnerability is discussed in detail in the following pages:
MS04-011_MICROSOFT_WINDOWS
Microsoft Security Bulletin MS04-011
It generates IP addresses and opens random ports to attack.
It also has backdoor functionalities. It opens and listens to ports 113 and 3067 for incoming connections of other infected machines. It also opens random TCP ports to receive commands from a remote user and transmit data. It also attempts to connect to certain IRC channels to enable remote access on the affected machine.
After performing its exploit, this malware may prevent Windows from shutting down, but note that this may not be true on all infected systems.
It displays a warning message as indication that the vulnerability on the LSASS component has been exploited.
IMPORTANT NOTE: This UPX-compressed worm runs on Windows 95, 98, ME, NT, 2000, and XP. However, it is unable to perform the exploit on Windows 95, 98, and ME systems since these platforms are not affected by the LSASS vulnerability.
Technical details are at Trend Micro page.
6/4: Korgo-D Attacks Buffer Overrun
