6/4: Korgo-D Attacks Buffer Overrun

June 4, 2004

Worm_Korgo.D is a member of the KORGO family of worms, which propagates by exploiting a buffer overrun vulnerability in the Windows LSASS (Local Security Authority Subsystem Service). This vulnerability is discussed in detail in the following pages:

Microsoft Security Bulletin MS04-011

It generates IP addresses and opens random ports to attack.

It also has backdoor functionality. It opens and listens on ports 113 and 3067 for incoming connections from other infected machines. It also opens random TCP ports to receive commands from a remote user and transmit data. It also attempts to connect to certain IRC channels to enable remote access on the affected machine.
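As an added example (not from this article or from Trend Micro), here is a defender-side check in Python over constructed `netstat -an`-style lines: it flags a host that has both backdoor ports named above (113 and 3067) in the LISTENING state, and separately flags a burst of half-open outbound connections to many distinct addresses, the footprint of the worm's address-generation scanning. The scan threshold and all sample lines are assumptions.

```python
import re

# Ports the write-up says the Korgo-D backdoor listens on.
KORGO_LISTEN_PORTS = {113, 3067}
# Distinct half-open targets before we call it scanning (assumed threshold, not from the write-up).
SCAN_TARGET_THRESHOLD = 20

# Constructed sample in the shape of Windows `netstat -an` output; not a real capture.
SAMPLE_NETSTAT = "\n".join(
    ["  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING",
     "  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING",
     "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
     "  UDP    0.0.0.0:137            *:*"]
    # 25 half-open outbound connections to distinct constructed addresses.
    + [f"  TCP    192.0.2.10:{1100 + i}   198.51.100.{i}:{2000 + i}   SYN_SENT" for i in range(25)]
)
# Constructed benign host: only an ident service on 113 and one web session.
BENIGN_NETSTAT = ("  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING\n"
                  "  TCP    192.0.2.10:1050        198.51.100.7:80        ESTABLISHED\n")

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")

def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _laddr, lport, raddr, _rport, state = m.groups()
        rows.append({"proto": proto, "lport": int(lport), "raddr": raddr, "state": state or ""})
    return rows

def analyze(text):
    """Apply the two Korgo-D indicators from the write-up to parsed netstat output."""
    rows = parse_netstat(text)
    listening = {r["lport"] for r in rows if r["proto"] == "TCP" and r["state"] == "LISTENING"}
    syn_targets = {r["raddr"] for r in rows if r["state"] == "SYN_SENT"}
    return {
        "backdoor_ports_open": sorted(KORGO_LISTEN_PORTS & listening),
        # Port 113 alone is a normal ident service; require both ports before flagging.
        "backdoor_suspected": KORGO_LISTEN_PORTS <= listening,
        "distinct_syn_targets": len(syn_targets),
        "scanning_suspected": len(syn_targets) >= SCAN_TARGET_THRESHOLD,
    }
```

Run `analyze()` on the output of `netstat -an` captured from a suspect host; a True in either flag is a reason to pull the host for the full Trend Micro cleanup procedure rather than proof by itself.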

After performing its exploit, this malware may prevent Windows from shutting down, but note that this may not be true on all infected systems.

It displays a warning message as indication that the vulnerability on the LSASS component has been exploited.

IMPORTANT NOTE: This UPX-compressed worm runs on Windows 95, 98, ME, NT, 2000, and XP. However, it is unable to perform the exploit on Windows 95, 98, and ME systems since these platforms are not affected by the LSASS vulnerability.

Technical details are on the Trend Micro page.
