VIRUS ALERT
June 8, 2004
HIGH

Panda Virus Alert - Korgo Variants

Korgo Worms: Is this a Dangerous Experiment?

The worm's creator seems to be carrying out experiments with new variants aimed at catching users off guard, while aiming to cause a serious epidemic.

GLENDALE, CA – JUNE 09, 2004 - When the Korgo.A worm appeared it was thought to be just another replica of the infamous Sasser. However, the fact that 12 variants have appeared in quick succession points to more threatening motives that could represent a serious concern for the integrity of IT systems.

The Korgo worms, just like Sasser, exploit the LSASS vulnerability to spread rapidly across the Internet. But unlike Sasser, these worms try to lie low when they infect computers, so users won't see tell-tale signs such as continuous restarts on infected computers. They can also, depending on the variant, delete certain files, open communication ports and try to connect to various IRC servers.

Another important characteristic is that some of the Korgo worms use mutexes (mutual exclusion objects). These objects control access to system resources and prevent more than one process from using the same resource at the same time; a worm creates one so that only a single copy of itself runs on an infected computer, which makes the mutex name a useful fingerprint for the variant. One of the mutexes created by these malicious codes is called “utermXX” (XX is a number, apparently sequential). So while Korgo.C uses the mutex “uterm7”, Korgo.J uses “uterm12”. This would imply that there are at least 12 versions of the worm (in this case, a version is a virus that has substantially different characteristics to its predecessors). In addition, there are other lesser variants, differing only fractionally from the original version. This is the case, for example, with Korgo.K and Korgo.L, created by introducing minor modifications to the original code.

These malicious codes also alter the Windows Registry, with each new variant removing the changes made by its predecessors and making new changes. This means that the order in which they were created can be traced from the changes they make. For example, Korgo.D deletes the entries created by Korgo.F, implying that Korgo.D is actually the more recent creation.

“We have not been able to determine the goal of this worm's creator,” said Luis Corrons, head of PandaLabs. “The amount of work being put into the development of the Korgo variants would suggest that this is more than just someone having a bit of fun. This is also far from the typical virus strategy of simply getting as many variants in circulation as quickly as possible to infect as many computers as possible, as they have taken the trouble to make their creations delete their own predecessors.”

It appears that the creators are trying to fine-tune the malicious code in order to create a highly damaging example that will take users by surprise. It would, nevertheless, be a ‘silent’ epidemic, as one of the main features of the Korgo worms is that their actions can go unnoticed by users.

One seemingly contradictory detail is that despite such technical ingenuity, Korgo uses the LSASS vulnerability to propagate and will therefore cease to spread as users install the patch that fixes this flaw in Windows. This may not be a problem for its creators because, as Corrons explains: “The creator of the worm could exploit other vulnerabilities as they are discovered. This is why it is advisable to keep an eye on the new variants which will no doubt appear. The sooner the creator is caught the better.”

To prevent incidents involving the Korgo worms, Panda Software advises users to take precautions and update their antivirus software. The company has already made the updates to its products available to users to ensure their solutions can detect and eliminate these malicious codes.
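As an added illustration of the lineage reasoning above (example code written for this page, not PandaLabs' analysis or code), the following Python script turns "variant X deletes Registry entries that variant Y created" into a precedence relation and orders the variants accordingly. The Registry value names and the creates/deletes relationships are constructed placeholders, not the entries of the actual Korgo samples; the variant letters are reused from the alert only to keep the example readable. The script also flags contradictory evidence, such as two variants each deleting the other's entries, instead of silently producing an order.

```python
"""Infer the creation order of worm variants from the Registry edits each one makes.

Added example, not Panda Software's or PandaLabs' code. The Registry value
names and relationships below are constructed placeholders for the analysis
pattern described in the alert (each variant removes its predecessors'
entries and adds its own); they are not indicators from real Korgo samples.
"""
from collections import defaultdict, deque

# Constructed sample: variant -> (values it creates, values it deletes).
# Value names are hypothetical; they only need to match across variants.
SAMPLE_VARIANTS = {
    "Korgo.A": ({"Run\\placeholder-A"}, set()),
    "Korgo.F": ({"Run\\placeholder-F"}, {"Run\\placeholder-A"}),
    "Korgo.D": ({"Run\\placeholder-D"}, {"Run\\placeholder-F"}),
    "Korgo.J": ({"Run\\placeholder-J"}, {"Run\\placeholder-D"}),
}


def precedence_edges(variants):
    """Yield (older, newer) pairs: if X deletes a value that Y creates, Y predates X."""
    creators = defaultdict(set)
    for name, (created, _deleted) in variants.items():
        for value in created:
            creators[value].add(name)
    for name, (_created, deleted) in variants.items():
        for value in deleted:
            for creator in creators.get(value, ()):
                if creator != name:
                    yield creator, name


def infer_order(variants):
    """Topologically sort variants by precedence; raise if the evidence is contradictory."""
    indeg = {v: 0 for v in variants}
    succ = defaultdict(set)
    for older, newer in precedence_edges(variants):
        if newer not in succ[older]:
            succ[older].add(newer)
            indeg[newer] += 1
    # Sorted queues keep the output deterministic when variants are unrelated.
    queue = deque(sorted(v for v, d in indeg.items() if d == 0))
    order = []
    while queue:
        v = queue.popleft()
        order.append(v)
        for n in sorted(succ[v]):
            indeg[n] -= 1
            if indeg[n] == 0:
                queue.append(n)
    if len(order) != len(variants):
        # Leftover nodes with positive in-degree sit on a cycle: A deletes B's
        # entries and B deletes A's, which no single creation order explains.
        cycle = sorted(v for v, d in indeg.items() if d > 0)
        raise ValueError(f"contradictory evidence among {cycle}")
    return order


def evidence_is_consistent(variants):
    """True when the creates/deletes evidence admits at least one creation order."""
    try:
        infer_order(variants)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for older, newer in precedence_edges(SAMPLE_VARIANTS):
        print(f"{newer} deletes an entry created by {older} -> {older} predates {newer}")
    print("inferred creation order:", " < ".join(infer_order(SAMPLE_VARIANTS)))
```

The value names are the only thing that ties variants together, so the same routine works on any list of "this sample adds these Run values and removes those" facts from a sandbox or a disassembly, and the contradiction check is what tells an analyst that two samples were mis-attributed rather than one being the other's successor.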
To keep Korgo and its variants at bay, it is essential to apply the patch released by Microsoft to fix the LSASS vulnerability, which can be downloaded at: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

More information on this worm and others is available in Panda Software's Virus and Intrusions Encyclopedia. Users can also detect and disinfect this and other malicious code using the free online antivirus, Panda ActiveScan, which is also available on the company's website at: http://www.pandasoftware.com/

About PandaLabs

On receiving a possibly infected file, Panda Software's technical staff gets right to work. The file is analyzed and, depending on the type, the action taken may include disassembly, macro scanning, code analysis, etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.

For more information: Alan Wallace [email protected]

Original source: panda-us-virusalert-2004-06-09-korgovariants.doc