W32.Korgo.F is one of the more widespread worm variants hassling users on the Internet.
This question was answered on June 4, 2004. Much of the information contained herein may have changed since posting.
The threat level for W32.Korgo.F (A.K.A Kaspersky), found on June 1st, has already been upgraded to a Category 3 on the SARC site. This new threat has backdoor functionality that allows unauthorized access to networks.

The worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability on TCP port 445. It also listens on TCP ports 113, 3067, 6667 and other random ports.

The primary symptoms for infected machines include the inability to shut down or reboot the system and a performance decrease. Microsoft Windows 2000 & XP are the only operating systems affected by this wild worm.

The security hole, known as the LSASS vulnerability, is the same vulnerability the Sasser worm attacked. Sophos experts have advised computer users that there is no need to panic about the family of worms known as Korgo, because if you updated to protect against Sasser then you have already sealed up the vulnerability.

FOR THE TECHNICALLY INCLINED: If you have a system that is already infected by this worm, then download the removal tool at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.f.removal.tool.html

For optimal security it is suggested that you update your Microsoft & anti-virus software. You can get more technical information about this outbreak & removal instructions at:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.sarc.com/avcenter/venc/data/w32.korgo.f.html

FOR THOSE NOT TECHNICALLY INCLINED - Contact your nearest Data Doctors location for service:
https://www.datadoctors.com/locations/
About the author
Posted by Michal of Data Doctors on June 4, 2004
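A triage check built from the ports listed above, added here as an example and not part of the original answer: it parses Windows `netstat -an` output and reports listeners on TCP 113, 3067 and 6667, plus whether TCP 445 is listening. The function names and the sample output are constructed for illustration; because the worm also uses random ports, and 113 and 6667 have legitimate uses, the result is an indicator only.

```python
import re

# Listener ports the advisory attributes to W32.Korgo.F.
KORGO_LISTEN_PORTS = {113, 3067, 6667}
LSASS_EXPLOIT_PORT = 445  # port the worm targets to propagate

# Windows `netstat -an` TCP row: proto, local addr:port, foreign addr, state,
# with an optional trailing PID column (as printed by `netstat -ano`).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+(\S+)(?:\s+\d+)?\s*$", re.I)

def tcp_listeners(netstat_text):
    """Return the set of (local_address, port) pairs in LISTENING state."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and m.group(3).upper() == "LISTENING":
            found.add((m.group(1), int(m.group(2))))
    return found

def triage(netstat_text):
    """Summarise listeners relevant to the advisory. Indicator only."""
    listeners = tcp_listeners(netstat_text)
    hits = sorted((p, a) for a, p in listeners if p in KORGO_LISTEN_PORTS)
    return {
        "korgo_port_listeners": [(a, p) for p, a in hits],
        "tcp_445_listening": any(p == LSASS_EXPLOIT_PORT for _, p in listeners),
    }

# Constructed sample output, not captured from a real host.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1042      10.0.0.5:6667          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The ESTABLISHED row to remote port 6667 is deliberately not counted, since the advisory describes the worm listening on that port locally.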