Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Korgo Worm Threat Grows

Internet security experts say the Korgo worm may be much more dangerous than first expected.

Thought at one point to be merely another replica of the recent Sasser worm, renewed analysis of Korgo shows that the appearance of 12 variants of the worm in rapid succession could imply something of a "dangerous experiment" being conducted by Korgo's author, according to a virus alert from security firm PandaLabs, Glendale, Calif.

Like Sasser, Korgo exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability, which was originally announced on April 13 in Microsoft Security Bulletin MS04-011. LSASS (Local Security Authority Subsystem Service) provides an interface for managing local security, domain authentication and Active Directory processes. Unpatched computers running the Windows 2000 and XP operating systems are thought to be at most risk of infection by Korgo.

However, unlike Sasser, Korgo maintains a much lower profile in infected systems.

"These worms try to lay low when they infect computers and therefore users won't see telltale signs such as continuous restarts in infected computers. They can also, depending on the variant, delete certain files, open communication ports and try to connect to various IRC servers," a statement from PandaLabs explained.

  • 1