Malicious Software Encyclopedia: Win32/Korgo

Published: September 8, 2005

Win32/Korgo is a family of worms that spread by exploiting vulnerabilities in certain versions of Microsoft Windows that do not have Microsoft security update MS04-011 installed. Some variants of this worm open a backdoor component to gain unauthorized access to other computers.

Severity

What the levels mean

Glossary Terms

Click the term to get the definition from our Security Glossary.

•	Trojan horse
•	virus
•	worm

Threat Overview

Class/type	Worm - Network
Discovered	May 21, 2004
Circulating	Yes
Affected operating systems	Windows 2000 Windows XP Windows Server 2003
Affected software	Not specified
Infection rating	Low
Recovery difficulty	Moderate
Damage rating	Medium
Transmission rating	Low

Top of page

Aliases (Also Known As)

Different antivirus vendors may be using different names to refer to this malicious software. Here are some of the names currently in use by antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA):

CA: Win32.Korgo

McAfee: W32/Korgo.worm

Symantec: W32.Korgo

Trend Micro: WORM_KORGO

Learn more about the Microsoft Virus Information Alliance.

Top of page

Related Security Bulletins

The following Microsoft Security bulletins are related to this issue:

MS04-011 - Security Update for Microsoft Windows (835732)

Top of page

Technical Analysis

Variants of the Win32/Korgo worm spread by exploiting buffer overflow vulnerabilities in the Private Communication Technology (PCT) protocol and the Windows Local Security Authentication Server (LSASS) service process. These vulnerabilities are patched in Microsoft Security Bulletin MS04-011.

Win32/Korgo creates a command shell on the infected computer, which then downloads and runs a copy of the worm. The worm may also open a backdoor to an unpatched computer to gain unauthorized access. The worm may download executable files, such as worm updates, from a specified server.

Top of page

How to Prevent Infection

Take the following steps to help prevent infection on your system:

Enable a firewall on your computer
Get the latest computer updates
Use up-to-date antivirus software

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP

Click Start, and click Control Panel.
Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Highlight a connection that you want to help protect, and click Change settings of this connection.
Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
Click OK.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Microsoft Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates

Click Start, and click Control Panel.
Click Performance and Maintenance. If you do not see Performance and Maintenance , click Switch to Category View.
Click System.
Click Automatic Updates, and select Keep my computer up to date.
Select a setting. Microsoft recommends selecting Automatically download the updates, and install them on the schedule that I specify and setting a regular update time.
If you choose to have Automatic Updates notify you in step 5, you will see a notification balloon when new downloads are available to install. Click the notification balloon to review and install updates.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. You should always run antivirus software on your computer that is updated with the latest signature files to automatically help protect you from infection.

Top of page