Korgo Worm Threat Grows

Thought at one point to be merely another replica of the recent Sasser worm, renewed analysis of Korgo shows that the appearance of 12 variants of the worm in rapid succession could imply something of a "dangerous experiment" being conducted by Korgo's author, according to a virus alert from security firm PandaLabs, Glendale, Calif.

Like Sasser, Korgo exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability, which was originally announced on April 13 in Microsoft Security Bulletin MS04-011. LSASS (Local Security Authority Subsystem Service) provides an interface for managing local security, domain authentication and Active Directory processes. Unpatched computers running the Windows 2000 and XP operating systems are thought to be at most risk of infection by Korgo.

However, unlike Sasser, Korgo maintains a much lower profile in infected systems.

"These worms try to lay low when they infect computers and therefore users won't see telltale signs such as continuous restarts in infected computers. They can also, depending on the variant, delete certain files, open communication ports and try to connect to various IRC servers," a statement from PandaLabs explained.

Korgo also employs mutex (mutual exclusion objects), which can control access to system resources and even prevent system resources from being used simultaneously during a compute process.

"We have not been able to determine the goal of this worm's creator," said Luis Corrons, head of PandaLabs, in a statement. "The amount of work being put into the development of the Korgo variants would suggest that this is more than just someone having a bit of fun. This is also far from the typical virus strategy of simply getting as many variants in circulation as quickly as possible to infect as many computers as possible, as they have taken the trouble to make their creations delete their own predecessors." For more information on the worm and fixes, see the PandaLabs Web site.