Slashdot Mirror


Windows Users Fear Korgo Virus

An anonymous reader writes "A new virus is on the prowl that can infect your Windows XP/2K system and record every key you hit on your keyboard. The keys are then sent back to the virus creator where he/she can steal your passwords and credit card information. The virus named, Korgo, started showing up in the last week of May but it now has at least six different variants. To protect yourself from this nasty virus, Microsoft is urging all users to download the KB835732 Security Update. As with the Sasser worm, you'll get the Korgo virus without even knowing it. It does not arrive by email, but simply by being connected to a network or to the Internet without having a patched machine or a properly configured firewall."

15 of 533 comments

  1. Details: by ack154 · · Score: 5, Informative
    According to Symantec, the F variant of this seems to be the worst, or most prominent. Currently a level 3, here's the SARC page for it: Korgo.F. There is a removal tool available as well.

    Main details from top of SARC page:
    W32.Korgo.F is a minor variant of W32.Korgo.E. It is a worm that attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) on TCP port 445. It also listens on TCP ports 113, 3067, and other random ports.
    Happy cleaning.
    1. Re:Details: by EndlessNameless · · Score: 5, Informative

      It listens on those ports. It only infects through 445. Block incoming on that port (which 99.9% of home users can do without problems), and you're safe. For those who actually need that port for https... well, consider linux. :) Although, MS does have a workaround for it.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    2. Re:Details: by JamesTRexx · · Score: 5, Informative

      https is on 443, so no problem there...

      --
      home
  2. Hmmm.... by Mz6 · · Score: 5, Informative
    For some reason the poster left out the following, critical, piece of information (oh.. and for those that don't RTFA). This virus uses the exact same flaw as the Sasser virus -- LSASS Buffer Overrun Vulnerability. What's weird is that the infections are still climbing meaning that after almost 2 months (patch released on April 13) and a HUGE rash of infections from Sasser, there are some folks that have still refused to apply the Microsoft patch. As much as I hate to say it, IMHO, they almost deserve it...

    For those that have just come out from their rock, here is a removal tool for this latest worm

    And IIRC, shouldn't any good (read: non-XP) firewall automatically be blocking these ports (or at least 445) right out-of-the-box?

    --
    Hmmm.
    1. Re:Hmmm.... by eln · · Score: 5, Informative

      You can run windows update and get security patches and any other updates available through that medium on a pirated copy without any trouble at all.

      Or, you know, so I've heard.

    2. Re:Hmmm.... by Ayaress · · Score: 4, Informative

      If you think that's bad, I recently reformatted a relative's Win2k computer because of a trashed partition. I then connected to the internet to download ZoneAlarm onto it and run windows update, and it was almost immediately infected with W32Blaster. Getting on a year after the patch came out, and most of a year since the virus made such a mess of things, there's still enough people out there with this virus (and hence, without the patch to protect against it) to make it dangerous to unpatched computers.

    3. Re:Hmmm.... by FattMattP · · Score: 4, Informative
      I then connected to the internet to download ZoneAlarm onto it and run windows update, and it was almost immediately infected with W32Blaster.
      What made you think putting an unsecured machine on a network unprotected would be a good idea, even to get patches? As you saw, it'll get infected in minutes. Maybe you should put Zonealarm on a CD or a USB memory key and move it over that way.
      --
      Prevent email address forgery. Publish SPF records for y
  3. Advisory by michaelhood · · Score: 5, Informative

    Symantec's Advisory. Listens on TCP ports 113, 2041, and 3067. 113 is identd, 2041 is interbase, 3067 seems invented. Firewall as appropriate.

  4. Re:Details: , Issued: April 13, 2004 by Steve_Jobs_HNIC · · Score: 5, Informative

    Microsoft Security Bulletin MS04-011
    Security Update for Microsoft Windows (835732)

    Issued: April 13, 2004
    Updated: May 4, 2004
    Version: 1.3

  5. Worm vs Virus by DJ-Dodger · · Score: 5, Informative

    If you "just get it" without having to run anything, it's a worm, not a virus. It's not complicated.

    1. Re:Worm vs Virus by hovis · · Score: 4, Informative
      It's kinda more complicated than that:

      VIRUS: File infector, self-replicating
      A virus will insert its own code into another _pre-existing_ file. It also replicates automatically every time it's run.

      WORM: Self-replicating
      A worm self-replicates like a virus, but it does not infect pre-existing files. A worm will create a whole new file that is pure viral code (usually with a spoofed name like iexplorer.exe as opposed to the legit file iexplore.exe)

      TROJAN:
      A trojan is also its own file of pure viral code, but does not self-replicate (However, they frequently facilitate remote control of the Trojan that can be used to replicate it)

      Symantec has a document on this, the link is... What is the difference between Viruses, Trojans and Worms?

      --
      Confidence is the feeling you have before you understand the situation.
  6. Re:Sent back to creator? by metrazol · · Score: 4, Informative

    ...you're new here, aren't you?

    "Sent back to the creator" means data is dumped into an IRC channel, newsgroup, or possibly some zombied machine. There's little way to track the person behind the bot, so to speak.

    Of course, a little way is all it takes to pinch some angsty German teenager...

    --
    "Life's funny sometimes." "And sometimes it isn't." --Cat's Cradle
  7. Not Exactly... by mexnix · · Score: 5, Informative

    F-Secure Weblog says Korgo doesn't install a key logger by default, but that the "cracker team" uses Korgo's backdoor to do so. So, you won't necessarily have the key logger installed if you have any of the Korgo variants. At least, none up to this point...

  8. Re:Details: , Issued: April 13, 2004 by Tenareth · · Score: 4, Informative

    Yes, and the 011 patch also killed about 5% of the machines it was installed on before the May 4 update. Now it only kills about 1%, or about 100 machines in our case. Not to mention the several apps it killed.

    --
    This sig is the express property of someone.
  9. Re:Issued two months ago--why was that not mention by Openstandards.net · · Score: 4, Informative
    Most of those aren't Linux holes. They are application holes. The difference is that most of the applications you run on Windows are not from Microsoft, and therefore are never included in Microsoft security advisories. When was the last time Microsoft put out a fix for an Adobe vulnerability?

    I run RH 9 and FreeBSD 4.9. I looked at the list on the front page, and none of the issues put me at risk.

    There are two reasons a person can be unaffected by the vulnerability if they don't patch. One is they don't have or run the affected software. Gnome users that never use KDE aren't impacted by KDE runtime vulnerabilities. The other is that their network is protected enough to render the vulnerability useless (firewall, local IP security, chroot, NAT, etc.)

    The only vulnerability I've seen announced this year that I've had any concern about was the CVS one. Fortunately, though, I have yet to open up my firewall for outside access to CVS. When I do, I plan to use SSH, in which case the vulnerability wouldn't have impacted me. Thus, so far in 2004 between the two operating systems I have had no true vulnerabilities.

    Sure, you could say the version of MySQL I'm running has the symlink vulnerability. But, if an attacker can't get local non-chroot'd shell access, then what relevance is a symlink vulnerability?

    Contrast it to Korgo and Sasser, which hit Windows ports that are opened by default. I can't tell you how many times I see ports 135 and 445 in my daily logs of packet rejections. Plus, infecting the processes using those ports gives the attack complete control of the system.

    Windows is plagued by REMOTE vulnerabilities to MICROSOFT software. Linux distributions mostly have LOCAL vulnerabilities with the independent APPLICATIONS that are packaged with them, not the operating system itself. Most of these vulnerabilities require LOCAL access and most of this software runs on Windows as well (e.g., Apache), so the vulnerability usually applies to both operating systems, but appears on the linux security alerts simply because they are one of the thousands of optional programs being included on the FOSS CDs. You have to download Apache if you have Windows because Microsoft is not going to include it, and Microsoft isn't going to send you a patch for it, or even post an Errata, just because you are running it on Windows.

    I've also administered Windows servers for many years, using Windows 3.1, Workgroups, NT 3.5/4.0, 2000 and XP, and used just about all their software, including Visual Studio, InterDev, IIS, and COM/DCOM. I still run 2000 and XP in addition to RH 9 and FreeBSD. I've developed my opinion from experience securing production servers in both Windows and Linux, as have other people posting on /.
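Two defensive checks the thread keeps coming back to, the firewall rejection logs for ports 135 and 445 (comment 9) and the listener ports Symantec's advisory attributes to Korgo (comments 1 and 3), as an added Python example that belongs to none of the posters; the iptables-style log lines and the netstat listing are constructed sample data, and the log format is an assumption.

```python
import re
from collections import Counter

# Ports the thread names as the infection path (445 for LSASS, 135 for the
# Blaster-era RPC traffic) and the ports Symantec's advisory says Korgo listens on.
INFECTION_PORTS = {135, 445}
KORGO_LISTEN_PORTS = {113, 2041, 3067}

# Constructed firewall log lines in an assumed iptables-style format; not real data.
SAMPLE_LOG = """\
Jun  3 01:12:07 gw kernel: REJECT IN=eth0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=1031 DPT=445
Jun  3 01:12:08 gw kernel: REJECT IN=eth0 SRC=198.51.100.7 DST=203.0.113.3 PROTO=TCP SPT=1032 DPT=445
Jun  3 01:12:09 gw kernel: REJECT IN=eth0 SRC=198.51.100.7 DST=203.0.113.4 PROTO=TCP SPT=1033 DPT=445
Jun  3 01:13:41 gw kernel: REJECT IN=eth0 SRC=192.0.2.55 DST=203.0.113.2 PROTO=TCP SPT=2200 DPT=135
Jun  3 01:15:02 gw kernel: REJECT IN=eth0 SRC=192.0.2.99 DST=203.0.113.2 PROTO=TCP SPT=4000 DPT=80
"""

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+)")

def scanning_sources(log_text, threshold=3):
    """Count rejected inbound TCP hits per source on the infection ports and return
    the sources that reached `threshold` hits: hosts sweeping a range of addresses on
    445/135 is what an infected machine's propagation looks like from the outside."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m.group("dport")) in INFECTION_PORTS:
            hits[m.group("src")] += 1
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed `netstat -an`-style listing for a Windows host; not real output.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1042       198.51.100.7:445       ESTABLISHED
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.M)

def suspicious_listeners(netstat_text):
    """Return, sorted, the advisory's Korgo listener ports that are open on this host.
    A hit is a reason to run the removal tool, not proof on its own (113 is also identd)."""
    open_ports = {int(p) for p in NETSTAT_RE.findall(netstat_text)}
    return sorted(open_ports & KORGO_LISTEN_PORTS)
```

On the sample data the scanner flags 198.51.100.7 (three hits on 445) and the host check reports 113 and 3067 open.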