Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows Users Fear Korgo Virus

Posted by michael on from the run-in-circles-scream-and-shout dept.

An anonymous reader writes "A new virus is on the prowl that can infect your Windows XP/2K system and record every key you hit on your keyboard. The keys are then sent back to the virus creator where he/she can steal your passwords and credit card information. The virus named, Korgo, started showing up in the last week of May but it now has at least six different variants. To protect yourself from this nasty virus, Microsoft is urging all users to download the KB835732 Security Update. As with the Sasser worm, you'll get the Korgo virus without even knowing it. It does not arrive by email, but simply by being connected to a network or to the Internet without having a patched machine or a properly configured firewall."

9 of 533 comments (clear)

  1. Details: by ack154 · · Score: 5, Informative
    According to Symantec, the F variant of this seems to be the worst, or most prominent. Currently a level 3, here's the SARC page for it: Korgo.F. There is a removal tool available as well.

    Main details from top of SARC page:
    W32.Korgo.F is a minor variant of W32.Korgo.E. It is a worm that attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) on TCP port 445. It also listens on TCP ports 113, 3067, and other random ports.
    Happy cleaning.
    1. Re:Details: by EndlessNameless · · Score: 5, Informative

      It listens on those ports. It only infects through 445. Block incoming on that port (which 99.9% of home users can do without problems), and you're safe. For those who actually need that port for https... well, consider linux. :) Although, MS does have a workaround for it.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    2. Re:Details: by JamesTRexx · · Score: 5, Informative

      https is on 443, so no problem there...

      --
      home
  2. Hmmm.... by Mz6 · · Score: 5, Informative
    For some reason the poster left out the following, critical, piece of information (oh.. and for those that don't RTFA). This virus uses the exact same flaw as the Sasser virus -- LSASS Buffer Overrun Vulnerability. What's weird is that the infections are still climbing meaning that after almost 2 months (patch released on April 13) and a HUGE rash of infections from Sasser, there are some folks that have still refused to apply the Microsoft patch. As much as I hate to say it, IMHO, they almost deserve it...

    For those that have just come out from their rock, here is a removal tool for this latest worm

    And IIRC, shouldn't any good (read: non-XP) firewall automatically be blocking these ports (or atleast 445) right out-of-the-box?

    --
    Hmmm.
    1. Re:Hmmm.... by eln · · Score: 5, Informative

      You can run windows update and get security patches and any other updates available through that medium on a pirated copy without any trouble at all.

      Or, you know, so I've heard.

  3. Advisory by michaelhood · · Score: 5, Informative

    Symantec's Advisory. Listens on TCP ports 113, 2041, and 3067. 113 is identd, 2041 is interbase, 3067 seems invented. Firewall as appropriate.

  4. Re:Details: , Issued: April 13, 2004 by Steve_Jobs_HNIC · · Score: 5, Informative

    Microsoft Security Bulletin MS04-011
    Security Update for Microsoft Windows (835732)

    Issued: April 13, 2004
    Updated: May 4, 2004
    Version: 1.3

  5. Worm vs Virus by DJ-Dodger · · Score: 5, Informative

    If you "just get it" without having to run anything, it's a worm, not a virus. It's not complicated.

  6. Not Exactly... by mexnix · · Score: 5, Informative

    F-Secure Weblog says Korgo doesn'ts install a key logger by default, but that the "cracker team" uses Korgo's backdoor to do so. So, you wont necessarily have the key logger installed if you have any of the Korgo variants. At least, none up to this point...