Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows Users Fear Korgo Virus

Posted by michael on from the run-in-circles-scream-and-shout dept.

An anonymous reader writes "A new virus is on the prowl that can infect your Windows XP/2K system and record every key you hit on your keyboard. The keys are then sent back to the virus creator where he/she can steal your passwords and credit card information. The virus named, Korgo, started showing up in the last week of May but it now has at least six different variants. To protect yourself from this nasty virus, Microsoft is urging all users to download the KB835732 Security Update. As with the Sasser worm, you'll get the Korgo virus without even knowing it. It does not arrive by email, but simply by being connected to a network or to the Internet without having a patched machine or a properly configured firewall."

25 of 533 comments (clear)

  1. Details: by ack154 · · Score: 5, Informative
    According to Symantec, the F variant of this seems to be the worst, or most prominent. Currently a level 3, here's the SARC page for it: Korgo.F. There is a removal tool available as well.

    Main details from top of SARC page:
    W32.Korgo.F is a minor variant of W32.Korgo.E. It is a worm that attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) on TCP port 445. It also listens on TCP ports 113, 3067, and other random ports.
    Happy cleaning.
    1. Re:Details: by RetroGeek · · Score: 5, Funny

      yes it would work if you can predict those other random ports

      Just use a random number generator.

      Oh wait.....

      --

      - - - - - - - - - - -
      I am a programmer. I am paid to produce syntax not grammar. Deal with it.
    2. Re:Details: by It'sYerMam · · Score: 5, Insightful
      445: microsoft-ds
      113: auth
      3067: unknown

      The first two, at least, are service ports (Why else would something exploit them) So the question is really, "why are they open by default?"

      I expect this will be fixed in XP SP2.

      The next time I boot into windows, I reckon I'm gonna be destroyed... I haven't updated in ages, so anything that zonealarm misses is heading straight for me.

      --
      im in ur .sig, writin ur memes.
    3. Re:Details: by EndlessNameless · · Score: 5, Informative

      It listens on those ports. It only infects through 445. Block incoming on that port (which 99.9% of home users can do without problems), and you're safe. For those who actually need that port for https... well, consider linux. :) Although, MS does have a workaround for it.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    4. Re:Details: by JamesTRexx · · Score: 5, Informative

      https is on 443, so no problem there...

      --
      home
    5. Re:Details: by SatanicPuppy · · Score: 5, Interesting

      It comes with a firewall, but it's like that thing with Outlook where you can tell it "Don't let me download anything that might harm my computer" a handy function that protects you from ever downloading anything, or opening any attachment.

      When you turn the firewall on, it blocks a ton of ports, which may or may not include ports it should block (telnet). Needless to say there isn't any way to configure which ports. It's all or nothing.

      I've got it on, but god knows if its doing any good, as its behind 2 better firewalls.

      Hmmm. Lol. Okay, I just portscanned myself, and despite my setting it to dump ALL non established incoming tcp/ip, it doesn't block a bunch of ports (below), including IIS and 445, though it does block SSH and telnet (then again, those services might not be available for my version of windows, so who the hell knows?)

      In conclusion, it sucks, and it won't protect you from this virus.

      7/tcp open echo
      9/tcp open discard
      13/tcp open daytime
      17/tcp open qotd
      19/tcp open chargen
      135/tcp open msrpc
      139/tcp open netbios-ssn
      445/tcp open microsoft-ds
      1025/tcp open NFS-or-IIS
      1026/tcp open LSA-or-nterm
      1027/tcp open IIS
      5000/tcp open UPnP

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  2. KB835732 by thebra · · Score: 5, Interesting

    The company that I work at pushed the KB835732 patch out to a few thousand machines. It caused some incompatability issue that cause Windows to blue screen with the error "Winsrv.dll missing or corrupt", its been a blast removing the patch through recovery console, especially walking remote users through it.

  3. Hmmm.... by Mz6 · · Score: 5, Informative
    For some reason the poster left out the following, critical, piece of information (oh.. and for those that don't RTFA). This virus uses the exact same flaw as the Sasser virus -- LSASS Buffer Overrun Vulnerability. What's weird is that the infections are still climbing meaning that after almost 2 months (patch released on April 13) and a HUGE rash of infections from Sasser, there are some folks that have still refused to apply the Microsoft patch. As much as I hate to say it, IMHO, they almost deserve it...

    For those that have just come out from their rock, here is a removal tool for this latest worm

    And IIRC, shouldn't any good (read: non-XP) firewall automatically be blocking these ports (or atleast 445) right out-of-the-box?

    --
    Hmmm.
    1. Re:Hmmm.... by eln · · Score: 5, Informative

      You can run windows update and get security patches and any other updates available through that medium on a pirated copy without any trouble at all.

      Or, you know, so I've heard.

    2. Re:Hmmm.... by bigrat · · Score: 5, Insightful
      I work at the tech bench at Best Buy part-time.


      Despite the default config of 2k/XP to inform you that updates are available, we've been fixing hundreds of machines infected with Sasser, and even Blaster. Users simply ignore the update warning, or outright refuse to run it. One user mentioned "Why would I need to run that?"


      Even Microsoft can't prevent ignorance.

  4. Advisory by michaelhood · · Score: 5, Informative

    Symantec's Advisory. Listens on TCP ports 113, 2041, and 3067. 113 is identd, 2041 is interbase, 3067 seems invented. Firewall as appropriate.

  5. Re:Details: , Issued: April 13, 2004 by Steve_Jobs_HNIC · · Score: 5, Informative

    Microsoft Security Bulletin MS04-011
    Security Update for Microsoft Windows (835732)

    Issued: April 13, 2004
    Updated: May 4, 2004
    Version: 1.3

  6. Worm vs Virus by DJ-Dodger · · Score: 5, Informative

    If you "just get it" without having to run anything, it's a worm, not a virus. It's not complicated.

  7. Re:Morbo? by bennomatic · · Score: 5, Funny

    Don't blame me, I voted for Kodos!

    --
    The CB App. What's your 20?
  8. Not surprising. by AbyssLeaper · · Score: 5, Insightful

    Let's not forget that most users (which wouldn't be reading /.) don't have any idea about this stuff. This confuse virus scanners with firewall, and think patching is something you do with clothes. So no, they don't really deserve it.

    Like it or not, they want their PC to work like their television. As much as you or I don't like it, they are the people that are keeping Windows suppport folks employed.

    I can't say how many times I've helped with someone's machine, and they've had multiple virus infections, spyware and general crap on their machine because they don't know any better. It's a fact of life that Microsoft is going to have to own up to if they want to stay on top. They raised the beast, now they need to teach it the rules.

    --
    It's 11PM, do you know where your pants are?
    1. Re:Not surprising. by tdemark · · Score: 5, Insightful
      If say Linux/OSX was the #1 Joe Consumer OS then it would have virus like this.

      Ummm.... no.

      The output of 'netstat' on a default Mac OS X box:
      tcp4 0 0 127.0.0.1.631 *.* LISTEN
      tcp4 0 0 127.0.0.1.1033 *.* LISTEN
      G'head. Try to remote exploit.

      - Tony
  9. Re:Darwinism by GoofyBoy · · Score: 5, Funny

    >Are people really this daft?

    Yes. Welcome to reality, enjoy your stay.

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  10. Hey! How come the Microsoft Site by Anonymous Coward · · Score: 5, Funny

    is not slashdotted? They are running Windows Server 2003 with IIS and everyone here knows that is bad...

  11. Not Exactly... by mexnix · · Score: 5, Informative

    F-Secure Weblog says Korgo doesn'ts install a key logger by default, but that the "cracker team" uses Korgo's backdoor to do so. So, you wont necessarily have the key logger installed if you have any of the Korgo variants. At least, none up to this point...

  12. Easy fix by staticdaze · · Score: 5, Funny

    Just cache all your passwords and credit card info in your browser's form remembering thing.

  13. Remember Passwords by picklepuss · · Score: 5, Funny

    Thank God I trust Internet Explorer enough to remember my bank password for me... now I don't have to worry about viruses that log my keystrokes!

  14. So you do all routine maintenance right? by Scott+Richter · · Score: 5, Insightful
    I wish that, just once, a lot of people will get ripped off. The credit card companies will cover any losses (they have to by law), and people will actually realise that yes, keeping up to date with patches is a good idea.

    It's easy for us to say that, we're computer users who (presumably) know what we're doing. But if one is to condemn non-patchers in that way - I assume you also change your oil every 3000 miles, go to the dentist every 6 months, floss daily, get an annual physical, clean the lint filter in your dryer after every load, eat 6 daily servings of vegetables, rotate your tires every 20,000 miles, have all your car's factory recalls done, change the air filters in your heater monthly, and perform all the other mindless routine maintenance you're supposed to do.

    The bottom line is, no one on earth outside the most anal retentive person alive does all that stuff. Not doing any of them could have consequences, but people simply don't have time to do all this shit.

    So yes, I do blame microsoft. One shouldn't have to constantly check symantec's web page just to keep your computer usable. Computers are appliances now. They should just work, dammit.

  15. The part of the story Slashdot didn't report by Overly+Critical+Guy · · Score: 5, Insightful

    What a surprise it wasn't mentioned that this was patched months ago, right?

    This vulnerability is the LSASS Buffer Overrun Vulnerability, already patched way back on April 13. Slashdot probably had at least two or three articles on it back then as well if you wanna do a search for "sasser."

    If you haven't patched after two months, you're just the same as all those people who got hit with Blaster, which was also already patched beforehand. Linux distros issue security patches for their vulnerabilities weekly and nobody complains, but when Microsoft releases a patch, suddenly it's this huge issue to run a tiny executable that plugs security flaws, and then people bitch at Windows two months later when a virus comes out to exploit it...

    Just saying. How can one criticize their security if they won't apply their security patches? Almost all major software is gonna require a patch eventually. I don't get this steadfast need to avoid patching Windows boxes while freely recompiling Linux kernels on a whim for production servers when a minor point release comes out.

    --
    "Sufferin' succotash."
    1. Re:The part of the story Slashdot didn't report by foidulus · · Score: 5, Insightful

      Certain places can't just go and blindly patch. If you are running anything critical, you have to throroughly test the patch befor you apply it. If the patch brings down your application/business, then it might not be much worse than a virus. I don't know about Linux, but Microsoft has released some bad patches in the past(that would slow certain functions down to a crawl).
      For someone sitting at their pc, the risk of a patch is low, but some people cannot afford to risk their systems on haphazard patching.

  16. "Windows Users Fear Korgo Virus" by bfg9000 · · Score: 5, Funny

    "Windows Users Fear Korgo Virus" screams the headline, reading not so much like news as just another WindowsXP sales pitch. Yes, it's true -- Windows users DO fear the Korgo virus, while the insignificant and ostracized Mac and Linux users of the world are left, yet again, fearing only the sheer and utter BOREDOM of not having any viruses or trojans to fix due to their curious choice of OS. In the area of viruses, trojans, and worms, Linux and the Mac really do stand out as being "second class citizens", trapped in a virus-free ghetto with no salvation in sight. The discrepancy is so obvious, the ultra-competitive Microsoft doesn't even feel the need to buy themselves an Official Gartner Group Research Study to prove that Windows is light-years ahead in this area. Even the most staunch Linux or Mac advocate is forced to admit it -- off the record, of course. Virus writers, known to be excellent coders who take pride in their tight, bugfree code, have overwhelmingly standardized on Microsoft Windows as their targeted system of choice in the deployment of their ongoing suite of virus applications.

    And it doesn't look like the situation is going to get better any time soon.

    One bearded Linux coder, who refused to be identified publicly, confessed "we just don't have the selection -- or quality -- of viruses on our platform that is available to Windows users free of charge. And it's tearing us up inside knowing that the battle is over, and Microsoft has clearly won." Similarly, a guy with an Apple logo shaved into the back of his head admitted the following once we turned off the cameras. "I don't mean to break ranks and insult our software selection," he whispered furtively, "but usually if we DO manage to get a virus that will even install on OS X, it's not that great, and we're left... disappointed, realizing that if we had simply stuck with the unwashed smelly masses, we too could be enjoying a daily barrage of free software delighting us by installing itself on our computers as a surprise gift. Instead, I'm stuck with the weak consolation prize of 40 Academy Awards for my work on Lord Of The Rings. But it's not the same. No amount of awards or million dollar paycheques can heal the feelings of neglect or massive abandonment issues this whole thing has given me."

    "Is this the reason so many people choose Windows?", his innocent young son, Moof, asked me, looking like the kid off the Dave software box.

    "What do you think, little one? Look at the Windows dominance in the virus field, then look at the marketshare of Windows. That ain't no coincidence, Moof. The other guys just can't keep up with the Microsoft Juggernaut. Microsoft is fighting hard to keep themselves Number One, just like the Titanic was the biggest and bestest ship, or the Hindenberg was the coolest and most flammable Zeppelin, or the dinosaurs were the toughest animals ever. How do you compete with that?"

    =============

    Yes, sitting here at my desk 16 hours later, WindowsXP Restore Disks in hand, I can't help but let a little smile shine across my face. Those poor fools, I think, using a non-Microsoft OS really does take away most of the joy of computing and replaces it with all that productivity and recreation crap. And where's the challenge in that?

    Please insert Microsoft Windows XP Restore Disk 2

    Ahhh, I sigh contentedly. It's gonna be a long night.

    --

    I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."