Win32.Worm.Korgo.P

( WORM_KORGO.P (Trend), W32/Korgo.P.worm (Panda) )

SYMPTOMS:

Presence of [rand].exe in %system% (e.g. C:\Windows\System32) folder and in processes list and presence in start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" of the string "Windows Update" pointing to the above mentioned executable.

[rand] may be any combination of 5 to 12 random characters in lowercase.

TECHNICAL DESCRIPTION:

The worm spreads by exploiting the Microsoft Windows LSASS Buffer Overrun vulnerabilty (MS04-011).

When run it attempts to remove the file "ftpupd.exe", creates the mutex "uterm17" to avoid a duplicate process running simultaneously and if no error has occured it adjusts its token's privileges.

After that it tries to remove the following strings from the start-up key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run":
Windows Security Manager
Disk Defragmenter
System Restore Service
Bot Loader
SysTray
WinUpdate
Windows Update Service
avserve.exe
avserve2.exeUpdate Service
MS Config v13

At this time it also tries to kill the processes containing the processes having in their names one of the strings pointed to by the above mentioned names.

Next "HKLM\Software\Microsoft\Wireless" is checked for the presence of "ID" string; if it doesn't exist it is initialized with a string of 10 to 20 random characters.

Then it checks for "Windows Update" string in "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" key and if doesn't exist it creates that string pointing to a random generated file name from 5 to 12 characters [rand].exe and copies the worm to "%system%\[rand].exe". In this case it also sets a new string "Client" in "HKLM\Software\Microsoft\Wireless" with the value "1" and finally executes that copy of the worm and exits the current instance.

When run after it has self-installed or on "normal" start-up the worm tries to inject a thread into the first "Shell_TrayWnd" window class it finds and if it manages so it quits. Otherwise it does the following same things, as the injected thread does, from the main process:
- sets the following events: u10x, u11x, u12x, u13x, u14x, u15x and u16x
- creates the following mutexes: u8, u9, u10, u11, u12, u13, u13i, u14, u15, u16 and u17
- creates three threads used for spreading and checking for updates
- chosses a random port between 257 and 8191 excluding all multiples of 256 on which it creates a pseudo HTTP server managed by a new thread
- using the HTTP server the successful exploit fetches and executes a copy of the worm
- the delay between two update checks is randomly chosen from 400.2 to 700.2 seconds
- the update thread searches randomly the following sites for updates:
mazafaka.ru
xware.cjb.net
citi-bank.ru
konfiskat.org
adult-empire.com
parex-bank.ru
kidos-bank.ru
crutop.nu
kavkaz.tv
color-bank.ru
master-x.com
asechka.ru
fethard.biz
roboxchange.com
filesearch.ru
www.redline.ru
cvv.ru

Removal instructions:

Manual removal:
* open Task Manager by pressing [CTR]+[ALT]+[DEL] or [CTRL]+[SHIFT]+[ESCAPE] for Win2000/XP
* use End Process in Processes tab on [rand].exe
* open Registry Editor typing [WIN]+[R]regedit[ENTER]
* remove the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update registry key
* delete %system%\[rand].exe
* restart the system

Automatic removal: let BitDefender disinfect infected files

ANALYZED BY:

Mircea Ciubotariu BitDefender Virus Researcher