The Korgo L and P variants are highlighted today for unpatched MS04-011 workstations or servers. The author continues to improve the worm capabilities with each release.
KORGO.L http://secunia.com/virus_information/10136/korgo.l/ http://www.sarc.com/avcenter/venc/data/w32.korgo.l.html http://www.trendmicro.com/vinfo/virusencyc...me=WORM_KORGO.L
W32.Korgo.L is a variant of W32.Korgo.I. This worm attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) on TCP port 445. It also listens on TCP ports 113, 3067, and other random ports (256-8191).
KORGO.P http://secunia.com/virus_information/10138/korgo.p/ http://vil.nai.com/vil/content/v_126341.htm http://www.f-secure.com/v-descs/korgo_p.shtml
This worm exploits vulnerable Microsoft Windows systems. The worm scans IP addresses in the class A or class B subnets as well as random IP addresses, sending SYN packets on TCP port 445 to identify potential victims. Exploit code is then sent to the host to overflow a buffer in LSASS.EXE and excute the virus on the victim system.
This Korgo (aka Padobot) variant was found on June 17th, 2004. It is a bit modified comparing to previous Korgo variants. Korgo.P worm spreads throughout the Internet using a vulnerability in Microsoft Windows LSASS. A description of the vulnerability can be found in Microsoft Security Bulletin MS04-011: http://www.microsoft.com/technet/security/...n/MS04-011.mspx