
F-Secure Virus Descriptions : Korgo


THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.


NAME: Korgo
ALIAS: Padobot

Summary

Korgo (aka Padobot) is a network worm written by the Russian Hangup Team virus group. It spreads across the Internet by exploiting a vulnerability in Microsoft Windows LSASS. The vulnerability is described in Microsoft Security Bulletin MS04-011:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Descriptions of individual Korgo variants can be found here:

Korgo.A: http://www.f-secure.com/v-descs/korgo_a.shtml
Korgo.E: http://www.f-secure.com/v-descs/korgo_e.shtml
Korgo.F: http://www.f-secure.com/v-descs/korgo_f.shtml
Korgo.G: http://www.f-secure.com/v-descs/korgo_g.shtml
Korgo.H: http://www.f-secure.com/v-descs/korgo_h.shtml
Korgo.P: http://www.f-secure.com/v-descs/korgo_p.shtml
Korgo.Q: http://www.f-secure.com/v-descs/korgo_q.shtml
Korgo.T: http://www.f-secure.com/v-descs/korgo_t.shtml
Korgo.U: http://www.f-secure.com/v-descs/korgo_u.shtml

Detection

Detection of Korgo.A was published on May 24th, 2004 in the following update:

Version=2004-05-24_02

Detection of Korgo.B was published on May 21st, 2004 in the following update:

Version=2004-05-21_02

Detection of Korgo.C as well as generic detection was published on May 26th, 2004 in the following update:

Version=2004-05-26_02

Detection of Korgo.G was published on June 2nd, 2004 in the following update:

Version=2004-06-02_03

Information about detection of other Korgo variants can be obtained from the descriptions created for these particular variants.



Write-up: F-Secure Corporation, May-June 2004

Description Updated: Alexey Podrezov, June 24th, 2004