NEWS FROM THE LAB - Thursday, June 3, 2004

The full picture on Korgo, Padobot and Padodor Posted by Mikko @ 17:48 GMT

Ok, the situation with Korgo is a bit confusing, let me try to explain what's going on.

- Most variants of Korgo are spreading worldwide. The numbers are not big when compared to outbreaks like Sasser, but it's definitely out there.

- Korgo does include a backdoor.

- But Korgo does not include a keylogger, nor any code to steal banking information.

- It seems that the Hangup Team (the virus group behind the worm) is actively installing a backdoor with password-stealing capabilities, known as Padodor, on the infected computers. This is done via the backdoor left by Korgo.

- Padodor collects anything typed into any web form, and specifically logs bank logins for customers of some international banks.

This gets pretty confusing, as "Padobot" (not Padodor) is one of the aliases of the Korgo worm itself.

So, not all machines infected by Korgo have the Padodor backdoor, and the Padodor backdoor can be found on machines which are not infected by Korgo. But both are written by the same virus group.