Korgo Worms onto the Net

A virus that was first seen on May 22nd has been worming its way across the Internet, stealing personal information in the process. Dubbed “Korgo,” the worm exploits the same vulnerabilities and spreads in the same way as the Sasser worm that caused havoc last month.

Although the virus is not yet widespread, security companies like Symantec and F-Secure have issued warnings because of Korgo’s effectiveness at obtaining personal financial information.

On Friday, Symantec upgraded the threat level due to an increase in submissions.

How the Worm Turns

Officially known as W32.Korgo, the worm can propagate by exploiting a Microsoft Windows vulnerability first announced in mid-April, the Microsoft LSASS buffer overrun vulnerability. The threat affects users of Windows 2000 and Windows XP.

Korgo spreads via the Web, which means that it does not need to be launched by a user, as e-mail viruses do.

Security firm F-Secure has noted that the worm is written by the Russian Hangup Team virus group. There are a number of variants, and the virus is currently up to Korgo.E.

Korgo is one of a number of viruses that have appeared since Microsoft’s announcement of the vulnerability. Antivirus firm Sophos has reported that it detected 959 new viruses during May. The company also estimates that there are approximately 90,000 viruses in circulation.

The reason for such a high number of living viruses is that very few ever get exterminated, F-Secure system engineer Tony Magallamez told the E-Commerce Times. “With any infection on the Internet, you see [their] decline,” he said, “but they don’t die.”

Getting It Right

Although there were some reports that the virus contained a key-logger that could capture a user’s keystrokes, that information has turned out to be incorrect, said Graham Cluley, Sophos senior technology consultant, in an interview with the E-Commerce Times.

He noted that the virus opens up a backdoor through which a hacker could enter and install a key-logger program undetected; however, Korgo itself does not contain such an application.

Another misleading report that has cropped up is that Korgo is designed specifically to target credit card numbers and passwords, and was created for that purpose.

Magallamez said that the worm is not quite that unique. Like others of its kind, it can harvest any information that is on an infected PC. It also has the ability to connect to an outside server and follow commands from that machine.

“It’s not really a groundbreaking virus,” said Magallamez. “It’s just trying to take advantage of machines that haven’t been patched yet.”

F-Secure has warned that if Korgo gets onto an unpatched machine, it can be effective at getting personal data like passwords and credit card numbers. But Magallamez noted that the level for worry is low. “It hasn’t even reached our second level of alert,” he said.

Wake Up Call

Because Korgo exploits the same vulnerability that Sasser did, it only affects those computer users and businesses that did not install a security patch during the Sasser threat.

For this reason, only a small number of users should be affected. “You’ll get it if you slept through Sasser,” Cluley said. “And of all the worms to sleep through, it’s likely not many people missed that one, given all the attention it received.”

Cluley added that it is more likely that home users will be more affected than businesses, since they are not as diligent about installing security patches. But even most home users should have taken some action, given the amount of viruses that have appeared since the Sasser worm.

“My advice for anyone worried about the Korgo worm is to apply the patch, for goodness sake,” said Cluley. “How many more alarm calls do you need?”