Korgo Clarified

June 4, 2004

More on Korgo; I wish I could say it was the last. But the good news is that it does not seem to be the all-in-one ‘phishing worm’ F-Secure said it was.

F-Secure has clarified the situation over the Internet worm Korgo, which seems to answer some of the questions in my earlier posting. Korgo does not include a keylogger, nor any code to steal banking info. But, F-Secure says, “it seems that the Hangup Team (virus group behind the worm) is actively installing a keylogging trojan known as Padodor to the infected computers.” This is done via a backdoor left by Korgo.

Padodor collects anything typed into any web form, and specifically logs bank logins for users of some international banks. Padodor is not the same as Padobot, which is one of the aliases of Korgo. Bottom line, according to F-Secure: “Not all machines infected by Korgo have Padobot, and Padobot can be found on machines which are not infected by Korgo.” (In fact, I may be wrong but I think F-Secure mean Padodor here: “Not all machines infected by Korgo have Padodor, and Padodor can be found on machines which are not infected by Korgo.” No?)

The point here is that a worm does the distribution work, infecting computers. Then there’s the bot, or trojan, that is the payload. This is the bit that does the money-generating work. That can either be loaded onto computers as part of the original worm, or else it can be loaded later via the backdoor the original worm leaves behind. So here F-Secure had mistakenly assumed the keylogging bit was part of Korgo, which it wasn’t.