Korgo Spreads Its Wings

By | June 3, 2004

Seems like the big anti-virus boys are waking up to Korgo, the ‘phishing worm’ that F-Secure was warning about a few days ago.

Symantec have just issued an advisory upgrading W32.Korgo.F, a new variant of the worm, from a Level 2 to a Level 3 threat. As Symantec says, W32.Korgo.F is a worm that attempts to propagate by exploiting a Microsoft Windows vulnerability publicly announced on April 13, 2004: the LSASS Buffer Overrun Vulnerability, patched in Microsoft bulletin MS04-011. This vulnerability allows an attacker, in the words of Symantec, “to execute malicious code on a vulnerable system, resulting in full system compromise.”

But what I don’t understand is that Symantec don’t indicate the real threat behind this worm: That it steals passwords. And no mention of the keylogging properties of Korgo (sometimes called Padobot or Lsabot) on Sophos or McAfee (which has found a seventh variant, but measures all the threats as low). Even a more detailed explanation on Virusdesk doesn’t refer to the keylogging capability. Why is that?

F-Secure point out that “this latest worm makes it possible to gain access to secure passwords and other valuable information, such as credit card numbers. Banking information is especially vulnerable as this is essentially a keylogging virus.” I can’t see Symantec mentioning this key bit of information, which, as UK-based Netcraft points out, “represents an alarming advance in phishing, as it forgoes the need to trick the end user into divulging details.”

End users: Symantec recommends that users update their antivirus definitions and configure their firewalls to block TCP ports 113 and 3067. Bear in mind that those two ports are the ones the worm itself opens as a backdoor on an infected machine; blocking them cuts off remote access to the backdoor but does nothing about the way the worm gets in, which is the LSASS flaw reached over the machine’s ordinary Windows networking ports. Applying Microsoft’s April patch (MS04-011) is what actually closes that door, and a host that already has something listening on 113 or 3067 should be treated as compromised, not merely firewalled.
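As an added example (not from the original post, Symantec or F-Secure), here is a small triage script that runs over firewall log lines and flags hosts that are either being contacted on Korgo’s backdoor ports (113 and 3067) or reaching out to them on other machines. The log format assumed is a W3C-style one with `date time action protocol src-ip dst-ip src-port dst-port` fields; the sample lines are constructed, not real captures, and `find_korgo_suspects` is my name, not a function from any product.

```python
"""Flag hosts whose firewall log traffic touches Korgo's backdoor ports.

Added example, not code from the original post. Assumes W3C-style log lines:
    date time action protocol src-ip dst-ip src-port dst-port
Lines starting with '#' are header lines and are skipped.
"""
from collections import defaultdict

# Ports Symantec recommends blocking for W32.Korgo.F (from the post).
KORGO_BACKDOOR_PORTS = {113, 3067}

# Firewall actions that mean the connection was let through.
ALLOWED_ACTIONS = {"OPEN", "ALLOW"}

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2004-06-03 09:14:02 OPEN TCP 10.0.0.7 10.0.0.12 1044 3067
2004-06-03 09:14:05 OPEN TCP 10.0.0.7 10.0.0.12 1045 113
2004-06-03 09:14:09 OPEN TCP 10.0.0.3 192.168.1.20 1200 80
2004-06-03 09:15:30 DROP TCP 172.16.4.9 10.0.0.12 2233 3067
2004-06-03 09:16:01 OPEN TCP 10.0.0.12 10.0.0.50 1301 3067
2004-06-03 09:16:07 OPEN UDP 10.0.0.12 10.0.0.50 1302 3067
"""


def parse_log(text):
    """Yield (action, proto, src, dst, sport, dport) for each data line.

    Header/comment lines and malformed lines are skipped rather than raising,
    since real firewall logs routinely contain both.
    """
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        _date, _time, action, proto, src, dst, sport, dport = fields[:8]
        try:
            yield action, proto, src, dst, int(sport), int(dport)
        except ValueError:
            continue


def find_korgo_suspects(text):
    """Return {host: {"listener": [ports], "client": [ports]}}.

    "listener": the host was the destination of an allowed TCP connection to
                113/3067, so something on it may be running Korgo's backdoor.
    "client":   the host initiated such a connection to another machine, so
                it is either another infected host or whoever is using the
                backdoor.
    Dropped connections are ignored: the firewall already did its job there.
    """
    suspects = defaultdict(lambda: {"listener": set(), "client": set()})
    for action, proto, src, dst, _sport, dport in parse_log(text):
        if proto != "TCP" or dport not in KORGO_BACKDOOR_PORTS:
            continue
        if action not in ALLOWED_ACTIONS:
            continue
        suspects[dst]["listener"].add(dport)
        suspects[src]["client"].add(dport)
    # Sort the port sets so the output is stable and easy to compare.
    return {
        host: {role: sorted(ports) for role, ports in roles.items()}
        for host, roles in suspects.items()
    }


if __name__ == "__main__":
    for host, roles in sorted(find_korgo_suspects(SAMPLE_LOG).items()):
        print(host, roles)
```

In the constructed sample, 10.0.0.12 is both contacted on 113 and 3067 and then reaches out to 10.0.0.50 on 3067, which is exactly the pattern you would expect from an infected box with its backdoor in use; the dropped probe from 172.16.4.9 and the web connection on port 80 are left out. Any host that shows up under “listener” is one to pull off the network and rebuild rather than just patch, given the keylogging behaviour described above.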