
Korgo Worm Targets LSASS Flaw

Written By Ryan Naraine
May 26, 2004

Anti-virus firms have detected yet another worm exploiting the Local Security Authority Subsystem Service (LSASS) vulnerability that was patched by Microsoft in its April batch of security updates.

The appearance of the W32.Korgo.B worm (also known as Padobot) spreading through the LSASS flaw is a clear indication that PC users have not yet applied the MS04-011 security fix issued by Microsoft on April 13.

According to research firm F-Secure, the network worm is capable of opening TCP ports 113, 3067 and 2041 to receive commands from the virus writers.

“The worm chooses the IP addresses of random machines to infect and attack, similar to other worms which exploit the same LSASS vulnerability,” the company said in an advisory.

The worm attempts to connect to several IRC servers to receive commands and transmit data.

Symantec also issued a separate advisory with a warning that the Korgo worm could open a back door through which an attacker could obtain remote access without authorization.

The appearance of Korgo follows a string of low-impact exploits targeting the LSASS hole. In May, the Sasser worm (W32.Sasser.A) and several variants caused some disruption on corporate networks before Microsoft issued a removal tool to slow the spread of the worm.

The software giant is also working on a plan to include worm removal tools in a new feature called Microsoft Update that’s on schedule for release by this year’s end. With the proliferation of destructive worms like Blaster, NetSky and Sasser escalating daily to pose an ever-greater threat to home users, Microsoft plans to release the new Microsoft Update as part of the larger Windows Update patch management platform.

Depending on the threat level of malicious worms, the software giant will automate the worm removal process. This goes beyond Microsoft’s latest moves to create disinfection tools to deal with major virus outbreaks.
