Weekly Report on Viruses and Intrusions – Six Korgo variants, Downloader.JH and IPScanner.A

Like its predecessors, the six Korgo variants -T, S, R, Q, P, O and N- that we refer to in this report take advantage of the Windows LSASS vulnerability to spread automatically to computers via the Internet. Even though these malicious codes affect all Windows platforms, they can only spread automatically to Windows XP/2000 computers.

Korgo variants S, R, Q, P and O connect to several websites in an attempt to download files from them. They also send information on the country in which the affected computer is to those websites. Korgo.T opens port 3067 and listens on it, waiting for a file in order to run it on the affected computer. It also tries to connect to several IRC servers in order to allow remote control commands to be run.

In order to go unnoticed by users and unlike other malicious code that exploit the LSASS vulnerability to affect computers, these Korgo variants do not display an error message with a countdown clock or restart the affected computer.

The Trojan in today’s report is Downloader.JH, which obtains information from the affected computer and downloads a dialer onto it (detected by Panda Software as Dialer.DA). It also creates the following files on the target computer: D1K.EXE, OLE32WS.DLL and CAX.CAB.

Downloader.JH is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer. The Trojan does not spread automatically using its own means. It needs the attacker’s intervention to reach affected computers through various means of transmission (floppy disks, CD-ROMs, e-mail messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer -P2P- file sharing networks, etc.).

We are going to finish this week’s report with IPScanner.A, a tool designed to monitor computers within Microsoft networks. IPScanner.A does not show any messages or warnings that reveal its presence on the affected computer.