Back to all announcements

Finjan Software Proactively Protects Against Original Korgo Worm, Both Existing and Future Variants

14 June 2004: Multiple variants of the recent Korgo worm have begun appearing on systems around the world. Finjan Software has assigned this worm and its variants as having a ‘medium’ level of threat.

The Korgo worm and all its variants exploit the vulnerability identified in Microsoft Security Bulletin MS04-011 on April 13, 2004. The worm targets the Microsoft Local Security Authority Subsystem Service (LSASS), which provides an interface for managing local security, domain authentication and active directory processes.

The worm spreads by scanning randomly selected IP addresses for vulnerable systems (through port 445) and on locating a vulnerable unpatched system. It then copies itself to the WINDOWS SYSTEM directory under a random name and adds a value to the registry run key, which allows the worm to propagate upon start-up of the computer.

The LSASS.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will then display an alert and shut down the system.

The worm links to a remote access server that allows the attacker to control the infected system. The worm listens on TCP ports 113, 3067 and a random port and attempts to connect to a list of pre-defined IRC servers, to receive commands and transmit data to the attacker.

System Protection
Owners of Finjan Software desktop solutions, SurfinShield Corporate and SurfinGuard Pro are proactively protected against the worm in real-time, without the need to download signature-file updates.

Using a behaviour-based technique known as "sandboxing," these products protect computer users from mobile malicious code received through the Internet, e-mail, peer-to-peer (P2P) applications, instant messengers and IRC communications. The technology examines mobile code, scripts, processes and various applications - including the Windows LSASS client (‘Lsass.exe’) - and blocks any malicious behaviour originating from the network.

"Finjan’s behaviour-based sandboxing technique was successful in blocking the Korgo worm from propagating during the initial hours of the outbreak, prior to the availability of signature-file updates from anti-virus vendors and will continue to protect owners of its software against future variants and similar future attacks," confirms Nick Sears, vice president, EMEA.

For more information please contact:
Alison Sambrook
+44 (0) 1344 427127
Sarah Bramley/Laura Slade
+44 (0) 1252 727313