Six New Korgo Virus Variants Spotted

Weekly report on viruses and intrusions -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, June 25 2004 - This week's report will focus on six Korgo variants,
the Downloader.JH Trojan and a hacking tool called IPScanner.A.

Like its predecessors, the six Korgo variants -T, S, R, Q, P, O and N- that
we refer to in this report take advantage of the Windows LSASS vulnerability
to spread automatically to computers via the Internet. Even though these
malicious codes affect all Windows platforms, they can only spread
automatically to Windows XP/2000 computers.

Korgo variants S, R, Q, P and O connect to several websites in an attempt to
download files from them. They also send information on the country in which
the affected computer is to those websites. Korgo.T opens port 3067 and
listens on it, waiting for a file in order to run it on the affected
computer. It also tries to connect to several IRC servers in order to allow
remote control commands to be run.

In order to go unnoticed by users and unlike other malicious code that
exploit the LSASS vulnerability to affect computers, these Korgo variants do
not display an error message with a countdown clock or restart the affected
computer.

The Trojan in today's report is Downloader.JH, which obtains information
from the affected computer and downloads a dialer onto it (detected by Panda
Software as Dialer.DA). It also creates the following files on the target
computer: D1K.EXE, OLE32WS.DLL and CAX.CAB.

Downloader.JH is difficult to recognize, as it does not display any messages
or warnings that indicate it has reached the computer. The Trojan does not
spread automatically using its own means. It needs the attacker's
intervention to reach affected computers through various means of
transmission (floppy disks, CD-ROMs, e-mail messages with attached files,
Internet downloads, FTP, IRC channels, peer-to-peer -P2P- file sharing
networks, etc.).

We are going to finish this week's report with IPScanner.A, a tool designed
to monitor computers within Microsoft networks. IPScanner.A does not show
any messages or warnings that reveal its presence on the affected computer.

For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Additional information

- Dialer: this is a program that is often used to maliciously redirect
Internet connections. When used in this way, it disconnects the legitimate
telephone connection used to hook up to the Internet and re-connects via a
premium rate number. Often, the first indication a user has of this activity
is an extremely expensive phone bill.

- Hacking tool: program that can be used by a hacker to carry out actions
that cause problems for the user of the affected computer (allowing the
hacker to control the affected computer, steal confidential information,
scan communication ports, etc.).

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.