This week's report on viruses and intrusions will deal with three worms: Plexus.B, Korgo.H and Korgo.I, and the Trojan Downloader.GK.
Plexus.B is a variant that bears a lot of similarities to the original worm and uses various means of propagation. It can enter computers directly from the Internet by exploiting the LSASS Windows vulnerability and it can send itself as attachment to an e-mail message. It is also designed to spread across networks and using the file-sharing program (P2P) KaZaA.
Even though Plexus.B can only directly enter computers running Windows XP or 2000, it can still affect other Windows platforms. In these cases however, it needs the user to execute the infected file.
Plexus.B modifies the Windows host file, overwriting its content. In this way, it prevents the user from accessing the website of a well-known antivirus company.
Korgo.H and Korgo.I are two new members of this prolific family of worms that exploit the Windows LSASS vulnerability. By using this operating system flaw, they spread across the Internet and automatically enter computers. Like Plexus.B, the two variants of Korgo also affect all Windows platforms, although they only automatically infect systems running XP and 2000.
Once they install themselves on a computer, Korgo.H and Korgo.I open several TCP ports and wait to receive a file to run on the infected computer. To this end, they also try to connect to several IRC servers.
Finally, Downloader.GK is a Trojan that downloads and runs two adware programs (Adware/BetterInet and Adware/SearchCentrix) on the infected computer. It doesn't spread on its own, but is downloaded from certain web pages when the user accepts the installation of a specific ActiveX control.
For further information about these and other computer threats, visit Panda Software's Encyclopedia.
- Port / Communication port: Point through which a computer transfers information (inbound / outbound) via TCP/IP.
- P2P (Peer to peer): A program -or network connection- used to offer services via the Internet (usually file sharing), which viruses and other types of threats can use to spread. Some examples of this type of program are KaZaA, Emule, eDonkey, etc.
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.