Information Technology Services: Alerts Archive

ALARM Group ALERT (ALARM: The Computing Alert System)
Alert Number:  062504-03
Alert Date:  06/25/04

Alert Title:  W32.Korgo.Q Vulnerability exploit spreading
Update-to:  none
OS/Platform/Application:  Microsoft Windows 2000, XP
Category:  ALERT
Severity:  HIGH
Attention:  Windows System Administrators, Desktop Support Personnel

Summary:  A new variant of the Korgo worm is reported to be spreading throughout the Internet. This worm propagates by exploiting a vulnerability in LSASS (the same vulnerability detailed in ALARM Alert 050304-01). Machines compromised by this worm may reboot themselves automatically after displaying an error with LSASS. Infected systems may also begin scanning the network for new victims, resulting in increased network traffic and poor or sluggish system performance.

Recommended Actions:  Microsoft systems that have been patched as per Security Bulletin MS04-011 should not be vulnerable to this exploit. It is recommended that you read bulletin MS04-011 and (if appropriate) apply the patches immediately. Update your anti-virus software definitions to the latest versions immediately. The latest Symantec definitions are believed to be effective at catching this infection.

ITS Actions:  At this time, ITS is blocking TCP port 445 (the port over which the Korgo worm propagates) on our router, but is otherwise taking no specific actions to counter this threat. An update will be issued if this situation changes.
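
Detection example (added here; not part of the original alert and not ITS tooling):  The scanning behaviour described in the Summary can be spotted on an internal segment by counting how many distinct hosts each source tries to reach on TCP port 445 within a short window. The record format, the 60-second window, the threshold of 20 and all sample addresses below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed flow records: '<ISO time> <src> <dst> <proto> <dport>' (assumed format)."""
    base = datetime(2004, 6, 25, 10, 0, 0)
    stamp = lambda i: (base + timedelta(seconds=i)).isoformat()
    lines = [f"{stamp(i)} 10.1.1.20 10.1.2.{i + 1} tcp 445" for i in range(30)]  # sweep
    lines += [f"{stamp(i)} 10.1.1.30 10.1.9.9 tcp 445" for i in range(40)]  # one file server
    lines += [f"{stamp(0)} 10.1.1.40 10.1.2.5 tcp 80", "truncated record"]
    return lines

def parse(line):
    """Return (time, src, dst, proto, dport), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3].lower(), int(parts[4])
    except ValueError:
        return None

def find_scanners(lines, port=445, window=timedelta(seconds=60), threshold=20):
    """Map each source to its peak count of distinct TCP/<port> destinations
    seen inside any sliding window, keeping only sources at or above threshold."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        ts, src, dst, proto, dport = rec
        if proto == "tcp" and dport == port:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # destination -> events currently inside the window
        start = peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            while ts - evs[start][0] > window:  # expire events older than the window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for host, peak in find_scanners(build_sample()).items():
        print(f"{host}: {peak} distinct TCP/445 destinations within 60 s")
```

A host that talks to a single file server over port 445 stays below the threshold however many connections it makes; only fan-out to many destinations is flagged.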

Resources:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

http://www.sarc.com/avcenter/venc/data/w32.korgo.q.html

http://vil.nai.com/vil/content/v_126343.htm

Removal Tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.removal.tool.html

NOTE:  PLEASE DO NOT REPLY TO THIS ALERT.  Alerts distributed by ALARM are not intended to supplant whatever security measures you are currently following. Technology coordinators, as well as the entire UAlbany computing community, should continue to take all necessary precautions against threats to system security and information integrity.

