Weekly report on viruses and intrusions – Plexus.B, Korgo.H and Korgo.I, and the Trojan Downloader.GK
This week’s report on viruses and intrusions will deal with three worms: Plexus.B, Korgo.H and Korgo.I, and the Trojan Downloader.GK.
Plexus.B is a variant that bears a lot of similarities to the original worm and uses several means of propagation. It can enter computers directly from the Internet by exploiting the Windows LSASS vulnerability, and it can send itself as an attachment to an e-mail message. It is also designed to spread across networks and through the peer-to-peer (P2P) file-sharing program KaZaA.
Even though Plexus.B can only directly enter computers running Windows XP or 2000, it can still affect other Windows platforms. In these cases, however, it needs the user to execute the infected file.
Plexus.B modifies the Windows hosts file, overwriting its content. In this way, it prevents the user from accessing the website of a well-known antivirus company.
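The hosts-file tampering described above is easy to check for: any mapping beyond the stock loopback entries deserves a look, and a security vendor's domain pointed at a loopback or unspecified address is the specific pattern the worm leaves behind. The following audit script is an added example, not code from the report or from any antivirus vendor; the watchlist domains (av-vendor.example) and the sample hosts content are constructed placeholders, since the report does not name the company whose site is blocked.

```python
"""Audit a Windows hosts file for entries that sink-hole or redirect hostnames.

Added example (not part of the original report). Plexus.B overwrites the
hosts file so that an antivirus vendor's website no longer resolves; a
defender can detect that class of tampering by parsing the file and flagging
every mapping that is not one of the default loopback entries.
"""
import ipaddress
import os
from typing import Dict, List, Tuple

# Default path of the hosts file on Windows NT-family systems.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Mappings that legitimately appear in a stock hosts file.
BENIGN = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Domains whose reachability the defender cares about. These are constructed
# placeholders, not the vendor referred to in the report.
WATCHLIST = {
    "av-vendor.example",
    "www.av-vendor.example",
    "update.av-vendor.example",
}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping, ignoring comments."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing/leading comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:                     # one IP may map several names
            entries.append((line_no, ip, name.lower()))
    return entries


def is_sinkhole(ip: str) -> bool:
    """True if the address makes the name unreachable (loopback/unspecified)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # an unparsable address cannot be a legitimate target
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Classify every non-default mapping in the given hosts-file content."""
    findings: Dict[str, List[str]] = {"sinkholed_watchlist": [], "nonstandard": []}
    for line_no, ip, name in parse_hosts(text):
        if (ip, name) in BENIGN:
            continue
        if name in WATCHLIST and is_sinkhole(ip):
            findings["sinkholed_watchlist"].append(f"line {line_no}: {name} -> {ip}")
        else:
            findings["nonstandard"].append(f"line {line_no}: {name} -> {ip}")
    return findings


# Constructed sample of a tampered hosts file (not a real capture).
SAMPLE_TAMPERED = """# localhost name resolution
127.0.0.1 localhost
127.0.0.1 www.av-vendor.example    # the kind of line the worm writes
0.0.0.0   update.av-vendor.example
203.0.113.10 intranet.corp.example  # unrelated custom entry, still worth review
"""


def main() -> None:
    # Audit the live file when run on Windows, otherwise the constructed sample.
    if os.path.exists(WINDOWS_HOSTS_PATH):
        with open(WINDOWS_HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_TAMPERED
    for category, hits in audit_hosts(text).items():
        print(f"{category}: {len(hits)}")
        for hit in hits:
            print("  " + hit)


if __name__ == "__main__":
    main()
```

Run against the sample, the script reports two sink-holed watchlist names and one non-standard mapping; on a clean default hosts file both lists come back empty. Treating every non-default entry as reviewable, rather than only the watchlist, is deliberate: the worm's choice of target is not something a defender should hard-code.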
Korgo.H and Korgo.I are two new members of this prolific family of worms that exploit the Windows LSASS vulnerability. By using this operating system flaw, they spread across the Internet and automatically enter computers. Like Plexus.B, the two variants of Korgo also affect all Windows platforms, although they only automatically infect systems running XP and 2000.
Once they install themselves on a computer, Korgo.H and Korgo.I open several TCP ports and wait to receive a file to run on the infected computer. To this end, they also try to connect to several IRC servers.
Finally, Downloader.GK is a Trojan that downloads and runs two adware programs (Adware/BetterInet and Adware/SearchCentrix) on the infected computer. It doesn’t spread on its own, but is downloaded from certain web pages when the user accepts the installation of a specific ActiveX control.