Discovered on: June 01, 2004
Description: W32.Korgo.F is a minor variant of
W32.Korgo.E. It is a worm that attempts to propagate by exploiting the
Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108) on TCP
port 445. It also listens on TCP ports 113, 3067, and other random ports.
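The network behaviour described above can be checked on a suspect host from `netstat -ano` output. The following is an added example, not part of the original advisory: it flags listeners on TCP 113 and 3067 and any process contacting several distinct hosts on TCP 445. The sample output, the function name `find_korgo_indicators` and the fan-out threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

KORGO_LISTEN_PORTS = {113, 3067}  # listener ports named in the description
SMB_PORT = 445                    # port the worm uses to propagate
FANOUT_THRESHOLD = 3              # assumption: distinct targets per PID, tune per site

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING       1844
  TCP    192.0.2.10:1091        198.51.100.7:445       SYN_SENT        1844
  TCP    192.0.2.10:1092        198.51.100.8:445       SYN_SENT        1844
  TCP    192.0.2.10:1093        198.51.100.9:445       SYN_SENT        1844
  TCP    192.0.2.10:1100        192.0.2.20:445         ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# One TCP row: local addr:port, foreign addr:port, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def find_korgo_indicators(netstat_text):
    """Return suspicious listeners and per-PID fan-out to TCP 445."""
    listeners = []
    fanout = defaultdict(set)  # PID -> distinct remote hosts contacted on 445
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows and blank lines
        _laddr, lport, raddr, rport, state, pid = m.groups()
        if state == "LISTENING" and int(lport) in KORGO_LISTEN_PORTS:
            listeners.append((int(lport), int(pid)))
        elif state != "LISTENING" and int(rport) == SMB_PORT:
            fanout[int(pid)].add(raddr)
    scanners = {
        pid: sorted(hosts)
        for pid, hosts in fanout.items()
        if len(hosts) >= FANOUT_THRESHOLD
    }
    return {"listeners": sorted(listeners), "smb_fanout": scanners}
```

Port 113 (ident) can be open for legitimate reasons, so a hit is a prompt to identify the owning PID rather than proof of infection.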
Removal Instructions For Symantec & Norton Users:
- Disable System Restore (Windows Me/XP).
- Update the virus definitions.
- Restart the computer in Safe mode or VGA mode.
- Run a full system scan and delete all the files detected as
W32.Korgo.F.
- Reverse the changes made to the registry.
Removal Instructions For McAfee Users:
Windows Me
1. Right-click the My Computer icon on the Desktop and click on
Properties.
2. Click on the Performance tab.
3. Click on the File System button.
4. Click on the Troubleshooting tab.
5. Put a check mark next to 'Disable System Restore'.
6. Click the 'OK' button.
7. You will be prompted to restart the computer. Click Yes.
Note: To re-enable the Restore Utility, follow steps one to seven and
on step five remove the check mark next to 'Disable System Restore'.
Windows XP
Disabling the System Restore Utility (Windows XP Users)
1. Right-click the My Computer icon on the Desktop and click on
Properties.
2. Click on the System Restore tab.
3. Put a check mark next to 'Turn off System Restore on All Drives'.
4. Click the 'OK' button.
5. You will be prompted to restart the computer. Click Yes.