Antivirus vendors are warning Microsoft Windows XP and 2000 users of multiple strains of the W32.Korgo worm, which exploits the LSASS buffer-overflow vulnerability announced, and patched, by Microsoft on April 13 (security bulletin MS04-011).
Some experts noted that the spread of the worm is remarkable, given how long a patch for the vulnerability has been available.
"Anyone who is being infected by Korgo must have slept through the Sasser, Dabber and Cycle worms, which all exploited the same Microsoft vulnerability," said Graham Cluley, senior technology consultant at UK-based Sophos Antivirus. "Any company taking security seriously put the Microsoft patch in place and got their firewalls in order weeks ago, and should have nothing to worry about when it comes to Korgo."
However, those that aren't patched should be concerned.
"W32.Korgo.F includes backdoor functionality that could leave systems open to unauthorized access," Alfred Huger, senior director, Symantec Security Response, said in a statement. "This backdoor functionality could result in a loss of confidential data and may also compromise security settings."
Due to the increase in prevalence, the Symantec Security Response Team has upgraded the Korgo.F worm from a Level 2 to a Level 3 threat.
Symantec said Korgo.F listens on TCP ports 113 and 3067. The company urged users to apply the Microsoft patch as soon as possible, update antivirus definitions and configure firewalls to block those two ports. An upswing in traffic on those ports could signal an infection; note that TCP 113 is also the standard ident service, so on many networks the signal is a change from an existing baseline rather than the mere presence of port 113 traffic.
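The following is an added example of the kind of check Symantec's advice implies, not code from Symantec or any vendor quoted in this article. It scans firewall connection logs for traffic to TCP 113 and 3067 and flags hosts contacted on those ports by an unusual number of distinct peers. The log line format, the sample lines and the per-port thresholds (a few ident lookups are normal; a single connection to 3067 is not) are assumptions made for illustration.

```python
"""Flag hosts with unusual TCP 113/3067 connection activity in firewall logs.

Added example for this article, not code from Symantec or any other vendor.
The log format, sample data and thresholds below are assumptions.
"""
import re
from collections import defaultdict

# Ports the article reports Korgo.F listening on. TCP 113 is also the standard
# ident/auth service, so a handful of connections to it can be legitimate;
# 3067 has no common legitimate use on a workstation, so one hit is suspicious.
KORGO_PORTS = {113, 3067}
MIN_DISTINCT_SOURCES = {113: 3, 3067: 1}  # assumed thresholds; tune per network

# Assumed generic log format: "<timestamp> <ACCEPT|DROP> TCP src:sport -> dst:dport"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2004-06-01T10:00:01 ACCEPT TCP 192.0.2.10:1041 -> 10.0.0.20:113
2004-06-01T10:00:02 ACCEPT TCP 10.0.0.7:1100 -> 10.0.0.31:113
2004-06-01T10:00:03 ACCEPT TCP 10.0.0.8:1101 -> 10.0.0.31:113
2004-06-01T10:00:04 ACCEPT TCP 10.0.0.9:1102 -> 10.0.0.31:113
2004-06-01T10:00:05 DROP TCP 10.0.0.9:1103 -> 10.0.0.31:3067
2004-06-01T10:00:06 ACCEPT TCP 10.0.0.7:1104 -> 10.0.0.40:80
2004-06-01T10:00:07 ACCEPT TCP 10.0.0.7:1105 -> 10.0.0.31:113
this line is malformed and must be skipped rather than crash the parser
"""


def parse_line(line):
    """Return (action, src, dst, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["action"], m["src"], m["dst"], int(m["dport"])


def korgo_port_connections(lines):
    """Map (dst, dport) -> set of distinct source IPs for traffic to Korgo ports.

    Both ACCEPT and DROP lines are counted: a dropped attempt still shows that
    something is looking for the backdoor, which is the "upswing in traffic"
    the advisory tells administrators to watch for.
    """
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip, do not abort the whole scan
        _action, src, dst, dport = parsed
        if dport in KORGO_PORTS:
            sources[(dst, dport)].add(src)
    return sources


def flag_hosts(lines, thresholds=MIN_DISTINCT_SOURCES):
    """Return sorted (dst, dport, distinct_sources) tuples meeting the threshold."""
    flagged = []
    for (dst, dport), srcs in korgo_port_connections(lines).items():
        if len(srcs) >= thresholds[dport]:
            flagged.append((dst, dport, len(srcs)))
    return sorted(flagged)


if __name__ == "__main__":
    for dst, dport, n in flag_hosts(SAMPLE_LOG.splitlines()):
        print(f"{dst} tcp/{dport}: {n} distinct source(s); "
              "inspect host for Korgo.F and confirm the LSASS patch is installed")
```

Counting distinct sources per destination, rather than raw packet counts, is what separates a mail server doing one ident lookup from a backdoored workstation being probed by several peers. In the constructed sample, 10.0.0.31 is flagged on both ports while 10.0.0.20, which received a single ident lookup, is not.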
All strains of the Korgo worm are essentially the same, Mikko Hypponen, director of antivirus research for Helsinki, Finland-based F-Secure Corp., said in a statement. The keylogging worm uses the LSASS flaw to copy itself onto Windows XP and 2000 systems under a random file name and then attacks further machines at randomly generated IP addresses. He classified the outbreak as a medium-size infection.
According to Hypponen, Korgo is the first automated network worm to target online banking systems.
"As it collects anything typed at the computer keyboard, it basically targets any bank where users can access their account without a one-time password," said Hypponen. "All the online banking systems I've ever used (since 1990) use a one-time password (where you get a paper sheet with 100 or so passwords and use each only once), but many popular systems nowadays just rely on a user-chosen password, which obviously is not as safe. Korgo does specifically target at least three online banking systems." F-Secure did not identify specific banks in its news release. No one was immediately available for comment.