W32.Korgo may have a bigger appetite for destruction than first thought.
When it first came on the scene last month, the worm was largely dismissed as just another Sasser replica that posed little threat to machines patched against the LSASS buffer-overflow vulnerability in Windows XP and 2000.
Now that 12 variants of Korgo have appeared in quick succession, antivirus experts worry its maker is fine-tuning the code and using the LSASS flaw as a test bed for a more damaging assault in the future.
"My concern is the malicious code writers behind Korgo are getting more and more experience with this," said Patrick Hinojosa, chief technology officer for Panda Software of Glendale, Calif., which has posted a
Unlike Sasser, which tore across the Internet and attacked machines around the world; Korgo's variants try to lay low when they infect computers, making it difficult for users to see tell-tale signs of trouble like continuous restarts. They can also, depending on the variant, delete certain files, open communication ports and try to connect to various IRC servers. Hinojosa said this is further evidence that Korgo's creator is fishing for a new attack route.
Hinojosa said those most at risk at this point are home users who don't have the same experience with patches as IT managers who maintain bigger, company networks. His advice to people: "Make sure your firewall and antivirus protection are up to date and keep your eye on new security bulletins and patches."
Microsoft's April 13 security bulletin offers full details on the LSASS vulnerability and the patches to fix it.
Daniel Jackson, president and chief operating officer of Dallas-based DeepNines Technologies, said his company has also detected increased Korgo activity, especially since the weekend.
"We see it spreading more rapidly," Jackson said. "They're sniffing around for any little tweak that will let them slip through. They're getting smarter."