Korgo Worm Detection

critical Nessus Plugin ID 12252

Language:

Synopsis

The remote host is probably infected with the Korgo worm.

Description

Nessus found that TCP ports 113 and 3067 are open.
The Korgo worm is known to open a backdoor on these ports.
It propagates by exploiting the LSASS vulnerability on TCP port 445 (as described in Microsoft Security Bulletin MS04-011)

** Note that Nessus did not try to talk to the backdoor,
** so this might be a false positive.

Solution

Disable access to port 445 by using a firewall. Additionally, apply Microsoft MS04-011 patch.

See Also

http://www.nessus.org/u?0648f11d

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-011

Plugin Details

Severity: Critical

ID: 12252

File Name: korgo.nasl

Version: 1.21

Type: remote

Family: Backdoors

Published: 5/26/2004

Updated: 11/15/2018

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Vulnerability Information

Required KB Items: Settings/ParanoidReport

Reference Information

MSFT: MS04-011

MSKB: 835732