Symantec upgrades Korgo threat

Symantec Security Response has upgraded the worm W32.Korgo.F from a level two to a level three threat following an increase in submissions in the past 12 hours. 
"W32.Korgo.F includes backdoor functionality that could leave systems open to unauthorised access," said senior director Alfred Huger.

"This backdoor functionality could result in a loss of confidential data, and may also compromise security settings. This threat is another strong example of why it is critical for computer users to be diligent in applying security patches, keeping virus definitions updated, and following best practices."

W32.Korgo.F, which was detected on 1 June, attempts to propagate by exploiting the Microsoft LSASS Buffer Overrun Vulnerability, a Microsoft Windows vulnerability publicly announced on 13 April. This blended threat affects computer users on Windows 2000 and Windows XP.

Symantec said W32.Korgo.F will listen on TCP ports 113 and 3067 and could open back doors on those ports.

Threats to privacy and confidentiality have been the fastest growing threat in recent months, with the Symantec Internet Threat report released in March showing a 514% growth in volume of submissions within the top 10.

"The rising incidents of blended threats with the potential to open back doors demonstrate the importance of an integrated approach to security within the infrastructure," said Kevin Isaac, regional director, Middle East and Africa.

"A firewall will block unusual port traffic by default, and, when combined with updated anti-virus and intrusion detection systems, offers top-level protection. If users are affected, there is a free removal tool, as well as manual removal instructions on"

Symantec advised users to apply the patch provided by Microsoft for the LSASS Buffer Overrun Vulnerability as soon as possible and to update their anti-virus definitions to prevent exploitation of this threat. Users should also check that their firewall is configured to block ports 113 and 3067.

More information and virus definitions are available at

Written by Computing SA staff
