W32.Korgo family of worms

Discovery began in May 2004

The W32.Korgo family of network worms began to surface in May 2004 and several variants have been released since that time. These worms propogate using the following vulnerabilities including:

  • Exploits the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
  • It also listens on TCP port 113 and other random ports between 2000 and 8192.


You can find more information and removal instructions as well as tools for each variant from Symantec from the following links: