
Korgo Worm: Virus uses the LSASS vulnerability to propagate, but unlike Sasser, maintains a low profile while spawning numerous variants


The Korgo worm, just like Sasser, exploits the LSASS vulnerability to spread rapidly across the Internet. But unlike Sasser, Korgo tries to lay low when it infects computers. Users won't see tell-tale signs such as continuous restarts in infected computers. Korgo will, however, depending on the variant, delete certain files, open communication ports, and try to connect to various IRC servers.

Another important characteristic is that some of the Korgo worms use mutexes (mutual exclusion objects). These objects control access to system resources and prevent more than one process from using the same resource at the same time. One of the mutexes created by these malicious codes is called "utermXX" (XX is a number -- apparently sequential). So while Korgo.C uses the mutex "utwrm7," Korgo.J uses "uterm12." This would imply that there are at least 12 versions of the worm (in this case, a version is a virus that has substantially different characteristics from its predecessors). In addition, there are other lesser variants, differing only fractionally from the original version. This is the case, for example, with Korgo.K and Korgo.L, created by introducing minor modifications to the original code.

These malicious codes also alter the Windows Registry, with each new variant removing the changes made by its predecessors and making new changes. This means that the order in which they have been created can be traced by the changes that they make. For example, Korgo.D deletes the entries created by Korgo.F, implying that Korgo.D is actually a more recent creation.
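Added example (not code from the article or from Panda Software): a small Python helper that applies the reasoning above, ordering variants by whose registry entries each one removes. The variant names follow the article, but the registry value names are constructed placeholders, and the mutex parser assumes the "utermXX" naming pattern described here.

```python
import re
from collections import defaultdict, deque

# "utermXX" mutex names: the number is read as a rough version counter.
# Returns None for names outside the pattern (assumed naming convention).
MUTEX_RE = re.compile(r"^uterm(\d+)$")

def mutex_version(name):
    m = MUTEX_RE.match(name)
    return int(m.group(1)) if m else None

def infer_creation_order(samples):
    """samples: {variant: {"adds": set(values), "deletes": set(values)}}.
    If variant X deletes a registry value that variant Y creates, X must be
    newer than Y. Build those edges and topologically sort them. Only a
    partial order is recoverable; unrelated variants are ordered by name."""
    owner = defaultdict(set)   # registry value -> variants that create it
    for name, s in samples.items():
        for v in s["adds"]:
            owner[v].add(name)
    after = defaultdict(set)   # older variant -> set of newer variants
    indeg = {name: 0 for name in samples}
    for name, s in samples.items():
        for v in s["deletes"]:
            for older in owner[v]:
                if older != name and name not in after[older]:
                    after[older].add(name)
                    indeg[name] += 1
    queue = deque(sorted(n for n, d in indeg.items() if d == 0))
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for newer in sorted(after[n]):
            indeg[newer] -= 1
            if indeg[newer] == 0:
                queue.append(newer)
    if len(order) != len(samples):
        raise ValueError("contradictory deletion evidence (cycle)")
    return order

# Constructed sample data: value names are placeholders, not the real entries.
SAMPLES = {
    "Korgo.F": {"adds": {"Run\\WinUpdate_F"}, "deletes": set()},
    "Korgo.D": {"adds": {"Run\\WinUpdate_D"}, "deletes": {"Run\\WinUpdate_F"}},
    "Korgo.J": {"adds": {"Run\\WinUpdate_J"}, "deletes": {"Run\\WinUpdate_D"}},
}

if __name__ == "__main__":
    print(infer_creation_order(SAMPLES))   # ['Korgo.F', 'Korgo.D', 'Korgo.J']
```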

"We have not been able to determine the goal of this worm's creator," said Luis Corrons, head of Panda Labs. "The amount of work being put into the development of the Korgo variants would suggest that this is more than just someone having a bit of fun. This is also far from the typical virus strategy of simply getting as many variants in circulation as quickly as possible to infect as many computers as possible, as they have taken the trouble to make their creations delete their own predecessors."

It appears that the creators are trying to fine-tune the malicious code in order to create a highly damaging example that will take users by surprise. It would, nevertheless, be a silent epidemic, as one of the main features of the Korgo worms is that their actions can go unnoticed by users.

One seemingly contradictory detail is that despite such technical ingenuity, Korgo uses the LSASS vulnerability to propagate and will therefore cease to spread as users install the patch to fix this flaw in Windows. This may not be a problem for its creators because, as Corrons explains: "The creator of the worm could exploit other vulnerabilities as they are discovered. This is why it is advisable to keep an eye on the new variants which will no doubt appear. The sooner the creator is caught the better."

To prevent incidents involving the Korgo worms, Panda Software advises users to take precautions and update their antivirus software. The company has already made the updates to its products available to users to ensure their solutions can detect and eliminate these malicious codes. To keep Korgo and its variants at bay, it is essential to apply the patch released by Microsoft to fix the LSASS vulnerability.

June 10, 2004 © Yenra ®