Skip to main content
Skip to main content
Microsoft Security Intelligence
Cart 0 items in shopping cart
Sign in
Published Jan 25, 2005 | Updated Sep 15, 2017

Worm:Win32/Korgo.AE

Detected by Microsoft Defender Antivirus

Aliases: W32/Korgo.worm.ae (McAfee) W32.Korgo.AE (Symantec)

Summary

Win32/Korgo.AE.worm is a network worm that targets computers running Microsoft Windows XP or Windows 2000 that do not have Microsoft Security Update MS04-011 installed. The worm also monitors TCP ports and opens a backdoor to allow unauthorized access to infected computers. A computer infected with this worm may A computer infected with this worm display an LSA crash dialog box and may crash and reboot unexpectedly.
To manually recover from infection by Win32/Korgo.AE.worm, perform the following steps:
  1. Stop the computer from restarting
  2. Disconnect from the Internet
  3. Delete the worm files from the computer
  4. Delete the worm registry entry
  5. Restart your computer
  6. Take steps to prevent re-infection

Stop the computer from restarting

To manually recover from this infection, you must prevent the computer from spontaneously rebooting by disabling system shutdown.
To disable system shutdown
  1. Click Start, and then click Run.
  2. In the Open field, type shutdown -a
  3. Press Enter.

Disconnect from the Internet

To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps. 

Delete the worm files from the computer

To delete the worm files from the computer
  1. Click Start, and click Run.
  2. In the Open field, type %System%
  3. Click OK.
  4. Click Name to sort files by name.
  5. If <random>.msc or <random>32.dll are in the list, delete them.
  6. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
  7. Click Yes.
This removes the worm code from your computer.
If deleting files fails, use the following steps to verify that <random>.msc or <random>32.dll are not running:
  1. Press CTRL+ALT+DEL once and click Task Manager.
  2. Click Processes and click Image Name to sort the running processes by name.
  3. Confirm that <random>.msc or <random>32.dll are not in the list.

Delete the worm registry entry

To delete the worm registry entry
  1. On the Start menu, click Run.
  2. Type regedit and click OK.
  3. In the left pane, navigate to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\DataAccess
  4. In the right pane, right-click the following value, if it exists:
    Database
  5. Click Delete and click Yes to delete the value.
  6. In the left pane, navigate to the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
  7. Right-click the value <random_CLSID>.
  8. Click Delete and click Yes to delete the value.
  9. In the left pane, navigate to the registry key: HKEY_CLASSES_ROOT\CLSID
  10. Right-click the subkey <random_CLSID> and click Delete. This key has a subkey InprocServer32 with a default value containing data %System%\<random>32.dll. The subkey <random_CLSID> matches the name of the value in registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks.
  11. Close the Registry Editor.

Restart your computer

To restart your computer
  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.

Take steps to prevent re-infection

Do not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.
Follow us