

Korgo Worm



About Korgo

From: Symantec's Security Response site

This worm does not enter via email. It infects your machine through a known Microsoft operating system vulnerability (described in Microsoft Security Bulletin MS04-011). You are protected if all your Microsoft operating system Critical Updates are current and were actually installed successfully.

Systems which can be infected include: Windows 95/98/NT/2000/XP and Windows Server 2003.
 


REMOVAL for Windows 2000 and XP

  1. Download the FixKorgo.exe to a convenient location, such as your desktop (courtesy of Symantec).
  2. Download the Microsoft patch for this vulnerability:
  3. Close all programs before running the tool.
  4. Disconnect your computer from the network and the Internet.
  5. If you are running Windows Me or XP, disable System Restore (Instructions below).
    Caution: If you are running Windows XP, do not skip this step.
  6. Be sure you are logged on to your system with administrative rights.
  7. Double-click the FixKorgo.exe file to start the removal tool.
  8. Click Start to begin the process, and then allow the tool to run.
  9. NOTE: If you are UNABLE to get the FixKorgo program to run because the computer reboots, you must start your system in SAFE MODE and run the program there. (Additional instructions at Symantec)
  10. Restart the computer.
  11. Run the removal tool again to ensure that the system is clean.
  12. Install the Microsoft patch for this vulnerability by double clicking on the file you downloaded and then following the instructions in the wizard.
  13. If you are running Windows XP, next re-enable System Restore (Instructions below).
  14. Reconnect to the network.
  15. Be sure you have installed all Critical Updates to your operating system.
    (If you are on ResNet, do this after you have been unblocked.)

ResNet students who have been disconnected will have to call
the ResNet Help Line (372-6566) to be reconnected to the network. 
It may take some time to be confirmed clean and reconnected.

Remember that Symantec Antivirus is available for download to enrolled TTU students.


Disabling System Restore in Windows XP

  • Click Start.
  • Right-click My Computer.
  • Select Properties from the floating menu.
  • Click the System Restore tab.
  • Select the Turn off System Restore check box.
  • Click Apply.
  • Click Yes in the message box.
  • Click OK.

After the worm is removed, restart your computer and follow the steps above to deselect "Turn off System Restore".


Running a Scan with Norton Antivirus

  • Click on the yellow shield in the bottom right corner (system tray).
  • Click Scan Computer in the left menu.
  • Check the box to select C: (Local Drive).
  • Click the Scan button at the bottom of the window.

Faculty and staff who need additional assistance should contact MicroSupport@tntech.edu (372-6315) or their College MicroSupport contact.

 

Maintained by: Academic Computing Support
Last updated: August 30, 2004
Copyright © Tennessee Technological University. All rights reserved.
Information Technology Services, Box 5071— Clement Hall 220, Cookeville, Tennessee 38505   Phone: 931.372.3387