The author of the Korgo family of worms seems to be carrying out experiments with new variants aimed at catching users off guard, leading one anti-virus vendor to raise the Threat Level and warn of a 'serious epidemic'.

''We have not been able to determine to goal of this worm's creator,'' says Luis Corrons, head of PandaLabs, an arm of Panda Software, a Glendale, Calif.-based virus and intrusion prevention company. ''The amount of work being put into the development of the Korgo variants would suggest that this is more than just someone having a bit of fun. This is also far form the the typical virus strategy of simply getting as many variants in circulation as quickly as possible to infect as many computers as possible, as they have taken the trouble to make their creations delete their own predecessors.''

The Korgo family is made up of network worms that propagate using the LSASS exploit. According to Panda Software analysts, these worms try to lay low when they infect computers and therefore users don't see tell-tale signs, such as continuous restarts, in infected computers. They also can, depending on the variant, delete certain files, open communication ports and try to connect to various IRC servers.


Another important characteristic is that some of the Korgo worms use mutex or mutual exclusion objects, reports Panda analysts. These objects can control access to system resources and prevent more than one process from using the same resource at the same time.

One of the mutex created by these malicious codes is called ''utermXX'' -- XX is a number and apparently sequential. So while Korgo.C uses the mutex ''utwrm7'', Korgo.J uses ''uterm12''. This would imply that there are at least 12 versions of the worm. In this case, a version is a virus that has substantially different characteristics to its predecessors.

Panda also reports that there are other lesser variants, differing only fractionally from the original version. This is the case for example with Korgo.K and Korgo.L, created by introducing minor modifications to the original code.

These malicious codes also alter the Windows Registry, with each new variant removing the changes made by its predecessors and making new changes. This means that the order in which they have been created can be traced by the changes that they make. For example, Korgo.D deletes the entries created by Korgo.F, implying that Korgo.D is actually a more recent creation.

Panda's Corrons says he believes the worm's author or authors are trying to fine tune the malicious code to create a highly damaging example that will take users by surprise. It would, nevertheless, be a 'silent' epidemic, as one of the main features of the Korgo worms is that their actions can go unnoticed by users.

Users should install software patches, as well as update their anti-virus software.