[Dshield] New Virus information

Deb Hale haled at pionet.net
Fri Nov 21 16:43:29 GMT 2003


Symantec has posted information about a new virus on their web site. The
name of the virus is W32.Bolgi.Worm.  You may want to take a look at the
information about it at
<http://securityresponse.symantec.com/avcenter/venc/data/w32.bolgi.worm.html>.
I can just see some unsuspecting user falling for this social engineering
trick.  

Here is an excerpt from Symantec on the text contents of the email:

!!!!!!!!! YOUR COMPUTER IS VULNERABLE TO THE RPC EXPLOIT !!!!!!!!!

THE PATCH HAS AUTOMATICALLY BEEN DOWNLOADED TO YOUR DESKTOP AND IS RUNNING
NOW
PLEASE FOLLOW ITS INSTRUCTIONS

AFTER IT IS INSTALLED, RUN A VIRUS SCAN IMMEDIATELY
IT IS EVEN RECCOMMENDED TO REFORMAT YOUR SYSTEM(don't forget to patch
afterwards)

The Microsoft security bulletin and patch download location is at: 
www.microsoft.com <exact URL removed>.

Look for any suspicious programs running in your task manager and go to
start->run and type 'msconfig'. Go to the last tab, 'Startup' and look for
anything that's suspicious such as 'mscfg.exe', 'program.exe', 'svhost.exe'
or something. If you find anything like this, uncheck the checkbox next to
it and it will be disabled. If you see 'RPC Patcher' and 'rpcpatcher.exe'
that is this program. It would be nice if you left it checked for a while so
your computer could help others patch thier systems, but if you really want
you can uncheck it and/or delete rpcpatcher.exe from your system folder.
Doing a search at www.google.com for anything suspicous you find is also a
good idea.

It appears to be using TCP ports 5732, 445, and 69.

Thought you might like to know.  Deb
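
Added example (not part of the original post or of Symantec's write-up): one way to look for the ports named above in firewall logs while keeping ordinary port 445 file-sharing traffic from drowning the result. The iptables-style log layout, the addresses, and the fan-out threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Ports named in the post; matched on destination port only, any protocol.
WATCH_PORTS = {5732, 445, 69}
FANOUT_THRESHOLD = 3  # assumption: distinct destinations before flagging

# Constructed sample lines in an iptables-style layout (not real traffic).
SAMPLE_LOG = """\
Nov 21 16:01:02 fw kernel: SRC=10.0.0.15 DST=10.0.0.20 PROTO=TCP SPT=1044 DPT=445
Nov 21 16:01:05 fw kernel: SRC=10.0.0.15 DST=192.0.2.80 PROTO=TCP SPT=1045 DPT=80
Nov 21 16:02:10 fw kernel: SRC=10.0.0.31 DST=10.0.0.40 PROTO=TCP SPT=2100 DPT=445
Nov 21 16:02:10 fw kernel: SRC=10.0.0.31 DST=10.0.0.41 PROTO=TCP SPT=2101 DPT=445
Nov 21 16:02:11 fw kernel: SRC=10.0.0.31 DST=10.0.0.42 PROTO=TCP SPT=2102 DPT=445
Nov 21 16:02:12 fw kernel: SRC=10.0.0.31 DST=10.0.0.43 PROTO=UDP SPT=2103 DPT=69
Nov 21 16:03:30 fw kernel: SRC=10.0.0.52 DST=192.0.2.7 PROTO=TCP SPT=3000 DPT=5732
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=\S+ SPT=\d+ DPT=(\d+)")


def scan(log_text, threshold=FANOUT_THRESHOLD):
    """Return {source: {"ports": [...], "dests": n}} for sources worth a look."""
    dests, ports = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not packet records
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport in WATCH_PORTS:
            dests[src].add(dst)
            ports[src].add(dport)
    flagged = {}
    for src, seen in dests.items():
        # A single 445 connection is ordinary file sharing, so flag only on
        # fan-out across many hosts or on any use of the unusual port 5732.
        if len(seen) >= threshold or 5732 in ports[src]:
            flagged[src] = {"ports": sorted(ports[src]), "dests": len(seen)}
    return flagged


if __name__ == "__main__":
    for src, info in sorted(scan(SAMPLE_LOG).items()):
        print(src, info)
```

A flagged host is a candidate for the startup-entry check quoted in the email text ('RPC Patcher' / 'rpcpatcher.exe'), not a confirmed infection.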





