Discovered: November 20, 2003
Updated: February 13, 2007 12:14:06 PM
Type: Worm
Systems Affected: Windows 2000, Windows NT, Windows XP
W32.Bolgi.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 445. This worm attempts to download the file to the %WinDir%\system32 directory, and then execute it.
The worm targets only Windows 2000 and Windows XP machines. While Windows NT and Windows 2003 Server machines are vulnerable to the aforementioned exploit (if not properly patched), the worm is not coded to replicate to those systems.
Symantec Security Response recommends that you block access to TCP port 5732 at the firewall level, and then block the following ports (assuming you do not use the listed applications):
- TCP Port 445, "SMB"
- UDP Port 69, "TFTP"
Protection
- Initial Rapid Release version: November 21, 2003
- Latest Rapid Release version: July 19, 2008 revision 019
- Initial Daily Certified version: November 21, 2003
- Latest Daily Certified version: July 19, 2008 revision 018
- Initial Weekly Certified release date: November 26, 2003
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 0 - 49
- Number of Sites: 0 - 2
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Easy
Damage
Distribution
- Distribution Level: Medium
Writeup By: Yuhui Huang