W32.Bolgi.Worm


Discovered: November 20, 2003
Updated: November 21, 2003 3:52:16 PM
Systems Affected: Windows

W32.Bolgi.Worm is a network aware worm that propagates by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205) using TCP port 445. The worm will only target Windows 2000 and Windows XP machines.

W32.Bolgi.Worm is a network-aware worm that propagates to Windows 2000 and Windows XP hosts by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205). When the worm is executed, it creates a mutex named 'Bolgimo'; if the mutex cannot be created, the worm exits.

Next, to hook system startup, the worm creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"RPC Patcher" = <the path to the worm executable>

The worm then sends an HTTP request to a web site; this request increments a counter that the worm's author uses to keep track of the number of infected hosts.

It then attempts to download and run the Microsoft patch MS03-026 that applies to the compromised machine. The file 'RPC_VIRUS.txt' is then dropped on the current user's desktop. This file contains the following text:
!!!!!!!!! YOUR COMPUTER IS VULNERABLE TO THE RPC EXPLOIT !!!!!!!!!

THE PATCH HAS AUTOMATICALLY BEEN DOWNLOADED TO YOUR DESKTOP AND IS RUNNING NOW
PLEASE FOLLOW ITS INSTRUCTIONS

AFTER IT IS INSTALLED, RUN A VIRUS SCAN IMMEDIATELY
IT IS EVEN RECCOMMENDED TO REFORMAT YOUR SYSTEM(don't forget to patch afterwards)

The Microsoft security bulletin and patch download location is at:
www.microsoft.com <exact URL removed>.

Look for any suspicious programs running in your task manager and go to start->run and type 'msconfig'. Go to the last tab, 'Startup' and look for anything that's suspicious such as 'mscfg.exe', 'program.exe', 'svhost.exe' or something. If you find anything like this, uncheck the checkbox next to it and it will be disabled. If you see 'RPC Patcher' and 'rpcpatcher.exe' that is this program. It would be nice if you left it checked for a while so your computer could help others patch thier systems, but if you really want you can uncheck it and/or delete rpcpatcher.exe from your system folder. Doing a search at www.google.com for anything suspicous you find is also a good idea.

A virus or trojan horse exploiting this bug in Microsoft Windows NT/2000/XP/2003 could have already done anything to your computer. One way you might know you have been infected is when Windows opens an message box saying it will shut down in 60 seconds, but it may not. This program that created this message was brought to you by using the RPC vulnerability. Don't worry though, this program is totally harmless. It is named 'rpcpatch.exe' and will be in your system folder to run on startup so it can warn others that they are vulnerable and should patch. It runs a TFTP server to send this program to others to patch their systems.
This notification program will only spread to Windows 2000 or Windows XP computers, but it will run on Windows NT/2003 computers to download and run the patch for them and look for others to notify. A statistics page to see how many computers this program has patched is at www.nedstatbasic.net <exact URL removed>.

------ TELL OTHERS TO PATCH THEIR SYSTEMS AND VISIT WINDOWSUPDATE.COM OFTEN ------


Thank you.

The worm then launches this text file in the default text editor.

Next the worm opens a URL to the MS03-026 advisory on www.microsoft.com. The worm then spawns a TFTP server thread and an attack thread. The attack thread performs the following procedure:
First, the attack thread generates a random IP address to attack.
Next, it transmits an exploit to that machine. If the exploit attempt succeeds, the remote compromised system connects back to the attacking system with a command shell on port 5732.
Finally, the attack thread sends a command to the remote compromised system. This command invokes tftp to transfer the worm executable from the attacking system to the newly compromised host and then starts the worm executable there.
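Detection logic for the propagation sequence above, as an added example that is not part of the original writeup: it scans constructed connection-log lines for a host that received inbound TCP/445 from a peer, then connected back to that same peer on port 5732, then pulled a file from it over TFTP (UDP/69). The log format, the two-minute window and the assumption that the 5732 callback is TCP are assumptions of the example.

```python
"""Flag infected-host/victim pairs showing W32.Bolgi.Worm's propagation chain.

Added example, not Symantec's code. Chain: exploit in over TCP/445,
victim connects back to the source on port 5732 (assumed TCP) for a
shell, then fetches the worm from the source over TFTP (UDP/69).
"""
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-11-20T10:00:01 TCP 10.0.0.5:3412 -> 10.0.0.9:445
2003-11-20T10:00:03 TCP 10.0.0.9:1044 -> 10.0.0.5:5732
2003-11-20T10:00:05 UDP 10.0.0.9:1045 -> 10.0.0.5:69
2003-11-20T10:05:00 TCP 10.0.0.7:3500 -> 10.0.0.9:445
2003-11-20T10:05:01 TCP 10.0.0.9:1050 -> 10.0.0.7:80
"""

def parse_line(line):
    """Parse one constructed log line into (ts, proto, src, sport, dst, dport)."""
    ts, proto, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (datetime.fromisoformat(ts), proto,
            src_ip, int(src_port), dst_ip, int(dst_port))

def find_bolgi_chains(log_text, window=timedelta(minutes=2)):
    """Return (source, victim) pairs that complete all three stages in order
    within `window` of the initial 445 connection."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    stage = {}       # (source, victim) -> 1 after 445, 2 after 5732 callback
    first_seen = {}  # (source, victim) -> timestamp of the 445 connection
    hits = []
    for ts, proto, src, _sport, dst, dport in events:
        if proto == "TCP" and dport == 445:
            stage[(src, dst)] = 1          # src is attacking dst
            first_seen[(src, dst)] = ts
            continue
        key = (dst, src)                   # callbacks go victim -> source
        if key not in stage or ts - first_seen[key] > window:
            continue
        if stage[key] == 1 and proto == "TCP" and dport == 5732:
            stage[key] = 2                 # reverse shell established
        elif stage[key] == 2 and proto == "UDP" and dport == 69:
            stage[key] = 3                 # worm binary pulled via TFTP
            hits.append(key)
    return hits
```

The second 445 connection in the sample (from 10.0.0.7) never progresses past stage 1, so only the completed chain is reported.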

Finally, the worm kills any running processes that have the following names; a popup message is displayed for each process that is found and killed.
Loginui32.exe
SysOps
windows33.exe
Hxdef
msfnt32i
sysclean.exe
pipecmd
psexec
nvnav32g
ESPLORER.EXE
prox.exe
Hello-Kitty.exe
Shell321.exe
Dllexe32.exe
sysctl.exe
winsys.com
svhost
netsyn32.exe
hkcmd
netsys32.exe
sysgen.exe
evilbot.exe
acebot
litmus
FreeXXXvideo_Dedector.exe
cracker.exe
swon4.exe
GT Bot.a.exe
wSys32.exe
cc-verify-and-cracker.exe
11SETUP.EXE
arial.exe
windowsupdater.exe
WinBooster.exe
Warez_SearchV6.exe
Virus-Cleaner.exe
gtupdatesetup.exe
EXPL32.EXE
Syschk.exe
winupdate.exe
tweak.exe
moveis.exe
speed.exe
PipeCmdSrv.exe
wserver.exe
Sexy.exe
DropperPorn.exe
redcodesetup.exe
Quick-Silver-Set-Up.exe
Cmmgr32.com
BinLaden.mpg.exe
Porn.exe
HotSex.exe
Uninstal.exe
PhornoScript.exe
PHORNO.EXE
wSys.exe
nPatch-IT.exe
Fonts.fnt
bot.exe
undelete.exe
NoHack.exe
Ocxdll
Igmp.exe
MIMIC.EXE
winini32.exe
arialfont.exe
arial.com
ariali.exe
xxvideo.exe
system.exe
s1etup.exe
internetbooster.exe
gay_teens.exe
ZDFJEW.EXE
SystemCONF98i.exe
newkernal982i.exe
mannager98a.exe
Nohack Virus Scan2 Setup.exe
free_bnc.exe
Netbus.exe
modemuncaper.exe
cleaner4.1.exe
Unpackedcleaner4.1.exe
cleaner14.1.exe
ftpsitefinder.exe
gtsetup.exe
application.exe
speedup2_3b.exe
DMSsetup-remover.exe
DALNetCleaner.exe
kernel33.exe
Microsoft.exe
Britney_spears_SS.exe
WHVLXD.EXE
Explored.exe
cleaner.11.exe
SYSCHECK.EXE
WSYSTEM.EXE
Cleanernew.exe
SYSTEM.EXE
britneyspearss.exe
BRITNEYSPEAR.scr
BOT.EXE
something.exe
main.exe
x1.exe
win32.exe
windows.pif
BLuESpYdER.exe
mimic.exe
I3Explorer.exe
mybot.exe
boxen.exe
egodsirc.exe
lol.exe
svchost32.exe
winipcnfg.exe
Blaster.exe
billy.exe
pepsi.exe
baby-f-pic.jpg.exe
expl32.exe
Anti_Net_Bus.exe
svost.exe
Syscfg32.exe
Sys3f2.exe
Sysmon16.exe
Cnfgldr.exe
temp.exe
ntservice.exe
penis32.exe
TEEKIDS.EXE