Virus definitions that detect/protect against Phatbot/Polybot are now
installed on the central servers and are pushing out to desktops.

Suggestions from Symantec to additionally protect against Phatbot/Polybot:

1. Create a secure password. This threat takes advantage of weak network
passwords. (A full-time Internet connection, such as DSL or Cable, is
considered a network connection for these purposes.)  To receive advice
about creating secure passwords visit:

<http://www.us-cert.gov/cas/tips/ST04-002.html>


2. Patch the DCOM RPC vulnerability as described in Microsoft Security
Bulletin MS03-026:

<http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx>

3. Patch the WebDAV vulnerability as described in Microsoft Security
Bulletin MS03-007:

<http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx>

No stand-alone tools to remove Phatbot/Polybot are available from the
regular organizations as of yet.


Stefanie


On Fri, 19 Mar 2004, Stefanie Ploof wrote:

> Phatbot was reported to us last week by a reporter from the Washington
> Post (sigh), but no reputable antivirus organizations that we could locate
> were providing protection from Phatbot and I didn't see any firsthand
> infections to submit to Symantec, so we instead blocked the ports on
> which it travels.  As of today Symantec has finally detected Phatbot as
> W32.HLLW.Polybot.  Virus definitions for March 19 (intelligent update) or
> March 24 (live update) will detect Phatbot, but they are not out yet.
>
> Symantec's write-up:
>
> http://www.sarc.com/avcenter/venc/data/w32.hllw.polybot.html
>
> A much more eloquently written account from LURHQ:
>
> http://www.lurhq.com/phatbot.html
>
> I'll update the lists when there are tools/defs for removal.
>
>
> Stefanie
>