- Joined
- 21 Sep 2002
- Messages
- 3,484
Originally posted by rushm001
Sinster could just delete his first post and it would be gone, right?
Or if you ask nicely enough Enyo will do it.
I didn't mean Sinster. Me getting my threads confused.
Originally posted by rushm001
Sinster could just delete his first post and it would be gone, right?
Or if you ask nicely enough Enyo will do it.
Originally posted by ReC0iL
My computer keeps shutting down by itself.... A little window pops up and says "The system is shutting down. Please save all work in progess and log off" "Any unsaved changes will be lost" "The shutdown was iniciated by NT AUTHORITY\SYSTEM.... Then there is a message that says... " Windows must restart because the Remote Procedure Call (RPC) terminated unexpectedly." Can someone PLEASE help me... How do I fix this???
Originally posted by -kReV-
NAME: RPC
ALIAS: Exploit.Win32.Autorooter, RPC-1, Cirebot, Downloader-DM
A set of files using a security vulnerability in Windows operating system was found around 19:00 GMT on saturday 2nd of August, 2003.
Scenario looked bad in the beginning, as the package contained files with names such as rpc.exe and worm.exe.
After detailed analysis, we can confirm that this is not a worm at all. It does not even attempt to spread further from affected hosts.
The vulnerability being used here is MS03-026, "Buffer Overrun In RPC Interface". http://www.microsoft.com/technet/security/bulletin/MS03-026.asp This vulnerability was discovered on July 16th, 2003.
This program will create these files to local hard drive:
rpc.exe
rpctest.exe
tftpd.exe
dcomx.exe
lolx.exe
worm.exe
Rundown of the files:
Worm.exe is a self-extracting archive that will create rpc.exe, rpctest.exe and tftp.exe.
Tftp.exe is a normal tftp server utility.
Rpctest.exe and rpc.exe are part of autorooter.zip tool, released around 30th of June. Rpctest.exe uses the known RPC exploit to spawn a remote shell which listens at TCP port 57005. It contains the text "USE THE FORZ LUKE!" Rpc.exe contains text "rpc autorooter by ERIC". These programs are written which Microsoft Visual Basic.
Dcomx.exe and lolx.exe are based on older backdoors and are already detected by F-Secure Anti-Virus as variants of "Sdbot". For more information on Sdbot irc-based backdoors, see: http://www.f-secure.fi/v-descs/sdbot.shtml
So, all files are accounted for. There's no worm here. If somebody would be sitting at the IRC channel and giving commands manually to affected machines, he could get the tool propogated from one machine to another. But that wouldn't be automatic.
We recommend all users apply the Microsoft patch (available from the above Microsoft link). Also, blocking TCP ports 135, 139 and 445 in your local firewall will help. F-Secure Distributed Firewall blocks these by default.
Affected Software:
- * Microsoft Windows NT® 4.0
* Microsoft Windows NT 4.0 Terminal Services Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server™ 2003
Not Affected Software:
- * Microsoft Windows Millennium Edition