
rushm001

In the beginning......
Political Access
Joined
21 Sep 2002
Messages
3,484
Originally posted by rushm001
Sinster could just delete his first post and it would be gone, right?

Or if you ask nicely enough Enyo will do it.

I didn't mean Sinster. Me getting my threads confused.
 

GoNz0

NTFS Stoner
Joined
4 Mar 2002
Messages
2,781
i dare say if someone posted this on the main page we could help out those getting affected.
 

SPeedY_B

I may actually be insane.
Joined
31 Mar 2002
Messages
15,807
Everyone needs to visit windowsupdate a little more often, the patch has been there since July 16th ;)
 

-kReV-

Guest
NAME: RPC
ALIAS: Exploit.Win32.Autorooter, RPC-1, Cirebot, Downloader-DM

A set of files using a security vulnerability in the Windows operating system was found around 19:00 GMT on Saturday 2nd of August, 2003.

Scenario looked bad in the beginning, as the package contained files with names such as rpc.exe and worm.exe.

After detailed analysis, we can confirm that this is not a worm at all. It does not even attempt to spread further from affected hosts.

The vulnerability being used here is MS03-026, "Buffer Overrun In RPC Interface". http://www.microsoft.com/technet/security/bulletin/MS03-026.asp This vulnerability was discovered on July 16th, 2003.

This program will create these files on the local hard drive:


rpc.exe
rpctest.exe
tftpd.exe
dcomx.exe
lolx.exe
worm.exe

Rundown of the files:

Worm.exe is a self-extracting archive that will create rpc.exe, rpctest.exe and tftp.exe.

Tftp.exe is a normal tftp server utility.

Rpctest.exe and rpc.exe are part of the autorooter.zip tool, released around 30th of June. Rpctest.exe uses the known RPC exploit to spawn a remote shell which listens at TCP port 57005. It contains the text "USE THE FORZ LUKE!" Rpc.exe contains the text "rpc autorooter by ERIC". These programs are written with Microsoft Visual Basic.

Dcomx.exe and lolx.exe are based on older backdoors and are already detected by F-Secure Anti-Virus as variants of "Sdbot". For more information on Sdbot irc-based backdoors, see: http://www.f-secure.fi/v-descs/sdbot.shtml

So, all files are accounted for. There's no worm here. If somebody would be sitting at the IRC channel and giving commands manually to affected machines, he could get the tool propagated from one machine to another. But that wouldn't be automatic.

We recommend all users apply the Microsoft patch (available from the above Microsoft link). Also, blocking TCP ports 135, 139 and 445 in your local firewall will help. F-Secure Distributed Firewall blocks these by default.
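
Added example, not part of -kReV-'s post or the advisory it quotes: a triage pass over `netstat -an` output for the ports the advisory names, flagging a listener on TCP 57005 and TCP 135, 139 or 445 bound to a non-loopback address. The sample output and the function name `triage_listeners` are constructed for illustration.

```python
import re

# Ports named in the advisory above: 57005 is where rpctest.exe's remote
# shell listens; 135, 139 and 445 are the ports it recommends blocking.
BACKDOOR_PORT = 57005
EXPOSED_PORTS = {135, 139, 445}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:57005          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Matches only TCP rows in the LISTENING state; captures local address and port.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def triage_listeners(netstat_text):
    """Return (severity, address, port, reason) for each TCP listener of interest."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, UDP rows and non-listening sockets
        addr, port = m.group(1).strip("[]"), int(m.group(2))
        if port == BACKDOOR_PORT:
            findings.append(("critical", addr, port,
                             "listener on the rpctest.exe shell port"))
        elif port in EXPOSED_PORTS and addr not in LOOPBACK:
            findings.append(("warning", addr, port,
                             "RPC/SMB port reachable; block at the firewall"))
    return findings


if __name__ == "__main__":
    for severity, addr, port, reason in triage_listeners(SAMPLE_NETSTAT):
        print(f"{severity:8} {addr}:{port:<6} {reason}")
```

A 57005 listener is only an indicator that needs follow-up; an unrelated program can bind the same port.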
 

-kReV-

Guest
i never thought for a minute it would get past me :p

just thought it weird why i saw so much crap happening across networks, thought i'd warn peeps here, but by the look of it had already been posted in another part of the forum..
 

Alan

its only fun
Joined
16 May 2002
Messages
640
Here's how I have just got around this tonight...[well so far and yes my fingers are crossed]
Right click my computer>select manage>select "Services and Applications">select "Services" and scroll down to Remote Procedure Call (RPC) go to the recovery tab and select restart the service in all 3 options....
This should stop your pc from re-booting every time it gets the error [fingers crossed again]

Now go to this link
http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
and download the patch for xp

Now what I did was save the download to my desktop....rebooted and disconnected from the internet and then ran the download....

It has now been 3 hours and I have had no error messages from NT Authority\System32 bla bla bla

I then went here http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
and followed the instructions to remove MSBLAST.EXE

I hope this procedure works for you
Alan
 

apu95

Caffeine-->Code Converter
Joined
25 Apr 2002
Messages
502
restarting automatically??

my backup pc is restarting automatically, i get this type of message.
"your system is being shutdown, save everything.....the shutdown is being started by the NT AUTHORITY/SYSTEM
time left:"


how can i shut this off??

thx,
Apu
 

albybum

Penguin Rancher
Joined
9 Feb 2002
Messages
281
Jeez, this thing has been a major pain-in-the-bum today. 3 of my close friends were hit by this thing.

Running a packet sniffer on my cable network showed about half of the traffic earlier today was related to this exploit and those 3 ports that it opens.

This was a nasty problem.
 

dubstar

format c:
Joined
3 Dec 2002
Messages
1,357
i can't disable the RPC, Norton Auto-Protect won't enable, and i can't run Live Update... windowsupdate.microsoft.com won't work....

am i screwed? *this is my moms computer*...


edit: oh, i also can't click on links to Microsoft's website, or Symantec site.... or any other thread containing information to fix this other than this one...

wtf is going on!!
 

tWiZzLeR

Guest
1. Boot up your computer
2. Await the message informing you of the shutdown in 60 seconds
3. open up start > run and type in "shutdown.exe -a" (minus the quotes)
4. Now that the shutdown procedure has stopped, you have time to grab the patch
5. Once you're all patched, use a virus scanner to check if you have one of the variations that leaves files on your hdd

The patch is available from here: MS03-026
Just scroll down towards the bottom and find the patch relative to your o/s.
 

Folci

Guest
this has been a HUGE problem lately, I have repaired 5 computers with this so far today... first thing is go and remove it from starting up... delete anything in start-up folder with Webdev or tftp in it... also do a search for files and folders with tftp in it... there should be only one c:\windows\system32\tftp.exe if there is one in the dllcache, prefetch, startup or anywhere else delete them.... shut down the computer and unplug the i-net... do another search just to make sure... then install a firewall and antivirus... i prefer Norton Internet Security 2003 and Norton anti-virus 2003... do not plug in internet until it asks for updates... update and reboot as necessary till you got all of them... then after you're done open your C:\windows\system32\ and just scan over it and norton will find even more spyware there... run a full virus scan... then use programs like ad-aware and spybot to get rid of any others while you're at it... oh and of course the Windows Update would be a good idea too...
 

gothic

LinuXPert
Joined
9 Dec 2001
Messages
453
suffered the same fate last evening. did what speedy suggested (applied patch, updated my AVG antivirus and scanned system) all removed, all back to normal

Huge thanks to speedy

TOK
 

ReC0iL

Guest
Serious Problem

My computer keeps shutting down by itself.... A little window pops up and says "The system is shutting down. Please save all work in progress and log off" "Any unsaved changes will be lost" "The shutdown was initiated by NT AUTHORITY\SYSTEM".... Then there is a message that says... "Windows must restart because the Remote Procedure Call (RPC) terminated unexpectedly." Can someone PLEASE help me... How do I fix this???


Threads Merged... AGAIN! :p

gonaads
 

gonaads

Beware the G-Man
Political Access
Joined
31 Mar 2002
Messages
18,474
Re: Serious Problem

Originally posted by ReC0iL
My computer keeps shutting down by itself.... A little window pops up and says "The system is shutting down. Please save all work in progress and log off" "Any unsaved changes will be lost" "The shutdown was initiated by NT AUTHORITY\SYSTEM".... Then there is a message that says... "Windows must restart because the Remote Procedure Call (RPC) terminated unexpectedly." Can someone PLEASE help me... How do I fix this???



http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp


Originally posted by -kReV-
NAME: RPC
ALIAS: Exploit.Win32.Autorooter, RPC-1, Cirebot, Downloader-DM

A set of files using a security vulnerability in the Windows operating system was found around 19:00 GMT on Saturday 2nd of August, 2003.

Scenario looked bad in the beginning, as the package contained files with names such as rpc.exe and worm.exe.

After detailed analysis, we can confirm that this is not a worm at all. It does not even attempt to spread further from affected hosts.

The vulnerability being used here is MS03-026, "Buffer Overrun In RPC Interface". http://www.microsoft.com/technet/security/bulletin/MS03-026.asp This vulnerability was discovered on July 16th, 2003.

This program will create these files on the local hard drive:


rpc.exe
rpctest.exe
tftpd.exe
dcomx.exe
lolx.exe
worm.exe

Rundown of the files:

Worm.exe is a self-extracting archive that will create rpc.exe, rpctest.exe and tftp.exe.

Tftp.exe is a normal tftp server utility.

Rpctest.exe and rpc.exe are part of the autorooter.zip tool, released around 30th of June. Rpctest.exe uses the known RPC exploit to spawn a remote shell which listens at TCP port 57005. It contains the text "USE THE FORZ LUKE!" Rpc.exe contains the text "rpc autorooter by ERIC". These programs are written with Microsoft Visual Basic.

Dcomx.exe and lolx.exe are based on older backdoors and are already detected by F-Secure Anti-Virus as variants of "Sdbot". For more information on Sdbot irc-based backdoors, see: http://www.f-secure.fi/v-descs/sdbot.shtml

So, all files are accounted for. There's no worm here. If somebody would be sitting at the IRC channel and giving commands manually to affected machines, he could get the tool propagated from one machine to another. But that wouldn't be automatic.

We recommend all users apply the Microsoft patch (available from the above Microsoft link). Also, blocking TCP ports 135, 139 and 445 in your local firewall will help. F-Secure Distributed Firewall blocks these by default.
 

gonaads

Beware the G-Man
Political Access
Joined
31 Mar 2002
Messages
18,474
The person that's got Windoz Me is probably laughin his ass off right about now...

Affected Software:
* Microsoft Windows NT® 4.0
* Microsoft Windows NT 4.0 Terminal Services Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server™ 2003

Not Affected Software:
* Microsoft Windows Millennium Edition
 
