Error
- Thread starter Sinster
- Start date
K
-kReV-
Guest
NAME: RPC
ALIAS: Exploit.Win32.Autorooter, RPC-1, Cirebot, Downloader-DM
A set of files using a security vulnerability in Windows operating system was found around 19:00 GMT on saturday 2nd of August, 2003.
Scenario looked bad in the beginning, as the package contained files with names such as rpc.exe and worm.exe.
After detailed analysis, we can confirm that this is not a worm at all. It does not even attempt to spread further from affected hosts.
The vulnerability being used here is MS03-026, "Buffer Overrun In RPC Interface". http://www.microsoft.com/technet/security/bulletin/MS03-026.asp This vulnerability was discovered on July 16th, 2003.
This program will create these files to local hard drive:
rpc.exe
rpctest.exe
tftpd.exe
dcomx.exe
lolx.exe
worm.exe
Rundown of the files:
Worm.exe is a self-extracting archive that will create rpc.exe, rpctest.exe and tftp.exe.
Tftp.exe is a normal tftp server utility.
Rpctest.exe and rpc.exe are part of autorooter.zip tool, released around 30th of June. Rpctest.exe uses the known RPC exploit to spawn a remote shell which listens at TCP port 57005. It contains the text "USE THE FORZ LUKE!" Rpc.exe contains text "rpc autorooter by ERIC". These programs are written which Microsoft Visual Basic.
Dcomx.exe and lolx.exe are based on older backdoors and are already detected by F-Secure Anti-Virus as variants of "Sdbot". For more information on Sdbot irc-based backdoors, see: http://www.f-secure.fi/v-descs/sdbot.shtml
So, all files are accounted for. There's no worm here. If somebody would be sitting at the IRC channel and giving commands manually to affected machines, he could get the tool propogated from one machine to another. But that wouldn't be automatic.
We recommend all users apply the Microsoft patch (available from the above Microsoft link). Also, blocking TCP ports 135, 139 and 445 in your local firewall will help. F-Secure Distributed Firewall blocks these by default.
ALIAS: Exploit.Win32.Autorooter, RPC-1, Cirebot, Downloader-DM
A set of files using a security vulnerability in Windows operating system was found around 19:00 GMT on saturday 2nd of August, 2003.
Scenario looked bad in the beginning, as the package contained files with names such as rpc.exe and worm.exe.
After detailed analysis, we can confirm that this is not a worm at all. It does not even attempt to spread further from affected hosts.
The vulnerability being used here is MS03-026, "Buffer Overrun In RPC Interface". http://www.microsoft.com/technet/security/bulletin/MS03-026.asp This vulnerability was discovered on July 16th, 2003.
This program will create these files to local hard drive:
rpc.exe
rpctest.exe
tftpd.exe
dcomx.exe
lolx.exe
worm.exe
Rundown of the files:
Worm.exe is a self-extracting archive that will create rpc.exe, rpctest.exe and tftp.exe.
Tftp.exe is a normal tftp server utility.
Rpctest.exe and rpc.exe are part of autorooter.zip tool, released around 30th of June. Rpctest.exe uses the known RPC exploit to spawn a remote shell which listens at TCP port 57005. It contains the text "USE THE FORZ LUKE!" Rpc.exe contains text "rpc autorooter by ERIC". These programs are written which Microsoft Visual Basic.
Dcomx.exe and lolx.exe are based on older backdoors and are already detected by F-Secure Anti-Virus as variants of "Sdbot". For more information on Sdbot irc-based backdoors, see: http://www.f-secure.fi/v-descs/sdbot.shtml
So, all files are accounted for. There's no worm here. If somebody would be sitting at the IRC channel and giving commands manually to affected machines, he could get the tool propogated from one machine to another. But that wouldn't be automatic.
We recommend all users apply the Microsoft patch (available from the above Microsoft link). Also, blocking TCP ports 135, 139 and 445 in your local firewall will help. F-Secure Distributed Firewall blocks these by default.
K
-kReV-
Guest
i never thought for a minute it would get past me 
just thought it weird why i saw so much crap happening across networks, thought i'd warn peeps here, but by the look of it had already been posted in anotherpart of the forum..
just thought it weird why i saw so much crap happening across networks, thought i'd warn peeps here, but by the look of it had already been posted in anotherpart of the forum..
Heres how I have just got around this to-night...[well so far and yes my fingers are crossed]
Right click my computer>select manage>select "Services and Applications>select "Services" and scroll down to Remote Procedure Call (RPC) go to the recovery tab and select restart the sevice in all 3 options....
This should stop your pc from re-booting everytime it gets the error [fingers crossed again]
Now go to this link
http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
and download the patch for xp
Now what I done was saved the download to my desktop....rebooted and disconected from the internet and then run the download....
It has now been 3 hours and I have had no "error messages from NT Authority\System32 bla bla bla
I then went here http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
and followed the instructions to remove MSBLAST.EXE
I hope this procedure works for you
Alan
Right click my computer>select manage>select "Services and Applications>select "Services" and scroll down to Remote Procedure Call (RPC) go to the recovery tab and select restart the sevice in all 3 options....
This should stop your pc from re-booting everytime it gets the error [fingers crossed again]
Now go to this link
http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
and download the patch for xp
Now what I done was saved the download to my desktop....rebooted and disconected from the internet and then run the download....
It has now been 3 hours and I have had no "error messages from NT Authority\System32 bla bla bla
I then went here http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
and followed the instructions to remove MSBLAST.EXE
I hope this procedure works for you
Alan
apu95
Caffeine-->Code Converter
- Joined
- 25 Apr 2002
- Messages
- 502
restarting automatically??
my backup pc is restarting automatically, i get this type of message.
"your system is being shutdown, save everything.....the shutdown is being started by the NT AUTHORITY/SYSTEM
time left:"
how can i shut this off??
thx,
Apu
my backup pc is restarting automatically, i get this type of message.
"your system is being shutdown, save everything.....the shutdown is being started by the NT AUTHORITY/SYSTEM
time left:"
how can i shut this off??
thx,
Apu
albybum
Penguin Rancher
- Joined
- 9 Feb 2002
- Messages
- 281
Jeez, this thing has been a major pain-in-the-bum today. 3 of my close friends were hit by this thing.
Running a packet sniffer on my cable network showed about half of the traffic earlier today was related to this exploit and those 3 ports that it opens.
This was a nasty problem.
Running a packet sniffer on my cable network showed about half of the traffic earlier today was related to this exploit and those 3 ports that it opens.
This was a nasty problem.
bluzeboy
Bluzeboy
- Joined
- 9 Sep 2002
- Messages
- 709
error message
I get the following message,I’ve checked on that service & it appears to not contain the usual options ,it does’nt allow you to disable
http://www.sighost.us/members/bluzeboy/Snap1.jpg
I get the following message,I’ve checked on that service & it appears to not contain the usual options ,it does’nt allow you to disable
http://www.sighost.us/members/bluzeboy/Snap1.jpg
dubstar
format c:
- Joined
- 3 Dec 2002
- Messages
- 1,357
i cant disable the RPC, Norton Auto-Protect wont enable, and i cant run Live Update... windowsupdate.microsoft.com wont work....
am i screwed? *this is my moms computer*...
edit: oh, i also cant click on Links to microsofts website, or symatic site.... or any other thread containing information to fix this other than this one...
wtf is going on!!
am i screwed? *this is my moms computer*...
edit: oh, i also cant click on Links to microsofts website, or symatic site.... or any other thread containing information to fix this other than this one...
wtf is going on!!
T
tWiZzLeR
Guest
1. Boot up your computer
2. Await the message informing you of the shutdown in 60 seconds
3. open up start > run and type in "shutdown.exe -a" (minus the quotes)
4. Now that the shutdown procedure has stopped, you have time to grab the patch
5. Once you're all patched, use a virus scanner to check if you have one of the variations that leaves files on your hdd
The patch is available from here: MS03-026
Just scroll down towards the bottom and find the patch relative to your o/s.
2. Await the message informing you of the shutdown in 60 seconds
3. open up start > run and type in "shutdown.exe -a" (minus the quotes)
4. Now that the shutdown procedure has stopped, you have time to grab the patch
5. Once you're all patched, use a virus scanner to check if you have one of the variations that leaves files on your hdd
The patch is available from here: MS03-026
Just scroll down towards the bottom and find the patch relative to your o/s.
F
Folci
Guest
this is a been a HUGH problem lately I have repaired 5 computers with this so far today... first thing is go and remove it from starting up... delete anything in start-up folder with Webdev or tftp in it... also do a search for files and folders with tftp in it... there should be only one c:\windows\system32\tftp.exe if there is one in the dllcache, prefetch,startup or anywhere else delete them.... shut down the computer and unplug the i-net... do another search just to make sure... then install a firewall and antivirus... i perfer Norton Internet Security 2003 and Norton anti-virus 2003... do not plug in internet untill it askes for updates... update and reboot as nessacry till you got all of them... then after your done open your C:\windows\system32\ and just scan over it and norton will find even more spyware there... run a full virus scan... then use programs like ad-aware and spybot to get rid of any others while your at it... oh and of course the widows update would be a good idea too...
R
ReC0iL
Guest
Serious Problem
My computer keeps shutting down by itself.... A little window pops up and says "The system is shutting down. Please save all work in progess and log off" "Any unsaved changes will be lost" "The shutdown was iniciated by NT AUTHORITY\SYSTEM.... Then there is a message that says... " Windows must restart because the Remote Procedure Call (RPC) terminated unexpectedly." Can someone PLEASE help me... How do I fix this???
Threads Merged... AGAIN!
gonaads
My computer keeps shutting down by itself.... A little window pops up and says "The system is shutting down. Please save all work in progess and log off" "Any unsaved changes will be lost" "The shutdown was iniciated by NT AUTHORITY\SYSTEM.... Then there is a message that says... " Windows must restart because the Remote Procedure Call (RPC) terminated unexpectedly." Can someone PLEASE help me... How do I fix this???
Threads Merged... AGAIN!
gonaads
- Joined
- 31 Mar 2002
- Messages
- 18,474
Members online
No members online now.
Affiliates
Latest profile posts
Xie wrote on Electronic Punk's profile.
Impressed you have kept this alive this long EP! So many sites have come and gone.
Just did some crude math and I apparently joined almost 18yrs ago, how is that possible???
Just did some crude math and I apparently joined almost 18yrs ago, how is that possible???
Electronic Punk wrote on Sazar's profile.
Rest in peace my friend, been trying to find you and finally did in the worst way imaginable.