NT AUTHORITY\SYSTEM RPC EXPLOIT WORM read now!

August 11th, 2003, 9:19 pm

this is an important notice. as some of you may know iwork tech support for a cable internet provider. today was a living hell here at work, because litterally 10's of thousands of people flooded the call center with this worm that has unleashed its fury on ALL versions of windows, mostly windows XP and window 2000.

i was hit by this thing and it was a bitch to remove. (i didnt remove it my girlfriend actually did while i was stuck at work,(yup she is a guru like me, lol)) but it got taken care of. look for a post below real soon for the removal instructions.

Symptoms:

you get a windows message that says

System Shutdown:
This System is Shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by the NT AUTHORITY\SYSTEM

TIME BEFORE SHUTDOWN 00:00:60

Message:
Windows must now be restarted because the Remote Procedure Call (RPC) service. terminated unexpectedly

Technical Details
The Remote Procedure Call (RPC) protocol on the Windows operating systems provides a mechanism for a program running on one machine to execute code on another machine. Windows uses the Distributed Component Object Model (DCOM) to help manage communications of Windows components over a network, typically (but not always) the TCP/IP networks used in most environments. The DCOM interface to RPC accepts network connections on TCP port 135, and fails to validate message inputs during the instantiation of DCOM objects. By sending an appropriately malformed RPC message, an attacker can cause a vulnerable machine to execute arbitrary code within the security context of the RPC service, typically the SYSTEM context [1,2].

The researchers who discovered the vulnerability were able to create proof of concept exploits for Windows 2000/XP (running SP4 and SP1 respectively). They were also able to bypass the buffer overflow protections included as part of Windows 2003, and gain SYSTEM privileges there as well.

The vulnerable components of the Windows operating system are installed by default on all versions of Windows, and cannot be disabled without crippling a number of core Windows components.


references:

http://www.microsoft.com/technet/securi ... 03-026.asp

http://lsd-pl.net/special.html

http://www.cnn.com/2003/TECH/internet/0 ... index.html


finding and identifying the problem:

Go and get the patch from here, choose the right version for your system. If
you don't know whether your system is "32 bit" or "64 bit" then its 32 bit.
http://support.microsoft.com/?kbid=823980

Next check your system for unusual processes that may be running. In
particular watch out for:
(NOTE, THIS LIST IS NOT EXCLUSIVE, KEEP AN EYE OUT FOR ANY UNUSUAL ACTIVITY)
MSBlast.exe
rpc.exe
rpctest.exe
dcomx.exe
lolx.exe
worm.exe

Scan with an up-to-date virus scanner to help with removal of nasties that
might be left on your system.
Next, visit http://windowsupdate.microsoft.com and grab hold of all
critical updates. Yes, all of them. Try to make a habit of doing this on a
regular basis. note tht critical updates are mentioned. not the standard updates. critical updates usually fix exploits to your computer that can cause problems by hackers or viruses.

August 12th, 2003, 7:01 pm

Doh !

I've just posted the same thing as this, before reading what you had to say. Please remove my post !

December 15th, 2003, 4:23 pm

helllo there mr.guru. im new to the forums and actually got here while searching on google about this god damn exploit. about this whole ****cking worm, i downloaded and am currently downloading all the possible updates and the patches. now, ive been attacked by the worm a ridiculous amount of times but dont know what the hell to do about it. is there some way i can get rid of it? i dont currently have any antivirus software so im screwed for that part. i might be able to get a hold of norton but until then is there something you suggest? any help would be GREATLY appreciated. thanks a lot mr.guru! -namuko

[ATNO/TW]

December 16th, 2003, 10:37 pm

Just an FYI

Gadet Guru has been away for abit so I doubt he'll see this. But other's will, so check back for a possible answer. I don't have one or I'd offer it now.

December 17th, 2003, 10:52 pm

well namuko you can download a free anti-virus program called AVG at http://www.grisoft.com , look to the left side of the web page and the free edition, also to keep the virus from shuting down the computer just hit alt + ctrl + del and tell the task manager to stop the process and then you will gain yourself sometime to download the antivirus program and any of the patches you might need. I hope this helps out some

January 3rd, 2004, 3:47 pm

Actually I usually hear this one being called Mblast, you wanna know the unlikely but true fact, He was caught, yup that SOB was caught and got his @$$ thrown in jail. I wish more of these people were caught, it would make life quite a bit easier (for comp junkies like me at least)

February 14th, 2004, 2:04 am

- Howdy, theres another virus that does/did the same thing to my computer. its called blaster. Anyway, I fixed it by donloading this "fixer" from symantec. Just fclick this link:

http://securityresponse.symantec.com/av ... .list.html

Then click the win32.blaster.worm link. Ten simply follow the instructions. Hope this helps...

March 2nd, 2004, 1:59 am

If the problem occurs when I've just installed win xp and I connect for the first time to internet? I've an ABIT main board with VIA Chipset, do you think I can have some kind of problem or it can be related to other things?

[grinch2171]

March 2nd, 2004, 7:02 am

Did you connect without a firewall enabled? If so, then yes you are infected. This happened to my friend. He had the blaster and asked me to fix it. He had let it go for so long I couldn't do anything but format and reinstall XP. He was on dial up and never thought about him using a firewall. The next day he comes to me and says it happened again. This time I was able to save him and I installed a firewall for him. He hasn't had a problem since.

March 8th, 2004, 5:35 pm

this problem drove me nuts for several hours while I was re-installing the o/s on a sony viao laptop. Always, always, always either download windows updates through a firewall, or from cd.

May 2nd, 2004, 3:04 pm

I ran all of these, ended up fixing the restart problem, but now, it seems the computer all of the sudden stopped working with the net, my msn, aol, and internet explorer just wont connect to my network now... does anyone have any ideas on what to do now, cause i've ran all kinds of test, restored settings and everything, even unistalled the network card, and it still wont get on the net. showing a 169 ip which is wrong.

May 7th, 2004, 12:55 am

Yeah that same problem happened to me, and it turned out that I had to reboot my whole computer to fix the problem. I sat at my computer hours on end trying to see if I could fix it, but I had no luck, and through all that hassle even after I rebooted the damn computer it still restarts when I'm online.

At least I can use the internet 'somewhat' now. Unfortunately the ctrl+alt+del does not terminate the shutting down process, (at least for me anyway) and I can not finish the download for the free anti-virus. I am at about 60% complete and maybe I'll get lucky. This virus thing sucks ass!

May 7th, 2004, 2:46 am

Quote:

I ran all of these, ended up fixing the restart problem, but now, it seems the computer all of the sudden stopped working with the net, my msn, aol, and internet explorer just wont connect to my network now... does anyone have any ideas on what to do now, cause i've ran all kinds of test, restored settings and everything, even unistalled the network card, and it still wont get on the net. showing a 169 ip which is wrong.

Neeeeeeeeeed mooooooooore iiiiiiiiiiiinfo!

Is it a router or a dial-up? Network card or USB? Presuming its broadband if your talking about network card? Is it set to DHCP, i.e should you get an IP address automatically? Is the router making the connection?

S

May 11th, 2004, 11:53 am

grr... i shoulda read this earlier

May 21st, 2004, 7:47 pm

My computer was infected with the virus tonight, and i've been trying to follow some of the suggestions i've seen around on boards, but i haven't had any luck yet. I just can't stay online long enough to get the downloads, patches and virus updates that i need to get rid of the virus. CTRL/ALT/DEL doesn't work in shutting down the countdown box, and I went through disabling the RSC thing, but that didn't have any effect in letting me stay online long enough to get what i needed.

I'd really appreciate some suggestions on what i could do to get rid of this! Some people have said that they have had to just completly wipe Windows and reinstall. I'd like to use that as a last resort, because i'd have to go somewhere to get backups made of my hard drive (or just lose everything on it). Has anyone found a way to get rid of the virus while battling keeping your internet connection? If I was able to get a firewall up, would that keep the virus from connecting with my computer and shutting it down?

Thanks for any suggestions you could give me!!!