NT AUTHORITY\SYSTEM RPC EXPLOIT WORM read now!

  • Borrow -A- Geek
  • Professor
  • Posts: 763
  • Loc: Dallas/Ft Worth, Texas

Post 3+ Months Ago

This is an important notice. As some of you may know, I work tech support for a cable internet provider. Today was a living hell here at work, because literally tens of thousands of people flooded the call center with this worm that has unleashed its fury on ALL versions of Windows, mostly Windows XP and Windows 2000.

I was hit by this thing and it was a bitch to remove. (I didn't remove it; my girlfriend actually did while I was stuck at work. Yup, she is a guru like me, lol.) But it got taken care of. Look for a post below real soon for the removal instructions.

Symptoms:

You get a Windows message that says:

System Shutdown:
This System is Shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by the NT AUTHORITY\SYSTEM

TIME BEFORE SHUTDOWN 00:00:60

Message:
Windows must now be restarted because the Remote Procedure Call (RPC) service terminated unexpectedly.

Technical Details
The Remote Procedure Call (RPC) protocol on the Windows operating systems provides a mechanism for a program running on one machine to execute code on another machine. Windows uses the Distributed Component Object Model (DCOM) to help manage communications of Windows components over a network, typically (but not always) the TCP/IP networks used in most environments. The DCOM interface to RPC accepts network connections on TCP port 135, and fails to validate message inputs during the instantiation of DCOM objects. By sending an appropriately malformed RPC message, an attacker can cause a vulnerable machine to execute arbitrary code within the security context of the RPC service, typically the SYSTEM context [1,2].

The researchers who discovered the vulnerability were able to create proof of concept exploits for Windows 2000/XP (running SP4 and SP1 respectively). They were also able to bypass the buffer overflow protections included as part of Windows 2003, and gain SYSTEM privileges there as well.

The vulnerable components of the Windows operating system are installed by default on all versions of Windows, and cannot be disabled without crippling a number of core Windows components.


References:

http://www.microsoft.com/technet/securi ... 03-026.asp

http://lsd-pl.net/special.html

http://www.cnn.com/2003/TECH/internet/0 ... index.html


Finding and identifying the problem:

Go and get the patch from here, choosing the right version for your system. If
you don't know whether your system is "32 bit" or "64 bit", then it's 32 bit.
http://support.microsoft.com/?kbid=823980

Next check your system for unusual processes that may be running. In
particular watch out for:
(NOTE, THIS LIST IS NOT EXCLUSIVE, KEEP AN EYE OUT FOR ANY UNUSUAL ACTIVITY)
MSBlast.exe
rpc.exe
rpctest.exe
dcomx.exe
lolx.exe
worm.exe

Scan with an up-to-date virus scanner to help with removal of nasties that
might be left on your system.
Next, visit http://windowsupdate.microsoft.com and grab hold of all
critical updates. Yes, all of them. Try to make a habit of doing this on a
regular basis. Note that critical updates are what is mentioned, not the standard updates. Critical updates usually fix exploits on your computer that can be used by hackers or viruses to cause problems.
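The checklist in the post above (look for the listed process names, confirm the DCOM endpoint on TCP port 135 is not reachable from the network, confirm KB823980 is installed) can be scripted. The block below is an added example and is not code from the original post or from Microsoft; it works on saved output of three standard Windows commands, `tasklist /fo csv`, `netstat -an` and `wmic qfe get HotFixID`, so it can be run offline. The sample outputs embedded in it are constructed, not captured from an infected host; the process names, the port and the KB number are the ones the post gives.

```python
"""Triage helpers for the MS03-026 / Blaster checklist above (added example)."""
import csv
import io
import re
import socket
import threading

# Process names the post lists; the post itself warns the list is not exhaustive.
BLASTER_PROCESS_NAMES = {
    "msblast.exe", "rpc.exe", "rpctest.exe", "dcomx.exe", "lolx.exe", "worm.exe",
}
# The MS03-026 patch the post links to.
MS03_026_HOTFIX = "KB823980"

# Constructed sample of `tasklist /fo csv` output (not from a real host).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"svchost.exe","812","Console","0","18,560 K"
"MSBLAST.EXE","1644","Console","0","2,912 K"
"explorer.exe","1720","Console","0","24,100 K"
'''
# Constructed sample of `netstat -an` output: the DCOM endpoint mapper on
# TCP 135 is bound to all interfaces, which is what the exploit reaches.
SAMPLE_NETSTAT = '''  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
'''
# Constructed sample of `wmic qfe get HotFixID` output with MS03-026 missing.
SAMPLE_HOTFIXES = '''HotFixID
KB822603
KB823182
'''


def find_suspicious_processes(tasklist_csv):
    """Return [(image name, pid)] for tasklist rows whose image is on the watch list."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        name = row["Image Name"].strip().lower()
        if name in BLASTER_PROCESS_NAMES:
            hits.append((name, int(row["PID"])))
    return hits


def exposed_rpc_listeners(netstat_text, port=135):
    """Local addresses on which TCP `port` is LISTENING and not loopback-only."""
    pattern = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)
    return [addr for addr, p in pattern.findall(netstat_text)
            if int(p) == port and not addr.startswith("127.")]


def patch_installed(hotfix_text, hotfix_id=MS03_026_HOTFIX):
    """True if `hotfix_id` appears in `wmic qfe get HotFixID` output."""
    ids = {line.strip().upper() for line in hotfix_text.splitlines()}
    return hotfix_id.upper() in ids


def tcp_port_open(host, port, timeout=2.0):
    """Connect-test one TCP port. Run it against a machine from OUTSIDE its
    firewall to see whether 135 is reachable, which is the view the worm has."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def local_listener_probe():
    """Self-check for tcp_port_open with a throwaway loopback listener:
    returns (result while listening, result after the listener is closed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    accepted = []
    t = threading.Thread(target=lambda: accepted.append(srv.accept()))
    t.daemon = True
    t.start()
    while_open = tcp_port_open("127.0.0.1", port, timeout=1.0)
    t.join(2.0)
    for conn, _ in accepted:
        conn.close()
    srv.close()
    after_close = tcp_port_open("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


def triage(tasklist_csv, netstat_text, hotfix_text):
    """Combine the three checks in the order the post recommends them."""
    return {
        "suspicious_processes": find_suspicious_processes(tasklist_csv),
        "rpc_exposed_on": exposed_rpc_listeners(netstat_text),
        "ms03_026_patched": patch_installed(hotfix_text),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_TASKLIST, SAMPLE_NETSTAT, SAMPLE_HOTFIXES))
```

On the sample data the script reports msblast.exe running as PID 1644, TCP 135 listening on 0.0.0.0 and the KB823980 patch absent, which is exactly the state the post describes. A listener bound to 0.0.0.0 is not by itself proof that the port is reachable from the internet; `tcp_port_open` run from another host is the check for that. The `netstat` parser only reports LISTENING TCP sockets, so the UDP 135 line in the sample is deliberately ignored.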

  • CasTiger
  • Beginner
  • Posts: 49
  • Loc: uk

Post 3+ Months Ago

Doh!
:?
I've just posted the same thing as this before reading what you had to say. Please remove my post!
  • namuko
  • Born
  • Posts: 1

Post 3+ Months Ago

Hello there, Mr. Guru. I'm new to the forums and actually got here while searching on Google about this god damn exploit. About this whole ****ing worm: I downloaded and am currently downloading all the possible updates and the patches. Now, I've been attacked by the worm a ridiculous amount of times but don't know what the hell to do about it. Is there some way I can get rid of it? I don't currently have any antivirus software, so I'm screwed for that part. I might be able to get hold of Norton, but until then, is there something you suggest? Any help would be GREATLY appreciated. Thanks a lot, Mr. Guru! -namuko
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Just an FYI

Gadet Guru has been away for a bit, so I doubt he'll see this. But others will, so check back for a possible answer. I don't have one or I'd offer it now.
  • ModernDestroyer
  • Professor
  • Posts: 794
  • Loc: California

Post 3+ Months Ago

Well namuko, you can download a free anti-virus program called AVG at http://www.grisoft.com; look to the left side of the web page for the free edition. Also, to keep the virus from shutting down the computer, just hit Alt+Ctrl+Del and tell the Task Manager to stop the process, and then you will gain yourself some time to download the antivirus program and any of the patches you might need. I hope this helps out some.
  • Headfoot
  • Novice
  • Posts: 21

Post 3+ Months Ago

Actually, I usually hear this one being called MSBlast. You want to know the unlikely but true fact? He was caught. Yup, that SOB was caught and got his @$$ thrown in jail. I wish more of these people were caught; it would make life quite a bit easier (for comp junkies like me, at least).
:lol:
  • xdf
  • Born
  • Posts: 1
  • Loc: Hong Kong

Post 3+ Months Ago

8) - Howdy, there's another virus that does/did the same thing to my computer. It's called Blaster. Anyway, I fixed it by downloading this "fixer" from Symantec. Just click this link:

http://securityresponse.symantec.com/av ... .list.html

Then click the win32.blaster.worm link. Then simply follow the instructions. Hope this helps... :twisted:
  • Beer
  • Born
  • Posts: 1

Post 3+ Months Ago

What if the problem occurs when I've just installed Win XP and I connect to the internet for the first time? I have an ABIT main board with a VIA chipset; do you think I can have some kind of problem, or can it be related to other things?
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6805
  • Loc: Martinsburg, WV

Post 3+ Months Ago

Did you connect without a firewall enabled? If so, then yes, you are infected. This happened to my friend. He had the Blaster and asked me to fix it. He had let it go for so long that I couldn't do anything but format and reinstall XP. He was on dial-up and never thought about using a firewall. The next day he comes to me and says it happened again. This time I was able to save him, and I installed a firewall for him. He hasn't had a problem since.
  • jfvb1225
  • Graduate
  • Posts: 215
  • Loc: Ohio

Post 3+ Months Ago

This problem drove me nuts for several hours while I was re-installing the O/S on a Sony Vaio laptop. Always, always, always either download Windows updates through a firewall, or from CD.
  • spyder_tEk
  • Born
  • Posts: 1
  • Loc: KY

Post 3+ Months Ago

I ran all of these and ended up fixing the restart problem, but now it seems the computer all of a sudden stopped working with the net; my MSN, AOL, and Internet Explorer just won't connect to my network now. Does anyone have any ideas on what to do now? I've run all kinds of tests, restored settings and everything, even uninstalled the network card, and it still won't get on the net. It's showing a 169 IP, which is wrong.
  • SomeNewGuy
  • Born
  • Posts: 1

Post 3+ Months Ago

Yeah, that same problem happened to me, and it turned out that I had to reboot my whole computer to fix the problem. I sat at my computer for hours on end trying to see if I could fix it, but I had no luck, and through all that hassle, even after I rebooted the damn computer, it still restarts when I'm online.

At least I can use the internet 'somewhat' now. Unfortunately, Ctrl+Alt+Del does not terminate the shutting-down process (at least for me anyway), and I cannot finish the download for the free anti-virus. I am at about 60% complete, and maybe I'll get lucky. This virus thing sucks ass!
  • DuckIT
  • Graduate
  • Posts: 155
  • Loc: London, UK

Post 3+ Months Ago

Quote:
I ran all of these and ended up fixing the restart problem, but now it seems the computer all of a sudden stopped working with the net; my MSN, AOL, and Internet Explorer just won't connect to my network now. Does anyone have any ideas on what to do now? I've run all kinds of tests, restored settings and everything, even uninstalled the network card, and it still won't get on the net. It's showing a 169 IP, which is wrong.


Neeeeeeeeeed mooooooooore iiiiiiiiiiiinfo!

Is it a router or dial-up? Network card or USB? I'm presuming it's broadband if you're talking about a network card? Is it set to DHCP, i.e. should you get an IP address automatically? Is the router making the connection?

S
  • Rat
  • Guru
  • Posts: 1190
  • Loc: desk

Post 3+ Months Ago

Grr... I should have read this earlier.
  • ashley83
  • Born
  • Posts: 1

Post 3+ Months Ago

My computer was infected with the virus tonight, and I've been trying to follow some of the suggestions I've seen around on boards, but I haven't had any luck yet. I just can't stay online long enough to get the downloads, patches and virus updates that I need to get rid of the virus. Ctrl/Alt/Del doesn't work in shutting down the countdown box, and I went through disabling the RPC thing, but that didn't have any effect in letting me stay online long enough to get what I needed.

I'd really appreciate some suggestions on what I could do to get rid of this! Some people have said that they have had to just completely wipe Windows and reinstall. I'd like to use that as a last resort, because I'd have to go somewhere to get backups made of my hard drive (or just lose everything on it). Has anyone found a way to get rid of the virus while battling to keep your internet connection? If I was able to get a firewall up, would that keep the virus from connecting to my computer and shutting it down?

Thanks for any suggestions you could give me!!!
  • DuckIT
  • Graduate
  • Posts: 155
  • Loc: London, UK

Post 3+ Months Ago

Go to this page:

http://www.blackviper.com/AskBV/tech10.htm

Print it in its entirety from your machine if possible, or from a friend's / an internet cafe etc. Specifically check the 'Second' area for notes on stopping your machine from rebooting. The below command stops it:

shutdown -a

It discusses a way of stopping the auto shutdown from happening, thus allowing you to work on it at your leisure.

Also try and get someone to burn you a copy of ZoneAlarm (free) from Zonelabs.com or any other firewall software. That should allow you to safely browse the net to get fixes etc.

S
  • pratikdhaboo
  • Born
  • Posts: 1
  • Loc: Jamshedpur, INDIA

Post 3+ Months Ago

All that you can do is wait for the antivirus definitions of next month. But you can have temporary relief if you STOP using IE. Use Netscape 6/Neoplanet/Opera/MSN Explorer instead. IE6 has something to do with a file called LSASS.EXE. It updates that file from the internet, which in turn spreads the worm if you aren't behind a firewall. Changing your browser would also allow you to continue using MSN Messenger, ICQ, Yahoo Messenger, mIRC etc. BELIEVE ME... I've switched to Netscape & MY PROBLEM IS SOLVED.
  • 7h3 cR0w
  • Born
  • Posts: 1

Post 3+ Months Ago

Hey, how's it going, ashley?
I created this account here for the sole purpose of answering this question; after this I won't be here.. :)

Just because I like to help Damsels In Distress, and I really am your enemy. Webmasters piss me off. Run some exploits on your servers and you go inform the federals. Pansies.

Anyways, listen to the solution (I studied this worm, pretty harmless).

OK, next time this happens, Ashley, do this.

Go to Start --> Run --> type: shutdown -a. This should stop the computer from shutting off. Basically it's like putting it in Safe Mode.

You can work like this, and you can do what needs to be done.
Go download an antivirus; my suggestion is AVG, it's free.

The site is http://www.grisoft.com. Download that. Wait to activate it. Activate it. Then restart the computer and do a scan, or do a scan before restarting. It should find the bug. After this, go to the Windows Update page (search on Google, because I forgot the link) and update!!!!

Unless of course you have an illegal copy of the OS.
In that case... umm, you're screwed? Lol.. jks.
If it's illegal, talk to me on my email: titussoporan@hotmail.com

I don't want to discuss that here.
Well, I hope that helped.

-----------------------------------------------

7h3 m@55 pIR@73r

:twisted: the leetness is unbearable :evil:
  • Sharon OConnor
  • Born
  • Posts: 1
  • Loc: Arkansas

Post 3+ Months Ago

I have been online for about 6 weeks -- so I know absolutely nothing. The NT AUTHORITY\SYSTEM pop-up has been driving me crazy for the last 2 weeks. Unfortunately, yesterday (before I knew this forum existed) I stopped the shutdown cycle -- and now I really have problems. Please help me get rid of this RPC Exploit Worm. I have limited knowledge of technical terms, so I need to know in simple language what to do -- I can't even send an email -- it says I don't have enough memory. It won't let me get into Microsoft update sites, my Norton Antivirus won't scan now, my firewall is not enabled -- I don't know what to do. I am 60 years old and have no one to help me learn about the internet. Please tell me how to get rid of this. Thank you.
  • WoRd Of WiSdOm
  • Proficient
  • Posts: 284
  • Loc: Riverside,California

Post 3+ Months Ago

Type shutdown -a and that will stop the message that says 60 sec to shutdown.
  • Rat
  • Guru
  • Posts: 1190
  • Loc: desk

Post 3+ Months Ago

It doesn't work for me.
  • Keahi234
  • Born
  • Posts: 1

Post 3+ Months Ago

PLEASE help me!!! I've done everything these people are telling me and this worm is STILL HERE!!! Although... it only starts when I try to run Ad-Aware Personal Edition 6.0, and it will shut down.... I've done the dang registry edit... nothing there that they said was... Ctrl-Alt-Delete... nothing there... although 3 suspicious items have popped up recently... don't know if this is the same worm: WinComm.exe, WinCtlAd.exe, WinCtlAdAlt.exe and WinLock.exe. This is really annoying me... please help!!!


AOL INSTANT MESSENGER S/N- xxfhspatriotxx
EMAIL-Shadowwolf1262@yahoo.com
Yahoo IM- xxmikevercellixx

Desperate for fix
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

Here is a small tip that will give you time to scan your PC and install a firewall (I suggest Zone Alarm, and I also suggest you get used to it because it's a bit tough).

When you get the message, just set your time to 4 hours less (yes, the clock on the right of the task bar...).

It will give you enough time to scan and clean your PC and also install Zone Alarm (or set up the XP firewall if you're using it and have SP2 installed).
  • Vball76
  • Born
  • Posts: 1

Post 3+ Months Ago

I am having the same problem with the shutdown. I don't have the virus when I hit Ctrl+Alt+Del anymore, but when I go to use Ad-Aware my auto shutdown starts. Is there anything I can do? I have tried to download new updates, but it says I don't need them and won't download them. Then I run my eTrust and get trojan viruses constantly. So.... is there anything I can do at this point?

thanks in advance
  • Absynth
  • Beginner
  • Posts: 61
  • Loc: mcallen texas

Post 3+ Months Ago

I am experiencing the very same problem, and I tried all the suggestions I found here and some other tricks I know, and nothing has worked. The virus is not stopping me from using the internet; however, it does bring up the NT AUTHORITY\SYSTEM message and shuts down my computer every time I try to use Ad-Aware. I downloaded the Symantec Blaster worm fix tool, and the first time I ran it, it said that it had detected the Blaster worm on my computer and then said it had successfully removed and fixed the problem. I also bought and set up Norton Firewall and renewed my antivirus support. I also ran Search and Destroy by Spybot, and nothing has removed it, it seems. I have also made sure no one can remotely access my computer, as I saw suggested somewhere.

As I said, I am only experiencing this message when I try to run Ad-Aware; so far it seems not to have infected any other operations on my machine, and I am all out of ideas. When I run the Symantec Blaster worm fix tool now, it says no worm detected, so I don't know what else to do. Could anyone offer any suggestions for me?

I am also on a PC that is running XP Professional SP1, so I don't know if that has something to do with it, but when I downloaded SP2 last time it gave me the blue screen of death and ruined my hard drive, so I had to replace it. Now I'm scared to download SP2. If anyone knows how I can safely install SP2 on a pretty old machine, I'd like to know how to do that as well (Dell told me that SP2 doesn't like some older machines and will make them crash, so that's why I'm scared to update to SP2).
  • Alkatr0z
  • Mastermind
  • Posts: 1883
  • Loc: Adelaide, Australia

Post 3+ Months Ago

Try following the instructions in this post:
http://www.ozzu.com/ftopic34568.html
Just ignore the part about running Ad-Aware, but try SpyBot Search & Destroy.
Create a new topic for the HijackThis log rather than posting it in this topic, though; that way this topic won't become full of HJT logs :)

I'm wondering if maybe a piece of spyware is detecting Ad-Aware running and shutting down something that isn't supposed to be closed, in its own protection. Either that or Ad-Aware has a serious bug in it that is causing it to happen.

The online virus scanners mentioned in that post should remove things like MS Blaster etc. as well.
  • socialdwar
  • Born
  • Posts: 1

Post 3+ Months Ago

Disconnect your connection to the net. This seems to stop the worm from executing itself.
  • Meditori
  • Born
  • Posts: 1

Post 3+ Months Ago

Goodness. Didn't read all replies; don't hate me for posting this if it's already been posted. Somehow, I've encountered this and it's 2009!

Anyway, I registered just to give some info about this virus.

If it makes an attempt to shut down your computer:

Go to the Start menu > hit Run >
type:
shutdown -a
and it stops it. Now that is just for emergencies, like trying to find the patch while it tries to shut you down.

Post Information

  • Total Posts in this topic: 28 posts

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.