
RPC DCOM Worm On The Loose

simoniker posted more than 11 years ago | from the uh-oh-spaghettios dept.

Windows 604

GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."
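The propagation chain the ISC summary describes (RPC/DCOM on TCP 135, a shell on TCP 4444, then the worm body pulled over TFTP) can be correlated in perimeter logs. The following is an added detection example, not code from the story or from the Internet Storm Center; the log format, the sample addresses and the scan threshold are assumptions, and the sample lines are constructed.

```python
"""Flag hosts whose traffic matches the chain described in the story:
RPC/DCOM exploit on TCP 135 (or 445), follow-up shell on TCP 4444, then the
victim fetching the worm body back over TFTP (UDP 69).  Added example; the
log format and sample lines are constructed for illustration."""
import re
from collections import defaultdict

# Assumed simplified firewall log format: "HH:MM:SS ACTION PROTO src:port -> dst:port"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

RPC_PORTS = {135, 445}   # ports the worm attacks (named in the thread)
SHELL_PORT = 4444        # shell the exploit spawns on the victim
TFTP_PORT = 69           # standard TFTP port used to fetch the worm
SCAN_THRESHOLD = 5       # distinct RPC targets before a host counts as scanning (assumed)

# Constructed sample log, not real traffic.  10.0.0.7 scans, lands a shell on
# 192.0.2.20, and the victim pulls the payload back over TFTP.  10.0.0.9 only
# talks to port 4444 (a legitimate service such as JBoss can live there).
SAMPLE_LOG = """\
13:02:11 DROP TCP 10.0.0.7:1045 -> 192.0.2.10:135
13:02:11 DROP TCP 10.0.0.7:1046 -> 192.0.2.11:135
13:02:12 DROP TCP 10.0.0.7:1047 -> 192.0.2.12:135
13:02:12 DROP TCP 10.0.0.7:1048 -> 192.0.2.13:135
13:02:13 ACCEPT TCP 10.0.0.7:1049 -> 192.0.2.20:135
13:02:14 ACCEPT TCP 10.0.0.7:1050 -> 192.0.2.20:4444
13:02:15 ACCEPT UDP 192.0.2.20:1031 -> 10.0.0.7:69
13:05:00 ACCEPT TCP 10.0.0.9:2000 -> 192.0.2.30:4444
13:06:00 ACCEPT TCP 10.0.0.8:3000 -> 192.0.2.40:80
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def analyze(lines):
    """Classify hosts.  Returns {ip: verdict} where verdict is one of
    'rpc-scanner', 'infected-propagating' or 'victim-fetched-payload'.
    Correlation is by source/target pair, not by strict timestamp order."""
    rpc = defaultdict(set)    # src -> targets hit on 135/445
    shell = defaultdict(set)  # src -> targets hit on 4444
    tftp = defaultdict(set)   # src -> hosts contacted on UDP 69
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"] == "TCP" and ev["dport"] in RPC_PORTS:
            rpc[ev["src"]].add(ev["dst"])
        elif ev["proto"] == "TCP" and ev["dport"] == SHELL_PORT:
            shell[ev["src"]].add(ev["dst"])
        elif ev["proto"] == "UDP" and ev["dport"] == TFTP_PORT:
            tftp[ev["src"]].add(ev["dst"])

    verdicts = {}
    for src, targets in rpc.items():
        # A port-4444 connection on its own is not evidence; it must follow an
        # RPC hit on the same target, which excludes hosts merely using a 4444 service.
        chained = targets & shell.get(src, set())
        if chained:
            verdicts[src] = "infected-propagating"
            for victim in chained:
                # The victim pulling a file from its attacker over TFTP closes the chain.
                if src in tftp.get(victim, set()):
                    verdicts[victim] = "victim-fetched-payload"
        elif len(targets) >= SCAN_THRESHOLD:
            verdicts[src] = "rpc-scanner"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(analyze(SAMPLE_LOG.splitlines()).items()):
        print(f"{host:<15} {verdict}")
```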

604 comments

Great (5, Funny)

mjmalone (677326) | more than 11 years ago | (#6669245)

The security team at my office has been scrambling to secure all of our systems before such a worm was developed. I hope they are done!

Will blocking port 135 at the router stop this worm? Seems like a simple solution for the short term. I would like to see the source for the worm, does anybody have it?

Re:Great (0)

Anonymous Coward | more than 11 years ago | (#6669265)

Blocking these ports for ALL inbound connections should be sufficient.

Re:Great (5, Funny)

rylin (688457) | more than 11 years ago | (#6669271)

I have a copy! You can fetch from 212.192.128.76:4444 ;)

Re:Great (2, Funny)

Frymaster (171343) | more than 11 years ago | (#6669299)

in case the above gets slashdotted, the code is:

An error occured while loading http://212.192.128.76:4444:
Could not connect to host 212.192.128.76 (port 4444)

Re:Great (1)

Jellybob (597204) | more than 11 years ago | (#6669488)

Well that would be because it's kept on a tftp server.

Re:Great (0, Troll)

Znonymous Coward (615009) | more than 11 years ago | (#6669385)

I believe the correct link is 207.44.202.162 [www.goat.cx]

Re:Great (3, Funny)

dieMSdie (24109) | more than 11 years ago | (#6669324)

Sure!

Open all your ports and I'll see what I can do!

Re:Great (1)

einhverfr (238914) | more than 11 years ago | (#6669372)

Will blocking port 135 at the router stop this worm? Seems like a simple solution for the short term. I would like to see the source for the worm, does anybody have it?

It will at least slow it down, one hopes.

Also block 4444 since the worm is centrally propagating and uses that port to transmit itself.

Fortunately the virus is easy to remove. However, I don't know what its security ramifications are.

Re:Great (4, Insightful)

ciroknight (601098) | more than 11 years ago | (#6669446)

Yes it will work, I know from experience. My community here in Berea has been pretty slammed by this worm, and I've been telling everyone to just firewall off all the ports they don't use. It seems the virus can only connect on ports 135/445 though, so still no worries here. I've been running ZoneAlarm, a great firewall for Windows users, to help solve my problem.

Re:Great (0)

Anonymous Coward | more than 11 years ago | (#6669494)

I've been telling everyone to just firewall off all the ports they don't use.

Who leaves open ports they don't use? Are there still people who "close off" specific ports?

Re:Great (0)

cshark (673578) | more than 11 years ago | (#6669466)

Yet another reason to disable terminal services if you don't need it. Isn't this how code red and nimda spread?

On the way? (1)

Anonymous Coward | more than 11 years ago | (#6669261)

It's been hitting efnet for the past week. I've seen plenty of people in lots of channels infected, and it's a pain helping people clean up their systems. This one is a big mess.

OT: is this true? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6669263)

Anyone know anything about this [bigempire.com]? I can't find anything anywhere about it.

Linux (0, Insightful)

Anonymous Coward | more than 11 years ago | (#6669264)

If you have Linux, then just ignore this article.

Re:Linux (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6669457)

I wish. Those fuckers are eating up my precious bandwidth with their stupidity.

Port 4444 (1, Interesting)

John Hurliman (152784) | more than 11 years ago | (#6669273)

Is it opening a shell on port 4444 or a tftp server?

Re:Port 4444 (3, Informative)

venom600 (527627) | more than 11 years ago | (#6669341)

Both. It is opening a shell on port 4444 and contacting a tftp server (using the shell) to download a file which is the worm code itself.

Re:Port 4444 (5, Informative)

Anonymous Coward | more than 11 years ago | (#6669394)

Shell is on 4444. TFTP is on standard port. Random scanner? SHA-1 of packed worm is BED8E439F28A1A0D3876366CBD76A43CDCCF60FA. It'll look up windowsupdate.com and flood on the 16th. Filename is msblast.exe, length 6176 bytes. Partial string "to say LOVE YOU SAN!!" appears even in the packed version (UPX 1.22). More detailed stuff to follow...

I have already patched my entire network. (4, Funny)

Znonymous Coward (615009) | more than 11 years ago | (#6669274)

It's called a firewall. It's protected me from Nimda, Code Red, etc.

Re:I have already patched my entire network. (0)

Anonymous Coward | more than 11 years ago | (#6669327)

until one of your users hits the web version of Nimda, or opens a nicely wormed email...

Firewalls provide little to no security from worms, and absolutely no security for internal attackers [80% of all intrusions].

Re:I have already patched my entire network. (5, Funny)

Anonymous Coward | more than 11 years ago | (#6669359)

It's called Linux. It's protected me from Nimda, Code Red, etc...

Re:I have already patched my entire network. (1)

Sorthum (123064) | more than 11 years ago | (#6669366)

The problem with firewalls is that they tend to be vulnerable to users and their accompanying stupidity.
You need to strike a balance between "locking things up so tightly no one can move" and "giving the users a free hand to do whatever they'd like." Where that balance lies is up to you (hopefully) or management at your company (probably).

Re:I have already patched my entire network. (1)

Znonymous Coward (615009) | more than 11 years ago | (#6669477)

The main problem is if someone gets a worm via email or the web.

Our users are pretty good about avoiding questionable attachments (+1 phone call for each). It also helps to auto update DAT files daily.

I would like to be able to auto update Windows daily as well, but it just doesn't work as well as it needs to (+2 phone calls). M$ could learn a thing or two from swupdate (Mac) and up2date (RedHat).

Re:I have already patched my entire network. (1, Insightful)

Anonymous Coward | more than 11 years ago | (#6669391)

Your firewall is all very well until someone inside your network dials up on a modem or connects an infected laptop. Then you're screwed.

Re:I have already patched my entire network. (5, Insightful)

Anonymous Coward | more than 11 years ago | (#6669398)

I'm afraid you have a false sense of security. A firewall is only part of the solution.

A complete solution includes patching your systems and deploying IDS systems. Still, this is only part of a complete security solution.

Agreed (1, Interesting)

ttyp0 (33384) | more than 11 years ago | (#6669402)

All our desktop computers are Windows, and simply have too many users to try and keep everyone patched. So instead, block all incoming ports on the firewall, and voila. Why this isn't standard practice is beyond me.

Anti SCO T-Shirt [anti-tshirts.com] . $1 donated to OSI Fund on each shirt.

Re:Agreed (1)

irc.goatse.cx troll (593289) | more than 11 years ago | (#6669478)

That's all fun and good until you factor in user stupidity.

I send you this file to have your advice.

Re:I have already patched my entire network. (1)

Eberlin (570874) | more than 11 years ago | (#6669429)

I actually knew some retard who thought installing a firewall would save him from Code Red...of course the idiot lets in traffic through port 80 (Outlook Web Access on an Exchange Server among other things).

The firewall is only as good as the person managing it. If you've got a soft-and-chewy center, that hard-and-crunchy shell will only hold out for so long.

The retard in question covered up by the equivalent of waving a package of Mentos -- and all was mysteriously "forgiven." A public flogging would have been more appropriate. Ah, corporate politics.

Re:I have already patched my entire network. (4, Funny)

bigjocker (113512) | more than 11 years ago | (#6669436)

I used this patch [mandrakelinux.com] instead in my whole network.

Re:I have already patched my entire network. (5, Funny)

TheGreenLantern (537864) | more than 11 years ago | (#6669450)

While I'm sure this is technically true, some of us are responsible for networks that are slightly more complicated than an XBox, an HP Pavilion downloading porn and bootlegs 24-7, and an old P2 running Suse in our parents' basement.

Re:I have already patched my entire network. (1)

Elwood P Dowd (16933) | more than 11 years ago | (#6669462)

Firewalls are great. Virus scanning on email is important too. That still hasn't stopped our users from going to their personal webmail, downloading an attachment, unzipping it, running it, clicking "yes" to install it, and hitting 14 other machines with wormy goodness.

Sure, we never got Code Red. Morons are just as effective.

Re:I have already patched my entire network. (2, Interesting)

Zathrus (232140) | more than 11 years ago | (#6669468)

One of my coworkers thought that as well.

He was monkeying around on his RH8 box, was having network issues and setup the box as DMZ on the firewall. Later he rebooted to Win2k (on the same system, setup for the same IP). His entire network got hit with Slammer because of this. It took him the better part of a week to fix all of his boxes afterwards.

As others have said, a firewall is only part of the solution. Shutting down non-essential services/daemons, keeping up to date on patches, and in general knowing what the hell you're doing are other parts of the solution.

Re:I have already patched my entire network. (1)

bballad (663078) | more than 11 years ago | (#6669499)

I would not want to be on your network when one of these worms is written to pass in on port 53, or one of the other ports you have open by default.

I'm safe in Windows 98 but prefer Linux (1, Troll)

urbieta (212354) | more than 11 years ago | (#6669278)

No need to reboot any time soon for that old Windows 98 part since I'm a Linux junkie by now hehehe

Balmer (2, Funny)

Anonymous Coward | more than 11 years ago | (#6669279)

Developers developers developers..

erm...

security security security... erm ...

um...

somebody get me more cocaine!

Re:Balmer (2, Funny)

azzy (86427) | more than 11 years ago | (#6669442)

I think you need some e with that cocaine

users being hit hard (5, Informative)

towaz (445789) | more than 11 years ago | (#6669280)

The call centre here is off the scale with people ringing in with RPC problems...
All XP users though.

Re:users being hit hard (5, Interesting)

Sorthum (123064) | more than 11 years ago | (#6669396)

Are the calls mostly centered around actual problems, or is it users doing their famous "I heard about the RPC bug, and now my computer won't boot!" routine? When Code Red came out, for instance, we saw everything from bad disks to dialup issues being blamed on it, solely because people didn't listen to anything past "the world is calling" chicken-littleisms.

Re:users being hit hard (0)

Anonymous Coward | more than 11 years ago | (#6669489)

Just met at least two people who had the RPC service go unstable on them, one on XP, one on 2K, forcing recurring reboots. Installing the patch for the hole seems to have fixed the symptoms in at least one of the cases.

Maybe it's a bug or mutation in the exploit code? Or just flooding from so many infected nodes?

Re:users being hit hard (0)

Anonymous Coward | more than 11 years ago | (#6669428)

Same here, all of the 2K shipping system started to get hit about 1300 PST.

Re:users being hit hard (1)

Leomania (137289) | more than 11 years ago | (#6669458)

"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners."

ROFL... thank you for that! Hadn't heard that one before.

Not that I'm rabid anti-Microsoft or anything, but it made me laugh out loud and I had to explain to my co-workers (not my boss, thankfully) what I was laughing about.

- Leo

Credit... (5, Informative)

chill (34294) | more than 11 years ago | (#6669285)

At least Microsoft was nice enough to credit LSD in the tech note.

Re:Credit... (2, Funny)

Dom2 (838) | more than 11 years ago | (#6669453)

Once again proving that they are doing little more than deriving from Unix:
There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence.
-- Jeremy S. Anderson

From your local neighbourhood fortune cookie file.

-Dom

this vulnerability... (4, Interesting)

garcia (6573) | more than 11 years ago | (#6669286)

if you use this vulnerability against someone (usually people that hit your web server with /default.ida) you get access to a C:\ prompt. You can look around, run format, etc.

It's quick to crash the machine (apparently) as the remote becomes unusable (pingable though).

It's actually pretty nasty from what I have seen... I just wonder how effective the worm will be when the machine becomes unresponsive after a few commands?

Perhaps it won't spread as fast as others because of this problem? I suppose we can hope.

Re:this vulnerability... (1)

Quasar1999 (520073) | more than 11 years ago | (#6669345)

No problem, I'm sure someone will fix that minor flaw, and cause it to propagate using just one command...

New title suggestion for this story (4, Funny)

Kappelmeister (464986) | more than 11 years ago | (#6669289)

Developers: RPC DCOM Worm On The Loose

Shouldn't that be:

Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!: RPC DCOM Worm On The Loose

Re:New title suggestion for this story (0)

Anonymous Coward | more than 11 years ago | (#6669334)

No. "Developers" is the section this story is classified as. There is no "Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!" section. Asshole.

Been waiting for this (0)

LearningHard (612455) | more than 11 years ago | (#6669293)

After watching all the message traffic on the full-disclosure list about this exploit I knew a worm would be forthcoming. This is a fairly easy-to-abuse exploit and with all the unpatched systems out there I can only imagine the possible growth this worm might experience.

Wow, my 1st /.ing (1)

LinuxHam (52232) | more than 11 years ago | (#6669296)

I was *just* surfing D-Shield [dshield.org] and was reading a notice about a captured worm. Sure enough, as soon as this article appeared.. the site is DOWN.. that really is something to see, even I get shocked every now and again.

ISP call center is hammered (1, Informative)

Anonymous Coward | more than 11 years ago | (#6669297)

I work at one of the nation's largest ISP tech support call centers. Our call volume is going through the roof today.

Re:ISP call center is hammered (0)

Anonymous Coward | more than 11 years ago | (#6669395)

Tell them to go outside with a 2x4 and beat the shit out of themselves for being so fucking stupid

Worse (0)

Anonymous Coward | more than 11 years ago | (#6669413)

I work at a Microsoft call center :-(

Re:Worse (1)

caluml (551744) | more than 11 years ago | (#6669464)

And they don't block access to Slashdot? But it's full of Linux propaganda!

Devastating worm? (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6669298)

I almost wish someone would make a worm that destroyed all the data it could. (Write random data to the partition table?) This would a: make people start to patch their systems, and b: wake people up to the fact that Microsoft isn't so great. (I know that all OSes have problems.)
Of course, I don't actually advocate someone making a worm like this - that would be illegal.

Security Advisory (5, Informative)

Blangopolis (695958) | more than 11 years ago | (#6669301)

The security advisory can be found here [secunia.com] .

After reading the advisory, it looks like this one is going to be a bad one. I'm no expert, but I would guess that this thing is going to be around as long as code red was (and I'm still getting code red hits in my logs!)

Re:Security Advisory (0)

Anonymous Coward | more than 11 years ago | (#6669407)

Why did you feel the need to post this? The advisory was already in the previous /. post which is contained in the story.

mod down as troll/karma whore.

Windows = Insecurity (0)

scifience (674659) | more than 11 years ago | (#6669303)

And the government thinks Windows is more secure than SuSE Linux? Riiight.

Effects (5, Informative)

Papa Legba (192550) | more than 11 years ago | (#6669320)

This worm is bugged it seems. From XP systems I have seen it throws an error to the screen about RPC services and reboots the system. On Windows 2000 Pro it crashes the svchost and a lot of stuff stops working. Just an FYI for those trying to diagnose systems right this minute.

Cagliostro

Re:Effects (0)

websurf.net (621915) | more than 11 years ago | (#6669382)

Yeah tell me about it. I work at a small ISP, and we have had several calls about this. First time, couldn't figure it, second time I figured it out. What a bugger.

Re:Effects (2, Funny)

PolyDwarf (156355) | more than 11 years ago | (#6669386)

Diagnose their systems this very minute? Screw the systems, there's /. to read!!

Re:Effects (1)

gclef (96311) | more than 11 years ago | (#6669481)

The worm isn't buggy...Windows is. (well, they both have issues, but your machine going down isn't necessarily the worm coder's fault.)

Apparently there are two problems with RPC: one is a DCOM overflow, which this worm is exploiting...the other is a DoS, which shuts RPC down. Once RPC goes down, Windows wants to reboot. Microsoft has not yet offered a patch for the DoS, which means this worm is going to suck.

UNC-Chapel Hill South Campus Hit Hard (3, Informative)

Anonymous Coward | more than 11 years ago | (#6669321)


UNC-Chapel Hill South Campus [Medicine, Pharmacy, Nursing, etc] has been slammed by this thing.

The tragic part is that Microsoft posted the patch almost a month ago:

I saw it happen LIVE! (5, Funny)

wondergeek (220755) | more than 11 years ago | (#6669322)

I was working on my parents' computer (Windows XP) remotely today when this started happening. I was installing some new software for them and I had also just disabled that stupid Messenger service so they would stop getting those pop-up spam messages.

Anyhow, I had just finished that when XP said it was shutting down in 30 seconds. I was like, WTF!

Here I am thinking that I just screwed up their machine with the new apps somehow.

Thanks a bunch, Billy. Guess they'll be punting this one to Longhorn :)

Exploit (1)

MC68040 (462186) | more than 11 years ago | (#6669323)

Thinking that there has already for some time been a few "non-secret" exploits floating around in the wild for this it was just a matter of time.

So I guess all windows security holes will lead to worms in the future? Maybe they should start calling heavy-load proof networks "worm-load proof" instead? ;)

Incoming!!!!! (1)

dJCL (183345) | more than 11 years ago | (#6669326)

Incoming!!!! Oh, wait a second...

This thing runs using the DCOM-RPC protocol right? I got that port blocked at the firewall, any attempt to touch the port is just ignored.

Of course the patch will help if somehow it gets inside, but still...

I don't trust microsoft for my windows security when on the net... I trust linux.

Re:Incoming!!!!! (0)

Anonymous Coward | more than 11 years ago | (#6669405)

Shoot, man, that's just silly. The only real solution...
Trust OpenBSD [openbsd.org] . :)

old news? (0)

Anonymous Coward | more than 11 years ago | (#6669332)

I downloaded this patch for Windows 2000 then checked my local hotfix directory and found I had already applied this days ago.

So I guess this /. article is about what is happening to those who haven't patched. Kinda like watching the poor sobs fight lions in the gladiatorial pits for education.

Virus Worm Out (2, Informative)

Anonymous Coward | more than 11 years ago | (#6669335)

Hello everyone ..

I work for a small ISP ... Seems a worm has been released. We have received a number of calls about people's systems shutting down with the following error: NT Authority System .. etc. etc.

And the computer restarts.. This happens about every 40-60 Seconds making it "almost" impossible to Patch the Computer. Just a heads up for ANY IT Guys out there :)

Free way to test your machine (0)

Anonymous Coward | more than 11 years ago | (#6669337)

http://secur1ty.net/dcom.cgi

Check to see if you're vulnerable.

Increase in TCP 135 Activity (5, Informative)

Anonymous Coward | more than 11 years ago | (#6669339)

This is our number of dropped TCP 135 requests at our border since noon today, per 30 mins, seen on our 2 Class Bs:

Interval        Dropped TCP 135 requests
1200 to 1230    57,003
1230            75,317
1300            59,321
1330            52,642
1400            130,932
1430            202,996
1500            277,183
1530            247,682
1600            320,919
1630 to 1700    361,504

milspec

go ME! (5, Funny)

StevenHallman76 (455545) | more than 11 years ago | (#6669340)

Affected Software:

* Microsoft Windows NT(R) 4.0
* Microsoft Windows NT 4.0 Terminal Services Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server(TM) 2003

Not Affected Software:

* Microsoft Windows Millennium Edition


Finally! All these years of running Win ME have paid off! So long, suckers!

Re:go ME! (0)

Anonymous Coward | more than 11 years ago | (#6669369)

I hope that after it's infected a machine, that it formats the hard drive of the "infecter" machine. Teach all these morons a lesson for not even running a single SP or patch. If my webserver gets a Nimda attack, then the machine gets deleted

Re:go ME! (4, Funny)

Sneftel (15416) | more than 11 years ago | (#6669473)

I'm afraid you stopped reading too soon. Here's the bit you missed:

Sucks big fat sweaty donkey balls:

* Microsoft Windows Millennium Edition

OMG (5, Funny)

stephenry (648792) | more than 11 years ago | (#6669352)

OMG! It's not a worm, IT'S SKYNET! It's taking over! Make your time, judgement day is nigh!

Re:OMG (0)

Anonymous Coward | more than 11 years ago | (#6669376)

I would think that SkyNET would find a better way to control all the machines on the planet.

Re:OMG (1)

bytesmythe (58644) | more than 11 years ago | (#6669497)

Make your time? You have no chance to survive!

Protection from the virus (3, Funny)

Anonymous Coward | more than 11 years ago | (#6669354)

I've been digging around the web, and I can't seem to find out how to protect myself. I can't seem to find anything that prevents this virus from attacking my linux or as/400 servers. Help!

Erkk (3, Informative)

Anonymous Coward | more than 11 years ago | (#6669358)

Got hit by this earlier today, I'm not normally a slouch with these things but this one really hit me hard, took me 4 restarts to find out what was going on. (As every time I connected to the net I was immediately given 60 seconds before another auto restart) I can see how non-techies are gonna be totally screwed by this.

All I can say is change the properties of your RPC service repair functions. Start -> Administrative Tools -> Component Services -> Services (local). This will at least give you time to go online and download the MS patch, which we should have done weeks ago I know :)

Re:Erkk (1)

Hiltono (697176) | more than 11 years ago | (#6669448)

Doh! Forgot to login first, new to this whole thing :( Still hope this info helps some of those peeps on a sharp time limit :)

ADSL (0)

Anonymous Coward | more than 11 years ago | (#6669361)

I wonder if this is why most of Sweden's ADSL connections are down ATM :(

Hack the ftp server. (0)

Anonymous Coward | more than 11 years ago | (#6669362)

Replace worm.exe with safe.exe or something. Maybe we can even put a Linux installer on there and "convert" some to the safe computing world.

Not quite safe: (4, Informative)

Telastyn (206146) | more than 11 years ago | (#6669370)

http://www.kb.cert.org/vuls/id/326746

Win2k machines are still vulnerable to a DoS, even patched.

Thanks, Microsoft...

Firewalls ? (1)

Kilka (694154) | more than 11 years ago | (#6669384)

I've heard rumours that China has plenty unpatched machines. Maybe they intend to use the firewall to block those Mongolian RPC invaders!

Helpdesk is worried... (2)

Kismet (13199) | more than 11 years ago | (#6669404)

My JBoss server was listening on port 4444, so I got a call from the IS guys who thought my PC was compromised.

Firewalls *may* not protect you here (5, Insightful)

venom600 (527627) | more than 11 years ago | (#6669414)

Everybody keeps posting that they have this or that port blocked on their firewall, so they're safe. Not so. All it takes is one person inside your network to open the wrong file attachment, or one laptop that went outside the network and then came back in to infect your internal network.

Every worm needs a good name (0)

Anonymous Coward | more than 11 years ago | (#6669435)

I suggest the "Trustworthy Computer"

What's in a name (1)

The_Wizard_-P (692787) | more than 11 years ago | (#6669439)

W32.Blaster.Worm http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Block the TFTP servers (0)

caluml (551744) | more than 11 years ago | (#6669445)

They'll just block the hosts that it uses to tftp the worm from - that should pretty much put paid to it.

Someone should change the worm to make it reboot the machine - that'll larn 'em :O)

I'm safe (4, Funny)

teamhasnoi (554944) | more than 11 years ago | (#6669455)

I've rolled a saving throw against remote infection and I have +3 Fireproof armor, however I am still vulnerable to hot wood elves.

You did say this was a RPG worm, right?

Windows XP Symptoms (2, Informative)

Titanium Angel (557780) | more than 11 years ago | (#6669459)

It looks like the worm affects svchost.exe (the Generic Host Process), and keeps restarting the computer. At first I thought that some of my hardware was failing, but after reading dozens of posts on Usenet about similar problems, I wasn't really sure. So I researched a bit on Google, and found the MS security bulletin. After patching my system, the problems seem to have gone. I guess I should have followed more closely Microsoft's security announcements.

So, if you have strange issues with the RPC, or are experiencing similar symptoms as I have, patch up now!

It started for me this afternoon (0)

dBLiSS (513375) | more than 11 years ago | (#6669460)

My computer started rebooting itself this afternoon stating .. "windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly"

I figured it was a new worm!

Re:It started for me this afternoon (1)

Sorthum (123064) | more than 11 years ago | (#6669474)

Heh, might wanna check that before automatically assuming...
The one thing that separates the clued from the users is our ability to pull ourselves out of the nosedive.

SP3? (3, Interesting)

poptones (653660) | more than 11 years ago | (#6669465)

Are there really that many win2k systems not even running SP3? That's not the only fix, but I have a box here that has had zero patches except SP3 and DCOM is disabled by default - which pretty much makes this "buffer overflow" a non issue. Doesn't XP also install (by default) DCOM disabled? So where is all this traffic coming from? People too nervous to install SP3? People too stubborn to stop using NT4?

WINE? (2, Funny)

Anonymous Coward | more than 11 years ago | (#6669486)

Does anyone know if WINE supports this worm yet? I would like to test it out but I don't have Windows on my desktop.

Thanks.

Where was this story 3 hours ago? (3, Informative)

Speed Racer (9074) | more than 11 years ago | (#6669493)

A friend of mine called me about 3 hours ago saying that her brand new Windows XP notebook kept rebooting with some strange message about RPC. I had her download the free version of ZoneAlarm [zonelabs.com] and that blocked the worm and let her stay online long enough to download the patch. If you know somebody that's getting hammered, have them give ZoneAlarm a shot.

More diagnoses info (4, Informative)

Papa Legba (192550) | more than 11 years ago | (#6669496)

On XP you are getting two error codes.
The first is a system shutdown window telling you that the RPC service must be restarted. This gives you 30 seconds before reboot. Initiated by NT Authority\system. This is a successful XP infection.

The other is Windows cannot open this file:

File: TFTp784

This appears to be an unsuccessful try.

For Windows 2000 it crashes svchost trying to get in it appears. Just apply the patch to stop the crashes. It does not appear to get into the system in this case.

Hope this helps everyone

Cagliostro

Just a note I liked... (1)

dJCL (183345) | more than 11 years ago | (#6669498)

I just noted something I liked from the article... Just to make things more fun they suspect that it also starts a synflood attack on windowsupdate.com, meaning it is a worm that tries to make it hard to get the patch to fix things... I find that funny, almost as good as the suggestion for a virus/worm to actually _do something_ damaging to a system to convince people this is not a joke.

Anyway

I work for an ISP.. (0)

mesmartyoudumb (471890) | more than 11 years ago | (#6669501)

And our users are getting POUNDED by this.

"YOU BASTARDS KEEP DISCONNECTING ME!"

I had the worm already today... (2, Informative)

itsmeddc (697175) | more than 11 years ago | (#6669502)

This is my first post - I'm just posting to say, that at about 1:00am today, I already found MSBlast.exe on my computer after a series of RPC errors. I patched using a file you can find in MS database: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp And after cleansing my computer (and loading up Tiny Firewall 5.0) the problem is fixed. Also a helpful hint in case you need it: If you receive an RPC error and a countdown is started to shut your computer down, then go to start>run and type "shutdown /a" and that will stop the countdown. Hope this helps someone at least.