Windows RPC Error: Alert and Fix

There have been widespread attacks caused by the W32.Blaster.Worm in the last few hours. This alert is to inform you of the worm and to offer you resources to patch the exploit on your system or to repair it if you have already been struck.

One of our members, Alereon, has very kindly put together the following:

==========

Subject: Critical Windows Remote Procedure Call Exploit: Protecting and Repairing Your Computer

A new Critical Exploit for Microsoft Windows allows a remote user to gain administrator access on your computer. If you are exploited in this manner, an “NT AUTHORITY” error window will pop up, saying that the Remote Procedure Call service has terminated. Your computer will shut down 60 seconds after this error displays.

YOU are vulnerable if:
-You are running Microsoft Windows NT [4.0+]
-You are running Microsoft Windows 2000 [All versions]
-You are running Microsoft Windows XP [All versions]
-You are running Microsoft Windows Server 2003 [All versions]

Microsoft Windows 95, 98, 98SE, and ME are not vulnerable.

Using this vulnerability, a remote user can install viruses or trojans of their choice, view or delete your files, install file servers on your computer hosting illegal content including but not limited to child pornography or pirated software, capture your passwords and credit card details, and use your computer to attack other systems.

To abort a shutdown in progress: Go to start, run, and type in “shutdown /a”, without the quotes, and press Enter.

To fix this Critical Exploit:

Go to http://www.microsoft.com/technet/security/bulletin/MS03-026.asp and download the patch for your operating system. If you are running Windows XP, you have the 32-bit version, not the 64-bit version. If you have firewall software or a router, you should block access to port 135 for all computers.

To remove viruses or trojans:

The msblaster.exe worm is the most common infection. After you have installed the patch for this exploit from Microsoft, go to Start, Run, and type in “msconfig”, without quotes, and press Enter. Go to the Startup tab and UNCHECK “msblaster.exe”. Restart the computer, and enter Safe Mode by pressing the F8 key before the “Starting Windows” screen appears. A startup menu will appear; choose Safe Mode. Once there, delete msblaster.exe.

WARNING: msblaster is only one of many viruses or trojans that could have been installed. Just because you do not find or successfully remove it, do not assume that your computer is safe. File servers hosting illegal content, keyloggers, or other viruses may still remain. Virus scanners may not detect such infections.

For more information:

Please see the Microsoft Technet article, available at:

Note: Futzing around in msconfig and deleting files in safe mode can be dangerous. If you don’t know what you’re doing, please contact a professional. Neither the author of this post nor the Chicago Reader shall be held liable for damage resulting from errors or omissions in this post.

Alereon
Operator, United Networks #help on EFnet

==========

One of our moderators, David B, adds:

==========

Here are a couple more links with info. Symantec just upgraded this virus in terms of severity:

People can find out more about this at http://zdnet.com.com/2100-1105_2-5062524.html

From there, you can click on the “reader resources” link near to the right of the second paragraph.

David B

==========

You may discuss further fixes, patches and resources in this thread. Please keep general discussion about the attack outside of this thread.

I don’t quite know if this question should go in this thread, but I’ll ask it here anyway.

My Dad noticed the problem with our computer last night when he kept getting the RPC termination screen when he was online.

I did a virus scan and found that “Exploit-DcomRpc” had infected two system files; “c:\windows\system32 ftp3184” and “c:\windows\system32 ftp3200”.

Does anyone know if these files are actually important for the system, and were infected by the trojan, or are they files created by the virus?

When I deleted them, I got several problems with getting locked out of my workstation. I assumed that my action was a little hasty, and I re-installed XP totally, which seemed to fix the problem.

If only I’d been able to read the SDMB, I’dve found out sooner that I needn’t have necessarily reinstalled the OS. I’m currently downloading the patch for XP to avoid this security flaw in the meantime.

This, however, due to my currently sluggish connection, is taking a loooong time. If during this time the same, or another hacker takes advantage of this flaw, what am I to do if more files are infected with the trojan?

I’m just wary of getting caught into the vicious circle of deleting some important files and having to (re-)re-install XP, and therefore having to download the patch again.

Hmm, I’ve been trying to call Microsoft UK’s technical help all morning to no avail, and I can’t access their webpage for very long before the RPC termination box comes up, so I can’t work out whether these files are important or not.

Can anyone please tell me if I can afford to delete them if the same happens again?

Sorry if I’ve put this in the improper thread, but I want to find out so I don’t have to re-install for a few hours again, using up time which I will never get back!

Cheers, Harry

I was about to ask a GQ on just this. Thanks, Alereon, xash, and David B!!

The Blaster worm is installing a FTP server in order to do its work. From News.Com:

The files you noticed are part of the Trivial FTP server. Unless you have installed TFTP intentionally, these are likely part of Blaster or some other worm/virus/malware.

I haven’t installed TFTP intentionally, so thankfully I wasn’t vandalising my 'puter when I deleted the files under my ‘zero-tolerance’ policy towards viruses.

Thanks for your help, paperbackwriter; ’twas needed since I’ve only just regained total control of my computer, after installing the patch. I was previously limited to surfing in 3/4-minute bursts before the RPC termination box showed itself and stopped me, so my humble googling skills wouldn’t have been able to conjure up the answer in this time limit!

Hmm, I’ve got to change all my passwords now, just in case, which means that my head is quite likely to explode/implode (not quite sure which) from the strain of learning them!

Thanks all, hope no-one is seriously affected by this security flaw.

Harry

From the McAfee side of the anti-virus world, here’s their primary page dealing with it: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547. It appears that their server is a bit overloaded at the moment, however, so you might not be able to get to it.

They also provide a small executable that you can fit on a floppy, take to an infected machine, and zap the virus: http://vil.nai.com/vil/stinger/

msconfig does not work in Windows 2000. One great place to look for manual removal instructions is http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

If you look a little way down that page it will have Manual Removal Instructions. This is also a great site to look at for info whenever you have questions about a virus, whether trying to find removal instructions or even just finding out if it’s a hoax or not.

I must commend Alereon for putting together this write-up and SDMB for making it sticky. I stopped in here earlier this afternoon to see what was going on and was shocked to see a thread telling people to format their drives to clean this virus. I didn’t make it through the whole 2-page thread because duty called and I had to get back to work (I am an admin but we were patched), but I was hoping someone was getting through to these people before they formatted and lost data.

I hope this will make a few people take those critical updates from MS more seriously.

My friend’s computer and mine have both been hit by this attack, and now we get crashes in IEXPLORE.EXE when starting Windows XP. I assume this is the work of a trojan that the worm installed… any idea which one, and how to remove it?

OK, I removed the file {windows}\system32\iexplore.exe and the registry value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run that referred to it. The file was about 40k and had no icon; the real Internet Explorer is located under Program Files.

Thank God for you Alereon and David B and everyone for your information! I installed the MS patch Monday, but when I just now went to Task Manager I found the damn thing still running. The trendmicro link was a big help as well, DiLLiGaf.

Thanks!

Quasi

Is anyone else having trouble with the XP patch? Whenever I try to run it, I get an error that reads:

Cryptographic services is indeed running, as I’ve confirmed from both the command line and through the Services control panel.

I am using the correct XP patch. (That is, 32 bit and not 64 bit.)

This occurs on both XP Home and XP Professional.

Does anyone know what’s wrong?

I’m running Windows 98; does this mean I don’t have to worry about the worm at all?

That is correct, but go out to www.windowsupdate.com and download all the patches and updates for your system anyway. It won’t hurt, and you will be one up on the next one if it does affect 98.

Also, if you’re not running a personal firewall then it’s not a bad time to look into getting one. www.zonelabs.com has a great free one in case you haven’t heard of it already. I am still getting about 1 hit per minute on port 135 from this virus, but the free firewall is stopping it from getting through.
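The “1 hit per minute on port 135” above is exactly the signal a defender can pull out of a firewall log. The following is an added example, not code from the thread or from any vendor: it parses constructed firewall deny lines (the line format is an assumption) and reports which sources are repeatedly probing TCP/135, the DCOM RPC port that MS03-026 covers, and at what rate.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not from the thread). Assumed format:
# "<date> <time> DENY <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-08-12 14:01:03 DENY TCP 192.0.2.10:3012 -> 198.51.100.5:135
2003-08-12 14:01:58 DENY TCP 192.0.2.10:3013 -> 198.51.100.5:135
2003-08-12 14:02:44 DENY TCP 192.0.2.10:3014 -> 198.51.100.5:135
2003-08-12 14:02:50 DENY TCP 203.0.113.7:4455 -> 198.51.100.5:80
2003-08-12 14:03:31 DENY TCP 192.0.2.10:3015 -> 198.51.100.5:135
2003-08-12 14:05:10 DENY TCP 203.0.113.9:1029 -> 198.51.100.5:135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

RPC_PORT = 135  # DCOM RPC endpoint mapper; the port the bulletin says to block


def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S")
            entry["dport"] = int(entry["dport"])
            yield entry


def rpc_probe_sources(text, min_hits=3):
    """Map src_ip -> number of TCP/135 attempts, for sources at or above min_hits."""
    hits = Counter(e["src"] for e in parse_lines(text)
                   if e["proto"] == "TCP" and e["dport"] == RPC_PORT)
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def probe_rate_per_minute(text, src_ip):
    """Average TCP/135 attempts per minute from src_ip between its first and last hit."""
    times = sorted(e["ts"] for e in parse_lines(text)
                   if e["src"] == src_ip and e["proto"] == "TCP"
                   and e["dport"] == RPC_PORT)
    if len(times) < 2:
        return float(len(times))
    span_min = (times[-1] - times[0]).total_seconds() / 60.0
    return len(times) / span_min if span_min > 0 else float(len(times))
```

A single hit from a source (203.0.113.9 in the sample) stays below the threshold, so only the persistent scanner is reported; tune min_hits to the log volume you actually see.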

Yeah, I had this happen on one of the systems I serviced today. Any info would be appreciated.

Right, all sorted now, finally re-installed everything that I needed to after my rather-hasty OS re-installation.

I want to thank Alereon for gathering the details of Windows’ Critical Exploit, David B for gathering the virus info, and xash for bringing all this information together on the always-faithful SDMB.

Cheers, paperbackwriter for helping me sort out the TFTP files on my 'puter.

Anyone who’s still trying to sort out the problems, then I wish you the best of luck in getting rid of the virus and sorting out the flaw.

Ok, I checked a few newsgroups and managed to solve my problem. It appears that it is caused by a corrupted file(s) in the Catroot2 subfolder of the System32 folder.

The suggested workaround (which worked successfully for me):

  1. First, stop the Cryptographic services.
  2. Rename the C:\Windows\System32\Catroot2 (or C:\WINNT\System32\Catroot2) to Oldroot2
  3. Restart Cryptographic services and install the patch.

(I had to stop a few other services in order to be allowed to rename the folder.)

This worked for me, and I did not notice any obvious side effects.

Thanks, BlackKnight, I will give that a try.

I’m a Linux user, but as the office “Computer Guy” I’m starting to get questions about it on coworkers’ home computers.

I’m not laughing at them, I swear.

Anyway, I figured I’d try and collect all the various removal tools for various OSes, put them on a CD-R, and burn a dozen copies or so to bring to work with me tomorrow and hand out.

Before I go hunting and downloading all these files, though, is there anything like a comprehensive list of links available? Or has anybody put together a zip file or something?

BTW, I just sent this thread to one of the aforementioned coworkers. Hi Wanda!

In preparation for the DDoS attack from the Blaster worm and its variants, Microsoft has shut down their external websites, including Windows Update.

Users wishing to obtain the patch and fixes for the blaster worm can try the following website - - -