Remote Procedure Call error? DCOMX.EXE, RPC.EXE, RPCTEST.EXE on your computer? Possible hacking.

Discussion in 'Security Software' started by Karl Levinson [x y] mvp, Aug 5, 2003.

  1. I've seen a number of people ask this question today, so I hope this is
    helpful to someone:

    FYI, the presence of the files Dcomx.exe or the other files mentioned below
    along with a "Remote Procedure Call" or TFTP popup message on your system
    are signs you may have been hacked by a tool such as Autorooter. [TFTP.EXE
    is a normal file that comes with many versions of Windows, but it should
    usually not be running on most systems.]

    To fix this, you need a firewall [even a free one such as www.sygate.com or
    www.kerio.com], to install all the latest Microsoft service packs and
    patches from www.windowsupdate.com, to check your firewall logs to see who has
    hacked you, and to install and run an antivirus with the latest updates that
    detects this thing [ www.grisoft.com is free antivirus], or to submit sample
    files to your antivirus vendor if it does not detect this thing. I do
    believe there may be new variants of Autorooter that possibly have not yet
    been fully discovered. Unlike an automated event like a worm, this event
    may indicate that someone personally ran a tool against you and may have
    done things to your computer.

    You can find out if you are infected with Autorooter or something new that
    hasn't been discovered by going to one of the scanner sites below. If
    nothing is detected, that's pretty interesting, let us and your antivirus
    company know:

    http://housecall.antivirus.com [my preference] OR
    http://security2.norton.com


    Once your computer has been hacked, here are some things I might recommend
    doing:

    http://securityadmin.info/faq.htm#hacked
    http://securityadmin.info/faq.htm#re-secure
    http://securityadmin.info/faq.htm#harden

    This Trojan has been given several different names by various anti-virus
    companies:

    RPC Worm (F-Secure)
    Downloader-DM (McAfee)
    Autorooter (Panda)
    Worm.Win32.Autorooter (AVP)
    Backdoor.IRC.Cirebot (Symantec)

    References:

    http://www.europe.f-secure.com/v-descs/rpc.shtml
    http://vil.nai.com/vil/content/v_100524.htm
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html
    http://news.com.com/2100%2D1009%2D5059263.html
    http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
    http://www.microsoft.com/security/security_bulletins/MS03-026.asp
    http://support.microsoft.com/?kbid=823980


    Here are some signs of infection, though these do not necessarily match all
    the variants that might be out there:

    "Signs of infection:
    - the existence of one or more of the following files:
    rpc.exe
    rpctest.exe
    tftpd.exe
    dcomx.exe
    lolx.exe
    worm.exe

    Signs that a network is being attacked:
    - traffic on port 445 to sequential IP addresses.
    Signs that an attack has succeeded (allowing a remote shell and downloading
    of the backdoor):
    - port 57005 open;
    - an ftp [tftp] connection on port 69."

    I hope this helps. Let us know if you find anything interesting. Thanks to
    Susan Bradley for pointing this information out.
     
    Karl Levinson [x y] mvp, Aug 5, 2003
    #1
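    As an added example (not from the post or from any of the vendors referenced in it), the network indicators Karl lists can be turned into simple detection logic over firewall logs: a source sweeping TCP/445 across sequential addresses, a connection to TCP/57005, and a tftp transfer on UDP/69. The log format and all addresses below are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample firewall log ("<time> <src> -> <dst>:<port> <proto> <action>", an assumed format).
# 192.0.2.7 sweeps TCP/445 across consecutive hosts; 198.51.100.12 then takes TCP/57005 and fetches over UDP/69.
SAMPLE_LOG = """\
10:01:01 192.0.2.7 -> 198.51.100.10:445 TCP ALLOW
10:01:01 192.0.2.7 -> 198.51.100.11:445 TCP ALLOW
10:01:02 192.0.2.7 -> 198.51.100.12:445 TCP ALLOW
10:01:02 192.0.2.7 -> 198.51.100.13:445 TCP BLOCK
10:01:05 192.0.2.9 -> 198.51.100.20:80 TCP ALLOW
10:02:10 203.0.113.5 -> 198.51.100.12:57005 TCP ALLOW
10:02:11 198.51.100.12 -> 203.0.113.5:69 UDP ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (TCP|UDP) (ALLOW|BLOCK)$")

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"src": m[2], "dst": m[3], "port": int(m[4]), "proto": m[5]}

def find_sequential_445_scans(log, min_run=3):
    """Map each source to the longest run of consecutive destination IPs it hit on TCP/445."""
    by_src = {}
    for e in parse(log):
        if e["port"] == 445 and e["proto"] == "TCP":
            by_src.setdefault(e["src"], set()).add(int(ip_address(e["dst"])))
    hits = {}
    for src, dsts in by_src.items():
        ordered, run, best = sorted(dsts), 1, 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1   # reset when the sequence breaks
            best = max(best, run)
        if best >= min_run:
            hits[src] = best
    return hits

def find_backdoor_indicators(log):
    """Flag connections to TCP/57005 (remote shell) and UDP/69 (tftp download)."""
    alerts = []
    for e in parse(log):
        if e["port"] == 57005 and e["proto"] == "TCP":
            alerts.append(("shell_57005", e["src"], e["dst"]))
        elif e["port"] == 69 and e["proto"] == "UDP":
            alerts.append(("tftp_69", e["src"], e["dst"]))
    return alerts
```

    Because the sweep and the follow-up shell/tftp traffic appear in the same log, a host that shows up as a 445 destination and then as a 57005 destination is the one to triage first.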

  2. John Liebson (Guest)

    Good job, Susan and Karl!
     
    John Liebson, Aug 5, 2003
    #2

  3. HarryJMK (Guest)

    [..]
    If nothing is detected, that's pretty interesting, let us and your antivirus company know:
    [..]

    Hi Karl, great info. As per yr request:

    Done and I am completely clean and completely safe, see report below. How? I've got the free ZoneAlarm v3.7.193 personal firewall installed. Downloadable from www.download.com. On 1 August they've put the newer v3.7.202 on the site, so it's still improving... It's the latest predecessor of the current commercial v4 Pro, see www.powerquest.com for differences. IMHO it's the best personal firewall available, it's the only FW stopping Trojans from the inside, see http://grc.com . Next to that I'm running Ad-aware v6.0, also very valuable.

    The report below does not recognize McAfee Virusscan v4.5.1 SP1, scan engine v4.2.60, which I have installed, because McAfee is now at a much later version, and the one I've got is not commercial but from my company license. So as to viruses I'm completely safe also.

    Another tip: check MS Plug'nPlay vulnerability, see http://grc.com/UnPnP/UnPnP.htm. It's just waiting to happen...

    Kind regards, Harry


    Security Status: At Risk!
    You are vulnerable to at least one form of security threat.


    Hacker Exposure Check

    Description:
    Tests your TCP ports for unauthorized Internet connections.

    Analysis:
    Your computer appears safe from most common intrusions. To learn more about the threats you are protected against, view a detailed analysis of your test results.

    Windows Vulnerability Check

    Description:
    Tests whether basic information, including your PC's network identity, can be seen by hackers.

    Analysis:
    Your computer's identity is secure. However, this does not mean you are completely safe from all Internet security threats.

    Trojan Horse Check

    Description:
    Attempts to test for access to your computer through methods commonly used by Trojan horses.

    Analysis:
    Your computer and data are not vulnerable to Trojan horse attacks. However, Trojan horse threats are constantly evolving, and unless you have a personal firewall and current virus protection, you're not completely safe. To learn more about threats you are protected against, view a detailed analysis of your test results.

    Antivirus Product Check

    Description:
    Checks for a current version of a commonly-used virus protection product.

    Analysis:
    WARNING! No known virus protection software found. This means your computer and data are vulnerable to virus attacks. Virus attacks can have serious consequences, including system damage and data loss.

    Recommendation:
    Install the latest version of a commonly-used virus protection product.
     
    HarryJMK, Aug 6, 2003
    #3
  4. Thanks for the helpful information.

    One small thought... www.grc.com is a helpful site, but there is some
    misinformation there, and their Shields Up scan is helpful but not very
    thorough. I personally disagree with GRC that Zone Alarm is the best
    firewall for everyone, since rating firewalls based solely on ONE feature of
    them is not necessarily the best way to do it. I think Sygate and other
    firewalls now do the same thing Zone Alarm does. Just my two cents.

     
    Karl Levinson [x y] mvp, Aug 6, 2003
    #4
