RPC Service Shutdown Bug


Myles

Sorry to trouble you guys, but tonight a very strange bug
surfaced on my computer.
This probably has nothing to do with it, but I thought
I'd mention it since it came up right before the other
problems. I was on AIM, and someone that I was talking to
just stopped replying. Later, when I rebooted my
computer, she showed me a log, and she had been talking
to me the whole time but I wasn't receiving her messages.

That aside, I was reading some articles online, when
suddenly I get a message saying my computer will restart
in 60 seconds, because of the unexpected termination of
the Remote Procedure Call Service. It restarted, I logged
back on, and immediately I got a popup asking with which
program I should open TFTP2848. Then, shortly thereafter,
I get the termination message for dcomx.exe. About 3-5
minutes later, I get the RPC shutdown again. I restart
the computer, come back, and it happens one more time.

For now, I got the startup message about TFTP2848, but
nothing since, so I might be ok. I doubt it, however, and
I would really like to know what's up and how I can fix
it regardless. Thanks in advance for any help!
 
I got the same error tonight too, but the only thing
different is that my file is called TFTP200... I need
help with this also.
 
Damn, same here, but the file is TFTP2784. I removed the
file but continue to get random reboots! Help!
 
Myles,
The same RPC Service Shutdown happened to me 8-4-03
Pacific time pm.

It won't let me stay open on the internet,
and I desperately need to stay on for 3-4 hours straight.

Any help?
 
I've seen a number of people ask this question today, so I hope this is
helpful to someone:

FYI, the presence of the files Dcomx.exe or the other files mentioned below
along with a "Remote Procedure Call" or TFTP popup message on your system
and/or system lockups or reboots are signs you may have been hacked by a
tool such as Autorooter. [TFTP.EXE is a normal file that comes with many
versions of Windows, but it should usually not be running on most systems.]

To fix this, you need a firewall [even a free one such as www.sygate.com or
www.kerio.com], to install all the latest Microsoft service packs and
patches from www.windowsupdate.com, check your firewall logs to see who has
hacked you, and install and run an antivirus with the latest updates that
detects this thing [ www.grisoft.com is free antivirus], or submit sample
files to your antivirus vendor if it does not detect this thing. I do
believe there may be new variants of Autorooter that possibly have not yet
been fully discovered. Unlike an automated event like a worm, this event
may indicate that someone personally ran a tool against you and may have
done things to your computer.

There are a number of posts mentioning a quick "registry fix" to close "port
135." This does very little to secure your computer, as it only closes one
of the 130,000 ports on your computer. Get a firewall first, even a free
one.

Also, note that the presence of new files such as TFTPxxxx or DCOMX.EXE etc.
means that just installing the latest Microsoft patches, editing the
registry, etc. may no longer be sufficient. Installing the Microsoft patch,
editing the registry, closing ports, disabling services, etc. do absolutely
nothing to block the back door that has probably now been installed, so that
your computer can still be compromised using other ports.

You can find out if you are infected with Autorooter or something new that
hasn't been discovered by going to one of the scanner sites below. If
nothing is detected, that's pretty interesting, let us and your antivirus
company know:

http://housecall.antivirus.com [my preference] OR
http://security2.norton.com


Once your computer has been hacked, these are some things I might recommend
doing:

http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden

This Trojan has been given several different names by various anti-virus
companies:

RPC Worm (F-Secure)
Downloader-DM (McAfee)
Autorooter (Panda)
Worm.Win32.Autorooter (AVP)
Backdoor.IRC.Cirebot (Symantec)

References:

http://www.europe.f-secure.com/v-descs/rpc.shtml
http://vil.nai.com/vil/content/v_100524.htm
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html
http://news.com.com/2100-1009-5059263.html
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
http://www.microsoft.com/security/security_bulletins/MS03-026.asp
http://support.microsoft.com/?kbid=823980


Here are some signs of infection, though these do not necessarily match all
the variants that might be out there:

"Signs of infection:
- the existence of one or more of the following files:
rpc.exe
rpctest.exe
tftpd.exe
dcomx.exe
lolx.exe
worm.exe

Signs that a network is being attacked:
- traffic on port 445 to sequential IP addresses.
Signs that an attack has succeeded (allowing a remote shell and downloading
of the backdoor):
- port 57005 open;
- an ftp [tftp] connection on port 69."

I hope this helps. Let us know if you find anything interesting. Thanks to
Susan Bradley for pointing this information out.
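A defender-side check for the signs quoted in the post above, added here as an example (it is not code from the thread or from any vendor): it parses a constructed firewall log in an assumed `time action src:port -> dst:port` format, flags the three network signs (sequential port 445 probing, a reachable port 57005, a tftp session on port 69), and filters a directory listing for the dropped file names the post lists.

```python
import re
from ipaddress import ip_address

# File names and ports quoted in the post above; TFTPnnnn matches the names the thread mentions.
SUSPECT_FILES = {"rpc.exe", "rpctest.exe", "tftpd.exe", "dcomx.exe", "lolx.exe", "worm.exe"}
TFTP_DROP_RE = re.compile(r"^tftp\d+$", re.IGNORECASE)
SMB_PORT, TFTP_PORT, BACKDOOR_PORT = 445, 69, 57005

# Constructed sample firewall log (not from the thread): "<time> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2003-08-04T22:01:10 ALLOW 192.168.1.20:1345 -> 10.0.0.1:445
2003-08-04T22:01:10 ALLOW 192.168.1.20:1346 -> 10.0.0.2:445
2003-08-04T22:01:11 ALLOW 192.168.1.20:1347 -> 10.0.0.3:445
2003-08-04T22:02:30 ALLOW 203.0.113.9:2201 -> 192.168.1.20:57005
2003-08-04T22:02:35 ALLOW 192.168.1.20:3022 -> 203.0.113.9:69
"""
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+):(\d+) -> (\S+):(\d+)$")

def parse(log):  # yield one record per well-formed line; anything else is skipped
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"action": m[2], "src": m[3], "dst": m[5], "dport": int(m[6])}

def longest_sequential_run(sorted_ints):  # longest run of consecutive ints, 0 if empty
    best = run = 1 if sorted_ints else 0
    for a, b in zip(sorted_ints, sorted_ints[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def find_signs(log, min_run=3):
    # Map the three network signs quoted in the post onto firewall records.
    findings, smb_targets = [], {}
    for e in parse(log):
        if e["dport"] == BACKDOOR_PORT and e["action"] == "ALLOW":
            findings.append(f"backdoor shell port {BACKDOOR_PORT} reached on {e['dst']} from {e['src']}")
        elif e["dport"] == TFTP_PORT:
            findings.append(f"tftp session {e['src']} -> {e['dst']} (backdoor download)")
        elif e["dport"] == SMB_PORT:
            smb_targets.setdefault(e["src"], set()).add(int(ip_address(e["dst"])))
    for src, ips in smb_targets.items():  # one host walking port 445 across a range
        if longest_sequential_run(sorted(ips)) >= min_run:
            findings.append(f"{src} probing port {SMB_PORT} on sequential addresses")
    return findings

def suspect_files(listing):
    # Keep only names matching the dropped files the post lists.
    return sorted(n for n in listing if n.lower() in SUSPECT_FILES or TFTP_DROP_RE.match(n))
```

Feed `find_signs` the exported log of whichever firewall you install; the parser only needs the source, destination and destination port of each allowed connection.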
 