Exploit details:There is a buffer overrun vulnerability in the RPC service. By default the RPC service listens on port 135 and by sending a special crafted message to this port, then it is possible to execute malicious commands within the context of the RPC service.
The following operating systems has this security hole:
- Windows 2000 SP1, SP2, SP3, SP4
- Windows XP SP1
- Windows 2003
More Info SecurityFocus.com (Exploit Sample Code)
Exploit side effects:The RPC service is vital for the operation of Windows, so when vulnerable to attacks then it might crash and cause Windows to shutdown. One of the following messages are usually shown when the RPC Service crashes:
The result of the attacks is usually that the system becomes infected with a virus, which take control of the CPU and the Internet bandwidth, and it is then used for attacking other machines on the Internet.
This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM
Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.
The computer will be restarted - it has been initiated by the NT authority system because the remote procedure call (RPC service) terminated unexpectedly.
Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience
The program svchost.exe has generated errors and will be closed by Windows. You will have to restart the program
Solution to prevent exploit:
- Consider enabling a firewall to prevent future attacks (Like Windows XP Firewall)
- Download and install the Microsoft patch MS04-012 Cumulative Update for Microsoft RPC/DCOM (828741).
- Download the newest virus database for your existing AntiVira Scanner and scan or use housecall.antivirus.com. (If using WinXP remember to turn off System Restore temporarily)
- Microsoft have created their own Microsoft Windows Malicious Software Removal Tool (Q890830) because newly installed systems are easily infected. (Replaces Q833330)
- McAfee have updated their Stinger to handle the most common infections caused by this exploit
- Symantec have created their own W32.Blaster.Worm Removal Tool
- Check Windows Update to see if there are other critical patches for your system
Note another way to stop the shutting down within 60 secs, is to configure the RPC service to restart automatically:
- Press Start-button and select Run... this command:
- Double click the service Remote Procedure Call (RPC) (Not the Locator)
- Select the Recovery-tab
- Set First Failure, Second Failure, Subsequent Failure to Restart Service
- Press Ok
- Press the Start-button and Run... this command:
- If you are running Windows XP or Windows Server 2003, perform these additional steps:
- Click the Component Services node under Console Root.
- Open the Computers folder.
- For the local computer, right-click My Computer, and then click Properties.
- For a remote computer, right-click Computers folder, point to New, and then click Computer.
- Type the computer name.
- Right-click the computer name, and then click Properties.
- Click the Default Properties tab.
- Clear the Enable Distributed COM on this Computer check box.
- Click Apply button and exit Dcomcnfg.exe
- Restart the operating system for the changes to take effect
Exploiters:More information about the RPC attackers:
- Win32.Autorooter Backdoor.IRC.Cirebot Worm.Win32.Autorooter
- Different security firms have identified the blaster (MSBlast.exe):
- New variants of the Blaster:
- Blaster Killing Worm: W32/Nachi.worm W32.Welchia.Worm
Updated: 21 January 2010