
Author Topic: "Remote Procedure Call terminated" problem  (Read 5610 times)


Offline Floid

  • Hero Member
  • *****
  • Join Date: Feb 2003
  • Posts: 918
Re: "Remote Procedure Call terminated" problem
« on: August 11, 2003, 11:20:33 PM »
Above link looks right.

See:
Slashdot article
SANS article linked from Slashdot
CERT: Patched Win2k still has a denial-of-service vulnerability

Probably be all over the news tonight, anyhow.
Applying the RPC DCOM patch or firewalling TCP port 135 incoming should provide safety from infection by this particular worm; with Win2k, it sounds like only the second can avoid a potential DoS from hammering of the port.  Once one machine is infected, it can of course spread to other machines on its local segment (cable modem subscribers: enjoy another Code Red)...  Patching with the existing MS patch will not deactivate the payload; for that, you'll have to find the MSBlast.exe file and delete it and the autorun reference in the registry as placed on a successful infection; quoting SANS:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

(Presumably you can distinguish this from any actual services by reference to the MSBlast.exe file?)

Remember, this information may become obsolete as the code is studied more closely.
 
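The registry check the post describes, as an added example that is not part of the thread or of the SANS write-up: it parses the kind of text `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` prints, flags any value whose name is the SANS indicator `windows auto update` or whose data runs `msblast.exe` (so a renamed value is still caught, which answers the "distinguish it from actual services" question above), and builds the `reg delete` lines to remove the hits without running them. The sample key dump is constructed for the example, and the assumption that the value's data is simply `msblast.exe` comes from the SANS description rather than from this page.

```python
import re
from typing import Dict, List

# Constructed sample of `reg query` output for the Run key on an infected box:
# the first entry is the one SANS describes, the second is benign, the third is
# a hypothetical variant that kept the binary but changed the value name.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    windows auto update    REG_SZ    msblast.exe
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe"
    UpdateService    REG_SZ    C:\WINNT\system32\msblast.exe /q
"""

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BLASTER_VALUE_NAME = "windows auto update"   # indicator quoted from SANS
BLASTER_BINARY = "msblast.exe"               # payload file named in the post

# reg query prints:  <name><2+ spaces><REG_type><2+ spaces><data>
ENTRY_RE = re.compile(r"^\s*(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_run_key(text: str) -> List[Dict[str, str]]:
    """Turn reg query output into a list of {name, type, data} dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"name": m.group("name").strip(),
                            "type": m.group("type"),
                            "data": m.group("data").strip()})
    return entries


def image_basename(data: str) -> str:
    """Lower-cased file name of the executable a Run value launches.

    Handles a quoted path ("C:\\Program Files\\x.exe" args) and an unquoted
    path followed by arguments (C:\\dir\\x.exe /q)."""
    d = data.strip()
    if d.startswith('"'):
        path = d[1:].split('"', 1)[0]
    else:
        path = d.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_blaster_entries(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag entries by value name (the SANS indicator) or by the binary they run."""
    hits = []
    for e in entries:
        reasons = []
        if e["name"].lower() == BLASTER_VALUE_NAME:
            reasons.append("value name matches SANS indicator")
        if image_basename(e["data"]) == BLASTER_BINARY:
            reasons.append("data launches " + BLASTER_BINARY)
        if reasons:
            hits.append({**e, "reasons": reasons})
    return hits


def cleanup_commands(hits: List[Dict[str, object]]) -> List[str]:
    """reg.exe command lines that would remove the flagged autorun values.
    They are returned as strings, not executed."""
    return [f'reg delete "{RUN_KEY}" /v "{h["name"]}" /f' for h in hits]


if __name__ == "__main__":
    found = find_blaster_entries(parse_run_key(SAMPLE_RUN_KEY))
    for h in found:
        print(f'{h["name"]!r} -> {h["data"]!r}: {"; ".join(h["reasons"])}')
    for cmd in cleanup_commands(found):
        print(cmd)
```

Deleting the Run value only stops the payload from restarting; the file itself still has to go, and the box is still exploitable until the patch is on or TCP 135 is firewalled.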

Offline Floid

Re: "Remote Procedure Call terminated" problem
« Reply #1 on: August 11, 2003, 11:41:20 PM »
Unless it's an Itanium, it's 32-bit.  And no, it's not an Itanium.

Scrolling through the Slashdot thread shows a few related worms taking advantage of the vulnerability, some nastier than the presently-virulent one.  As always, take Slashdot advice with a grain of salt, and Google until you find confirmation from something resembling a reputable source (CERT, SANS, McAfee, Norton, etc.).

As noted in some of the comments, XP has a software firewall that can be thrown up as defense from reinfection while applying the patch and trying to clean up the mess.  If you aren't confident, you may want to find someone more deeply Windows-familiar to deal with the registry editing and associated hair-pulling.
 

Offline Floid

Re: "Remote Procedure Call terminated" problem
« Reply #2 on: August 12, 2003, 12:26:30 PM »
Gotta love Windows.

Here's Symantec's writeup on the second (msmsgri32.exe) worm, for anyone else reading.  They call it W32.Randex.D, with an associated Backdoor.Roxy or Backdoor.Trojan.  (W32/Slanper.worm [McAfee], W32/Slanper-A [Sophos], Worm.Win32.Randex.d [KAV])...

...Since it spreads by testing victim machines' accounts for weak passwords, one could imagine it might be heavy on outgoing traffic.  Via Sophos's writeup and a little bit of knowledge, the NetUserEnum() function mentioned is part of the old Lan Manager function set, running over SMB on port 445 (TCP? UDP?).  I have no idea which services would need disabling to block it without firewalling, but maybe someone else does.

Symantec's removal instructions for Randex seem to take out the backdoor at the same time, but there is a separate page for the Roxy aspect itself.

---

Back on the original thread, names for the RPC worm du jour seem to be settling out to "Blaster," "MSBlast," or "Lovsan," if you need words to Google for.  The original SANS article has been updated with some links, cleaning utilities, etc.  In fact, may as well put the Symantec Blaster removal tool in a nice bold link for anyone still suffering.
 
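Since both worms in this thread spread by contacting many hosts on one port (TCP 135 for Blaster, 445 for Randex's password guessing), the "heavy on outgoing traffic" remark above suggests a simple detector. This is an added example, not something from the thread or from the vendor write-ups: a sliding-window sweep detector that raises an alert when one source reaches a threshold of distinct destinations on a worm port within a time window. The flow records it runs over are constructed for the example, the window and threshold are assumptions to tune per network, and the port-to-worm labels only repeat what the posts say.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Ports the thread associates with each worm (labels are from the posts).
WORM_PORTS = {135: "RPC/DCOM (Blaster)", 445: "SMB (Randex password guessing)"}

# A flow record: (timestamp in seconds, source IP, destination IP, destination port)
Flow = Tuple[float, str, str, int]


def make_sample_flows() -> List[Flow]:
    """Constructed traffic: one sweeping host, one normal host, one slow prober."""
    flows: List[Flow] = []
    # 10.0.0.5 walks a neighbouring /24 on 445, a new target every half second.
    for i in range(24):
        flows.append((1000.0 + i * 0.5, "10.0.0.5", f"10.0.1.{i + 1}", 445))
    # 10.0.0.7 talks to a file server and a print server: normal use.
    flows += [(1001.0, "10.0.0.7", "10.0.0.10", 445),
              (1002.0, "10.0.0.7", "10.0.0.10", 445),
              (1003.0, "10.0.0.7", "10.0.0.11", 135)]
    # 10.0.0.9 probes 135 on eight hosts, but only one per minute.
    for j in range(8):
        flows.append((1000.0 + j * 60.0, "10.0.0.9", f"10.0.2.{j + 1}", 135))
    return flows


def detect_sweeps(flows: List[Flow], window: float = 60.0,
                  threshold: int = 10) -> List[Dict[str, object]]:
    """Alert once per (source, port) when the source has contacted at least
    `threshold` distinct destinations on a worm port within `window` seconds."""
    recent: Dict[Tuple[str, int], List[Tuple[float, str]]] = defaultdict(list)
    alerted = set()
    alerts: List[Dict[str, object]] = []
    for ts, src, dst, dport in sorted(flows):
        if dport not in WORM_PORTS:
            continue                       # only the ports we care about
        key = (src, dport)
        bucket = recent[key]
        bucket.append((ts, dst))
        # Drop observations that have aged out of the window.
        bucket = [(t, d) for t, d in bucket if ts - t <= window]
        recent[key] = bucket
        distinct = {d for _, d in bucket}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dport": dport,
                           "service": WORM_PORTS[dport],
                           "ts": ts, "targets": len(distinct)})
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(make_sample_flows()):
        print(f'{a["ts"]:.1f} {a["src"]} -> {a["targets"]} hosts on '
              f'{a["dport"]} [{a["service"]}]')
```

A real deployment would feed this from firewall or flow logs; the point is that the count of distinct destinations per source, not the byte volume, is what separates a scanning worm from a busy file server, and the slow prober shows why the window has to match the threat you are hunting.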

Offline Floid

Re: "Remote Procedure Call terminated" problem
« Reply #3 on: August 12, 2003, 05:45:11 PM »
Quote

Elektro wrote:
i didnt have any problems... this is all linux propaganda...
Linux propaganda?  Hmmph!

 :-D

Offline Floid

Re: "Remote Procedure Call terminated" problem
« Reply #4 on: August 12, 2003, 07:28:08 PM »
Gibson (of GRC) is sort of a benign loon; he does his best to help the little guy, but there's a bit of the showman to him, and his technical knowledge itself is really only... middling to average.  Off the top of my head, DSLReports offers some similar tests with more detail and less obfuscation, or you can find a copy of 'nmap' or another portscanner and conduct them yourself (though you'll probably want a remote machine to test from).

Basically, 'closed' would indicate the port returned a TCP reset or reset/ACK pair.  'Stealth,' from Gibson's perspective, seems to indicate the port didn't respond at all - well and good - but you can get the same impression if the packets are lost on their way for whatever reason.  If you're stuck using people's web-based tools, it's good to get a second or third opinion.

Basics of TCP negotiation and 'theories' of portscanning here, or a million other places via Google.  nmap itself is over here, and there's even a Windows version available.
 
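The three port states described above, as an added example that is not from the thread or from GRC: a plain connect() probe (what nmap calls a -sT scan) reports "open" when the handshake completes, "closed" when the target answers with a reset (the OS surfaces that as ECONNREFUSED), and, for the "stealth" case, only concludes "filtered" after several silent probes, since a single unanswered SYN might just have been lost in transit. The timeout, retry count and the loopback listener used to exercise it are assumptions for the example, and a real check has to be run from a remote machine, as the post says.

```python
import errno
import socket
from typing import List, Tuple


def probe_once(host: str, port: int, timeout: float = 2.0) -> str:
    """One TCP connect() attempt, mapped to what the target did with the SYN."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                       # handshake completed
    except ConnectionRefusedError:
        return "closed"                     # target sent a reset
    except socket.timeout:
        return "no-response"                # nothing came back: dropped or lost
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"            # the path itself is broken
        raise
    finally:
        s.close()


def classify_port(host: str, port: int, timeout: float = 2.0,
                  retries: int = 3) -> Tuple[str, List[str]]:
    """Retry silent probes so one lost packet is not reported as 'stealth'.

    Returns the verdict and the individual probe results behind it."""
    results: List[str] = []
    for _ in range(retries):
        r = probe_once(host, port, timeout)
        results.append(r)
        if r != "no-response":
            return r, results               # a definite answer ends the loop
    return "filtered", results              # silent every time: assume a filter


def start_listener() -> Tuple[socket.socket, int]:
    """Open a loopback listener on a free port so 'open' can be demonstrated."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def free_port() -> int:
    """Pick a port nothing is listening on (bind, read it back, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    listener, lport = start_listener()
    print(lport, classify_port("127.0.0.1", lport))
    listener.close()
    print(classify_port("127.0.0.1", free_port()))
```

Against a remote box, "closed" still proves the host is up and answering on that port, which is why a firewall that drops rather than rejects gives the "stealth" result; just remember that the same silence is what you see when your own probes never arrived.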

Offline Floid

Re: "Remote Procedure Call terminated" problem
« Reply #5 on: August 12, 2003, 09:31:49 PM »
Quote

Elektro wrote:
hehe cool pic floid
Real credit goes to whoever on the TenDRA (C-and-other-languages compiler, formerly of the UK DERA, now under an unrestrictive license*) team cooked it up and released it.

More over here, of course the DragonFly project is over there...

---

*No, really, I love the GPL.  It's just that such digs are a good 'evangelism' trick for all the people who don't get that BSD means free as in free, not free as in... hm, OpenLinux? ;)