Welcome, Guest. Please login or register.
Amiga Kit Amiga Store Hollywood MAL AMIStore App Store A600 Memory

AuthorTopic: "Remote Procedure Call terminated" problem  (Read 3363 times)

0 Members and 1 Guest are viewing this topic.

Offline Blomberg

Re: "Remote Procedure Call terminated" problem
« Reply #15 on: August 12, 2003, 01:35:11 AM »
Another filename to keep an eye out for is msmsgri32.exe

I just found that on my sister's computer as i was setting it up for her new adsl connection, it was causing a lot of 'red' traffic in the outgoing direction.

Didn't think it was related to this attack until Vincent here found the exact same one, i repeat: msmsgri32.exe - get rid of it  :-)

Offline Vincent

Re: "Remote Procedure Call terminated" problem
« Reply #16 on: August 12, 2003, 01:39:48 AM »
To further what Blomberg's said, use msconfig to disable it (under startup) and clean the registry - there's one entry for it.

It's in something like:

Local machine:software\microsoft\shared tools\ msconfig\startupreg\mssyslanhelper

edit: if you have Win2k, try to find someone with WinXP and copy their msconfig - it works on Win2k aswell :-)
Xbox360
"Oh no. Everytime you turn up something monumental and terrible happens.
I don\'t think I have the stomach for it." - Raziel
 

Offline Blomberg

Re: "Remote Procedure Call terminated" problem
« Reply #17 on: August 12, 2003, 01:44:19 AM »
Quote

Vincent wrote:
edit: if you have Win2k, try to find someone with WinXP and copy their msconfig - it works on Win2k aswell :-)
Arr arr and a barrel of rum!  :-D

Offline Vincent

Re: "Remote Procedure Call terminated" problem
« Reply #18 on: August 12, 2003, 02:20:20 AM »
It wasn't until about 0:30ish that I discovered that I had actually been infected with this virus aswell.  I had the msmsgri32.exe file.

Thankfully it didn't "work" on my setup.  Now I know first hand how to get rid of it and close the ports I'll be able to easily do it on my cousin's CP setup :-D

I'm not promoting this hacker in anyway, but I do agree with his message:

Quote
"billy gates why do you make this possible? Stop making money and fix your software!"


Too true! :-D
Xbox360
"Oh no. Everytime you turn up something monumental and terrible happens.
I don\'t think I have the stomach for it." - Raziel
 

Offline Floid

Re: "Remote Procedure Call terminated" problem
« Reply #19 on: August 12, 2003, 12:26:30 PM »
Gotta love Windows.

Here's Symantec's writeup on the second (msmsgri32.exe) worm, for anyone else reading.  They call it W32.Randex.D, with an associated Backdoor.Roxy or Backdoor.Trojan.  (W32/Slanper.worm [McAfee], W32/Slanper-A [Sophos], Worm.Win32.Randex.d [KAV])...

...Since it spreads by testing victim machines' accounts for weak passwords, one could imagine it might be heavy on outgoing traffic.  Via Sophos's writeup and a little bit of knowledge, the NetUserEnum() function mentioned is part of the old Lan Manager function set, running over SMB on port 445 (TCP? UDP?).  I have no idea which services would need disabling to block it without firewalling, but maybe someone else does.

Symantec's removal instructions for Randex seem to take out the backdoor at the same time, but there is a separate page for the Roxy aspect itself.

---

Back on the original thread, names for the RPC worm du-jour seem to be settling out to "Blaster," "MSBlast," or "Lovsan," if you need words to Google for.  The original SANS article has been updated with some links, cleaning utilities, etc.  In fact, may as well put the Symantec Blaster removal tool in a nice bold link for anyone still suffering.
 

Offline Kees

Re: "Remote Procedure Call terminated" problem
« Reply #20 on: August 12, 2003, 12:29:24 PM »
It got to me too ... grrrr

I just hope i have time enough to download and install it before this thing shuts down my computer.
Kees Witteveen
Amiga.org

** Cool Signature **
 

Offline Elektro

Re: "Remote Procedure Call terminated" problem
« Reply #21 on: August 12, 2003, 12:46:24 PM »
Vince, you put this into 'alternative operating systems'?!!

 :-P
#amiga.org @ irc.synirc.net
 

Offline bhoggett

Re: "Remote Procedure Call terminated" problem
« Reply #22 on: August 12, 2003, 12:56:44 PM »
@Kees

Put up the firewall and this will give you the time you need.

My server was under heavy attack until I did this. The trouble I have now is that I can't locate any of the worms mentioned. The registry is clean, and the files mentioned aren't on my system either.

Grrrr...
Bill Hoggett
 

Offline mikeymike

Re: "Remote Procedure Call terminated" problem
« Reply #23 on: August 12, 2003, 12:57:05 PM »
There are quite a few steps needed to secure RPC and Windows filesharing services, so I can't just quote a particular step, but my install guide for win2k might help:

win2k install guide

I've not installed XP from scratch before, but XP is similiar enough to Win2k.

Offline jd997uk

Re: "Remote Procedure Call terminated" problem
« Reply #24 on: August 12, 2003, 01:02:15 PM »
Quote
It got to me too ... grrrr


How? I treat [color=FF0000]ALL[/color][/b] e-mails with attatchments with suspicion. Even when they are from someone I know.

I always run behind one of these as well as running ZoneAlarm. Virii are kept in check with AVG.
With near-weekly incidents like these, it's impossible to not get paranoid running a Winbox that's connected to the net.

-john
Don\\\'t panic - bite the towel.
 

Offline mikeymike

Re: "Remote Procedure Call terminated" problem
« Reply #25 on: August 12, 2003, 01:06:00 PM »
AFAIK there's a worm that propagates via insecure RPC as well as via email.

Offline Elektro

Re: "Remote Procedure Call terminated" problem
« Reply #26 on: August 12, 2003, 01:10:05 PM »
i didnt have any problems... this is all linux propaganda...








lol
#amiga.org @ irc.synirc.net
 

Offline Vincent

Re: "Remote Procedure Call terminated" problem
« Reply #27 on: August 12, 2003, 01:17:38 PM »
Xbox360
"Oh no. Everytime you turn up something monumental and terrible happens.
I don\'t think I have the stomach for it." - Raziel
 

Offline Piru

  • \' union select name,pwd--
  • Hero Member
  • *****
  • Join Date: Aug 2002
  • Posts: 6946
  • Total likes: 0
    • http://www.iki.fi/sintonen/
Re: "Remote Procedure Call terminated" problem
« Reply #28 on: August 12, 2003, 01:17:46 PM »
Quote
I wonder how it got on my machine since I use Norton and it is up to date.

1) It's not a virus in the traditional sense.
2) Norton or any other virus killer has no way of stopping new viruses and worms. The virus/worm need to be captured, analyzed and finally detection and removal code written for it. This is very specialized handwork and cannot be made automatic, so it takes time.

With the today's fast spreading distributed worms and exploitable windows holes it's almost impossible to get generic solutions against such things. If you want to be safe, get rid of Windows. Or at least run real firewall (NO, windows built-in firewall is no solution here).

One upto-date hardware firewall or a linux/bsd box routing all traffic should be enough to stop 99% of the baddies.
 

Offline mikeymike

Re: "Remote Procedure Call terminated" problem
« Reply #29 on: August 12, 2003, 01:40:28 PM »
Quote
1) It's not a virus in the traditional sense.
2) Norton or any other virus killer has no way of stopping new viruses and worms. The virus/worm need to be captured, analyzed and finally detection and removal code written for it. This is very specialized handwork and cannot be made automatic, so it takes time.


Oh no, please let's not start one of those discussions :-)