K
Karl Levinson [x y] mvp
I've seen a number of people ask this question today, so I hope this is
helpful to someone:
FYI, the presence of the files Dcomx.exe or the other files mentioned below
along with a "Remote Procedure Call" or TFTP popup message on your system
are signs you may have been hacked by a tool such as Autorooter. [TFTP.EXE
is a normal file that comes with many versions of Windows, but it should
usually not be running on most systems.]
To fix this, you need a firewall [even a free one such as www.sygate.com or
www.kerio.com], to install all the latest Microsoft service packs and
patches from www.windowsupdate.com, check your firewall logs to see who has
hacked you, and install and run an antivirus with the latest updates that
detects this thing [ www.grisoft.com is free antivirus], or submit sample
files to your antivirus vendor if it does not detect this thing. I do
believe there may be new variants of Autorooter that possibly have not yet
been fully discovered. Unlike an automated event like a worm, this event
may indicate that someone personally ran a tool against you and may have
done things to your computer.
You can find out if you are infected with Autorooter or something new that
hasn't been discovered by going to one of the scanner sites below. If
nothing is detected, that's pretty interesting, let us and your antivirus
company know:
http://housecall.antivirus.com [my preference] OR
http://security2.norton.com
Once your computer has been hacked, these are some things I might recommend
doing are here:
http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden
This Trojan has been given several different names by various anti-virus
companies:
RPC Worm (F-Secure)
Downloader-DM (McAfee)
Autorooter (Panda)
Worm.Win32.Autorooter (AVP)
Backdoor.IRC.Cirebot (Symantec)
References:
http://www.europe.f-secure.com/v-descs/rpc.shtml
http://vil.nai.com/vil/content/v_100524.htm
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot
..html
http://news.com.com/2100-1009-5059263.html
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
http://www.microsoft.com/security/security_bulletins/MS03-026.asp
http://support.microsoft.com/?kbid=823980
Here are some signs of infection, though these do not necessarily match all
the variants that might be out there:
"Signs of infection:
- the existence of one or more of the following files:
rpc.exe
rpctest.exe
tftpd.exe
dcomx.exe
lolx.exe
worm.exe
Signs that a network is being attacked:
- traffic on port 445 to sequential IP addresses.
Signs that an attack has succeeded (allowing a remote shell and downloading
of the backdoor):
- port 57005 open;
- an ftp [tftp] connection on port 69."
I hope this helps. Let us know if you find anything interesting. Thanks to
Susan Bradley for pointing this information out.
helpful to someone:
FYI, the presence of the files Dcomx.exe or the other files mentioned below
along with a "Remote Procedure Call" or TFTP popup message on your system
are signs you may have been hacked by a tool such as Autorooter. [TFTP.EXE
is a normal file that comes with many versions of Windows, but it should
usually not be running on most systems.]
To fix this, you need a firewall [even a free one such as www.sygate.com or
www.kerio.com], to install all the latest Microsoft service packs and
patches from www.windowsupdate.com, check your firewall logs to see who has
hacked you, and install and run an antivirus with the latest updates that
detects this thing [ www.grisoft.com is free antivirus], or submit sample
files to your antivirus vendor if it does not detect this thing. I do
believe there may be new variants of Autorooter that possibly have not yet
been fully discovered. Unlike an automated event like a worm, this event
may indicate that someone personally ran a tool against you and may have
done things to your computer.
You can find out if you are infected with Autorooter or something new that
hasn't been discovered by going to one of the scanner sites below. If
nothing is detected, that's pretty interesting, let us and your antivirus
company know:
http://housecall.antivirus.com [my preference] OR
http://security2.norton.com
Once your computer has been hacked, these are some things I might recommend
doing are here:
http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden
This Trojan has been given several different names by various anti-virus
companies:
RPC Worm (F-Secure)
Downloader-DM (McAfee)
Autorooter (Panda)
Worm.Win32.Autorooter (AVP)
Backdoor.IRC.Cirebot (Symantec)
References:
http://www.europe.f-secure.com/v-descs/rpc.shtml
http://vil.nai.com/vil/content/v_100524.htm
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot
..html
http://news.com.com/2100-1009-5059263.html
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
http://www.microsoft.com/security/security_bulletins/MS03-026.asp
http://support.microsoft.com/?kbid=823980
Here are some signs of infection, though these do not necessarily match all
the variants that might be out there:
"Signs of infection:
- the existence of one or more of the following files:
rpc.exe
rpctest.exe
tftpd.exe
dcomx.exe
lolx.exe
worm.exe
Signs that a network is being attacked:
- traffic on port 445 to sequential IP addresses.
Signs that an attack has succeeded (allowing a remote shell and downloading
of the backdoor):
- port 57005 open;
- an ftp [tftp] connection on port 69."
I hope this helps. Let us know if you find anything interesting. Thanks to
Susan Bradley for pointing this information out.