RPC shutdown problem, I don't have Blaster. Any other ideas, please!

MMJII

Hello All,

I had a laptop infected with Klez and So.F. Norton AntiVirus found
these files using the DOS boot disk with virus patterns for 2-28-04. I
turned off System Restore, rebooted, and rescanned with the NAV boot disk; it deleted
all the files it found infected. Then I restarted Win XP and ran the Klez and
SoBig.F AV tools from Symantec, which deleted additional files. Rescanned, all
clear.
The laptop is shutting down due to RPC @ 60 secs. The Task Manager does not show
msblast.exe. Is there any other reason this PC is experiencing this problem?

Thanks for any ideas
MMJ II
 
Leonard Severt [MSFT]

Yes, if you are not patched and there is a lot of MSBlast RPC activity on
the network, it can cause RPC failure. You need to make certain you have
the MS03-039 patch installed.

Leonard Severt

Windows 2000 Server Setup Team
 
David H. Lipman

and install the following patch for the RPC/RPCSS Buffer Overflow Vulnerability that is
addressed by Microsoft Security Bulletin MS03-39 http://support.microsoft.com/?kbid=824146
 
David H. Lipman

Oooops, keyboard slip :)

You must install the following patch for the RPC/RPCSS Buffer Overflow Vulnerability that is
addressed by Microsoft Security Bulletin MS03-39 http://support.microsoft.com/?kbid=824146

In addition:
If you post to UseNet with your TRUE, not a munged, email address, then you have invited the
Swen Internet worm [aka W32/Gibe-F] to visit you.

Swen is "news" spelled backwards. The reason it is called this is because the Swen worm
harvests email addresses from UseNet News Groups. It has an engine that allows it to post
itself to UseNet News Groups, and it also has its own email engine. From the list of
email addresses that it has harvested, it will then email itself to those addresses.

Dave



 
MMJII

Thanks to all that responded, I will patch up IMMEDIATELY!!!
Thanks to Dave for the info on Swen. Fortunately, the PC I'm on the net with
has all MS patches, ZA firewall, and updated NAV.

Thanks Again for all your help.

MMJ II
 
cquirke (MVP Win9x)

On Wed, 3 Mar 2004 08:46:25 -0500, "MMJII" wrote:
| Thanks to all that responded, I will patch up IMMEDIATELY!!!
| Thanks to Dave for the info on Swen. Fortunately, the PC I'm on the net with
| has all MS patches, ZA firewall, and updated NAV.

The point that no-one ever seems to mention is that it is not
infection of your PC by Lovesan, Nachi, SDbot.RPC.A and other RPC
attackers that causes RPC service failure and shutdown DoS. It is
merely the attempts by these to penetrate RPC that do this.

So antivirus software on your PC can make no difference whatsoever to
this state of affairs. A firewall is supposed to - the party line is
that even the built-in XP firewall is enough to block entry and thus
RPC failure - but in my experience with XP's firewall and your
experience with ZA, this is not the case.

In my client's case, they had a PC that had always run the XP
firewall, and yet it had multiple RPC infectors present.

Finally, you can stop the shutdown Denial of Service effect simply by
changing one of Microsoft's more brain-dead default settings. Find
your way to Admin Tools, Services, and check the Properties of the
Remote Procedure Call service, on the Recovery tab. Instead of
"Restart the Computer" (= "Kill Me Now"), change those three choices
to "Restart the Service". That won't keep RPC running if attacked
through the hole, but at least keeps the system up.

You've done the most important thing, which is fixing the defective
RPC service. Asking MS why this has to run exposed to the Internet
would be a good idea; seems like a really dumb design to me.


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
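
The Recovery-tab setting described in the post above can also be audited from text output. The following is an added example, not part of the original thread: it parses failure-action dumps in the layout printed by `sc qfailure <service>` and lists services whose failure action reboots the machine. The sample text is constructed, its layout is an assumption of this example, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the layout `sc qfailure <service>` prints
# (an assumption of this example, not output captured from a real machine).
SAMPLE_QFAILURE = """\
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: RpcSs
        RESET_PERIOD (in seconds)    : 0
        REBOOT_MESSAGE               :
        COMMAND_LINE                 :
        FAILURE_ACTIONS              : REBOOT -- Delay = 60000 milliseconds.

[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: Spooler
        RESET_PERIOD (in seconds)    : 86400
        FAILURE_ACTIONS              : RESTART -- Delay = 60000 milliseconds.
                                       RESTART -- Delay = 60000 milliseconds.
"""

ACTION_RE = re.compile(r"(RESTART|REBOOT|RUN PROCESS|NONE)\b(?:\s*--\s*Delay\s*=\s*(\d+))?")

def parse_qfailure(text):
    """Return {service: [(action, delay_ms), ...]} from one or more qfailure dumps."""
    services, current, in_actions = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current, in_actions = line.split(":", 1)[1].strip(), False
            services[current] = []
            continue
        if line.startswith("FAILURE_ACTIONS"):
            in_actions = True                      # first action shares this line
            line = line.split(":", 1)[1].strip()
        match = ACTION_RE.match(line) if in_actions and current else None
        if match is None:                          # any other field ends the list
            in_actions = False
            continue
        services[current].append((match.group(1), int(match.group(2) or 0)))
    return services

def reboot_on_failure(services):
    """Services for which a crash (or a forced crash) takes the whole host down."""
    return sorted(n for n, acts in services.items() if any(a == "REBOOT" for a, _ in acts))

if __name__ == "__main__":
    for name in reboot_on_failure(parse_qfailure(SAMPLE_QFAILURE)):
        print(f"{name}: failure action is REBOOT; consider 'Restart the Service' instead")
```
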
 
David H. Lipman

Some very good points Cquirke !

Let me just add this experience that happened to nodes located within our satellite office
at our Prime Contractor.

We had updated McAfee DAT files with a McAfee EXTRA.DAT but did not yet have the RPC Buffer
Overflow Vulnerability patch. While the PC did have the 60 sec. count-down, McAfee's
on-access scanner blocked the writing of BLASTER.EXE to the hard disk and the execution of its
code. McAfee Alertmanager gave us, the admin., a NetBIOS pop-up and the event was logged.

Dave
 
