RPC Call

Hermes

When downloading files the computer shows the fault
message " NT AUTHORITE/SYSTEM " RPC (Remote Procedure
Call) service, system will stop in about 40 seconds.

The computer then reboots without downloading any file.
 
Kelly

To stop the reboots: Go to Start/Run and type in: services.msc. Scroll down
to Remote Procedure Call (RPC)/Recovery/First Failure/Restart the Service.

Close Windows Explorer, run the edit on line 257 which includes the prompt
for the patch once your system has been cleaned.

This script removes all variants of the W32.Blaster.Worm (original, B, C, D,
E and F) and will inform you whether or not the patch is already installed.
http://www.kellys-korner-xp.com/xp_tweaks.htm. Direct download:
http://www.kellys-korner-xp.com/regs_edits/msblast.vbs

More information here:
http://www.kellys-korner-xp.com/xp_qr.htm#rpc

/top10faqs.htm
 
Rick "Nutcase" Rogers

Hi Hermes,

It's a virus called blaster or lovesan. Information:

http://www.kellys-korner-xp.com/xp_qr.htm#rpc
http://vil.nai.com/vil/content/v_100499.htm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
http://www.bigblackglasses.com/Article.aspx?Article=342

You need the patch described here to protect against it:

MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution
http://support.microsoft.com/?kbid=823980

Problem is, you needed to install the patch BEFORE you got infected to avoid
it.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
 
Mad Max

Hi Rick;
Sorry to just jump in here, but I have a question concerning this subject,
that seems to be in order.
I have all the MS critical updates, however can not find 823980. Am I safe
in assuming that it is included either in the "rollup" from October, or in
one of the "Q" numbered files that also downloaded from MS? If not then
what?
By the way, it doesn't get said enough that you MVPs can never get enough
thanks from those of us that would otherwise be flailing around in the dark
trying to keep our computers from devouring us.
 
Rick "Nutcase" Rogers

Hi,

That patch was incorporated into Q824146, I should update that link. Thanks
for pointing it out.

MS03-039: A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious
Programs
http://support.microsoft.com/?kbid=824146

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
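
Added example, not part of any post in this thread: a PowerShell check for the two points above, namely whether the MS03-026 fix is present either as KB823980 or through KB824146, which Rick says incorporates it, and whether the RPC service's recovery actions still include a computer restart. The names `Test-PatchCovered`, `Get-RpcFailureActions` and `$SupersededBy` are hypothetical; it assumes `Get-HotFix` and `sc.exe` are available on the machine being checked.

```powershell
# Added example. The KB numbers and their relationship come from the thread:
# Q824146 (MS03-039) incorporates 823980 (MS03-026).
$SupersededBy = @{ 'KB823980' = @('KB824146') }

function Test-PatchCovered {
    param(
        [Parameter(Mandatory = $true)][string]$Kb,
        [string[]]$Installed = @()
    )
    # Covered if the KB itself, or an update that incorporates it, is installed.
    $acceptable = @($Kb) + @($SupersededBy[$Kb])
    foreach ($id in $acceptable) {
        if ($id -and ($Installed -contains $id)) { return $id }
    }
    return $null
}

function Get-RpcFailureActions {
    # "sc.exe qfailure" prints the recovery actions configured for a service;
    # RpcSs is the service name of Remote Procedure Call (RPC).
    $text = (& sc.exe qfailure RpcSs) -join "`n"
    [regex]::Matches($text, '\b(REBOOT|RESTART|RUN PROCESS)\b') |
        ForEach-Object { $_.Value }
}

# Hotfix IDs as reported by the system (empty list if the query fails).
$installed = @(Get-HotFix -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty HotFixID)

$hit = Test-PatchCovered -Kb 'KB823980' -Installed $installed
if ($hit) {
    "MS03-026 fix present via $hit"
} else {
    "Neither KB823980 nor KB824146 is listed as installed"
}

$actions = @(Get-RpcFailureActions)
if ($actions -contains 'REBOOT') {
    "RPC recovery still includes a computer restart: $($actions -join ', ')"
} else {
    "RPC recovery actions: $($actions -join ', ')"
}
```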
 
Mad Max

Hi yourself Rick.
Far be it for me to point anything out. I'm doing real good if I can get
this computer to turn on of a morning and off at night. Everything in
between those two points is pure dumb luck. I was just wondering if I should
pull the plug or run like he** to the MS update website and try to locate
that missing update.
Again, thanks to all the MVPs.
 
Rick "Nutcase" Rogers

Hi Max,

Yes, get the patch - immediately if you have not already.

Also, take credit, your question caused me to review the article again and
notice the update (it's literally impossible to track them all). This is
what peer-to-peer support is all about.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Win9x
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone
 
Cassandra's Bastard

When downloading files the computer shows the fault
message " NT AUTHORITE/SYSTEM " RPC (Remote Procedure
Call) service, system will stop in about 40 seconds.

The computer then reboots without downloading any file.

This is as good a place as any to raise a point that I have not seen
in this newsgroup.

Over the last several months, many new internet security threats have
appeared which exploit Microsoft's DCOM and RPC flaws. Each time a
new threat appears, Microsoft releases a new patch tailor-made to
counter that one new threat. Each time Microsoft tells everyone to
just update their computers. Again.

This approach is not enough. Each patch does nothing to block any new
variations that inevitably arise. As a result, any unprotected
Microsoft-based computer today will be attacked within minutes after
connecting to the Internet, before they even have a chance to download
and install the latest patches. You don't have to visit any nasty
websites. You don't have to receive any malicious emails. You just
have to connect without protection.

Now, what has me confused is why Microsoft chose to unconditionally
enable DCOM and RPC on every installation in the first place. Because
of this one decision, all NT, 2000, and XP computers, and only these
computers, are at great risk for little practical benefit. Few
end-users will ever use these services. To my knowledge, their only
practical use has been to infect millions of computers worldwide.

And what has me really scratching my head is why Microsoft doesn't
just issue one patch to turn off DCOM and RPC, and instantly block all
existing and future threats based on these services.

That is exactly what I have done on all the computers in my care, and I
have noticed no loss of performance or functionality on any of them.
There is a very small program, created by Steve Gibson, which
selectively enables and disables these services. It is called
DCOMbob.exe, and is available at http://grc.com.

I invite all to share with this newsgroup any facts and/or opinions
they have on these issues.

FWIW
 
