Re: Remote Procedure Call error? DCOMX.EXE, RPC.EXE, RPCTEST.EXE


John Liebson
December 12th 03, 07:26 PM
On 5/8/2003 14:11, Karl Levinson [x y] mvp wrote:

> I've seen a number of people ask this question today, so I hope this is
> helpful to someone:
>
> FYI, the presence of the files Dcomx.exe or the other files mentioned below
> along with a "Remote Procedure Call" or TFTP popup message on your system
> are signs you may have been hacked by a tool such as Autorooter. [TFTP.EXE
> is a normal file that comes with many versions of Windows, but it should
> usually not be running on most systems.]
>
> To fix this, you need a firewall [even a free one such as www.sygate.com or
> www.kerio.com], to install all the latest Microsoft service packs and
> patches from www.windowsupdate.com, check your firewall logs to see who has
> hacked you, and install and run an antivirus with the latest updates that
> detects this thing [www.grisoft.com is free antivirus], or submit sample
> files to your antivirus vendor if it does not detect this thing. I do
> believe there may be new variants of Autorooter that possibly have not yet
> been fully discovered. Unlike an automated event like a worm, this event
> may indicate that someone personally ran a tool against you and may have
> done things to your computer.
>
> You can find out if you are infected with Autorooter or something new that
> hasn't been discovered by going to one of the scanner sites below. If
> nothing is detected, that's pretty interesting, let us and your antivirus
> company know:
>
> http://housecall.antivirus.com [my preference] OR
> http://security2.norton.com
>
>
> Once your computer has been hacked, some things I might recommend doing
> are here:
>
> http://securityadmin.info/faq.htm#hacked
> http://securityadmin.info/faq.htm#re-secure
> http://securityadmin.info/faq.htm#harden
>
> This Trojan has been given several different names by various anti-virus
> companies:
>
> RPC Worm (F-Secure)
> Downloader-DM (McAfee)
> Autorooter (Panda)
> Worm.Win32.Autorooter (AVP)
> Backdoor.IRC.Cirebot (Symantec)
>
> References:
>
> http://www.europe.f-secure.com/v-descs/rpc.shtml
> http://vil.nai.com/vil/content/v_100524.htm
> http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html
> http://news.com.com/2100%2D1009%2D5059263.html
> http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
> http://www.microsoft.com/security/security_bulletins/MS03-026.asp
> http://support.microsoft.com/?kbid=823980
>
>
> Here are some signs of infection, though these do not necessarily match all
> the variants that might be out there:
>
> "Signs of infection:
> - the existence of one or more of the following files:
> rpc.exe
> rpctest.exe
> tftpd.exe
> dcomx.exe
> lolx.exe
> worm.exe
>
> Signs that a network is being attacked:
> - traffic on port 445 to sequential IP addresses.
> Signs that an attack has succeeded (allowing a remote shell and downloading
> of the backdoor):
> - port 57005 open;
> - an ftp [tftp] connection on port 69."
>
> I hope this helps. Let us know if you find anything interesting. Thanks to
> Susan Bradley for pointing this information out.
>
Good job, Susan and Karl!
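An added example, not part of the thread: a small Python checker that applies the indicators quoted above (the listed file names, port-445 traffic to sequential addresses, port 57005, and a tftp transfer on UDP/69) to a constructed directory listing and a constructed firewall log. The log format is a hypothetical simplified one (time, protocol, src:port, dst:port, action), not the output of any particular firewall.

```python
import ipaddress
import re
from collections import defaultdict
# Indicators quoted in the thread (Autorooter / Backdoor.IRC.Cirebot write-up).
INDICATOR_FILES = {"rpc.exe", "rpctest.exe", "tftpd.exe", "dcomx.exe", "lolx.exe", "worm.exe"}
SMB_PORT, TFTP_PORT, BACKDOOR_PORT = 445, 69, 57005

# Constructed sample in a hypothetical simplified format: time proto src:port dst:port action
SAMPLE_LOG = """\
12:01:03 TCP 192.168.1.10:1034 10.0.0.1:445 ALLOW
12:01:03 TCP 192.168.1.10:1035 10.0.0.2:445 ALLOW
12:01:04 TCP 192.168.1.10:1036 10.0.0.3:445 ALLOW
12:01:09 TCP 203.0.113.5:4021 192.168.1.10:57005 ALLOW
12:01:11 UDP 192.168.1.10:1040 203.0.113.5:69 ALLOW
12:02:00 TCP 192.168.1.10:1050 93.184.216.34:80 ALLOW
this line is malformed and must be skipped
"""
LINE_RE = re.compile(r"^\S+\s+(\w+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)$")
def parse_log(text):
    """One dict per well-formed line; malformed lines are skipped rather than crashing."""
    recs = []
    for m in (LINE_RE.match(ln.strip()) for ln in text.splitlines()):
        if m:
            proto, src, sport, dst, dport, action = m.groups()
            recs.append({"proto": proto, "src": src, "dst": dst,
                         "sport": int(sport), "dport": int(dport), "action": action})
    return recs
def find_indicator_files(filenames):
    """Case-insensitive match of a directory listing against the named files."""
    return sorted(f for f in filenames if f.lower() in INDICATOR_FILES)

def sequential_smb_sources(recs, min_run=3):
    """Sources whose TCP/445 targets contain a run of >= min_run consecutive addresses."""
    targets = defaultdict(set)
    for r in recs:
        if r["proto"] == "TCP" and r["dport"] == SMB_PORT:
            targets[r["src"]].add(int(ipaddress.ip_address(r["dst"])))
    hits = set()
    for src, addrs in targets.items():
        run, prev = 0, None
        for a in sorted(addrs):  # a run only continues across consecutive integers
            run = run + 1 if prev is not None and a == prev + 1 else 1
            prev = a
            if run >= min_run:
                hits.add(src)
    return sorted(hits)
def backdoor_and_tftp(recs):
    """(src, dst, dport) for traffic to the backdoor port or a UDP/69 tftp transfer."""
    return [(r["src"], r["dst"], r["dport"]) for r in recs
            if r["dport"] == BACKDOOR_PORT or (r["proto"] == "UDP" and r["dport"] == TFTP_PORT)]
```

On the sample log the checker flags 192.168.1.10 as probing sequential hosts on 445, the inbound connection to 57005, and the outbound tftp fetch, which together match the "attack has succeeded" signs quoted above.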
