Classification

Category :

Malware

Type :

Backdoor

Aliases :

RPC, Exploit.Win32.Autorooter, RPC-1, Cirebot, Downloader-DM

Summary

A set of files using a security vulnerability in Windows operating system was found around 19:00 GMT on saturday 2nd of August, 2003.

Scenario looked bad in the beginning, as the package contained files with names such as rpc.exe and worm.exe.

After detailed analysis, we can confirm that this is not a worm at all. It does not even attempt to spread further from affected hosts.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The vulnerability being used here is MS03-026, "Buffer Overrun In RPC Interface". https://www.microsoft.com/technet/security/bulletin/MS03-026.asp This vulnerability was discovered on July 16th, 2003.

This program will create these files to local hard drive:

rpc.exe
 rpctest.exe
 tftpd.exe
 dcomx.exe
 lolx.exe
 worm.exe

Rundown of the files:

Worm.exe is a self-extracting archive that will create rpc.exe, rpctest.exe and tftp.exe.

Tftp.exe is a normal tftp server utility.

Rpctest.exe and rpc.exe are part of autorooter.zip tool, released around 30th of June. Rpctest.exe uses the known RPC exploit to spawn a remote shell which listens at TCP port 57005. It contains the text "USE THE FORZ LUKE!" Rpc.exe contains text "rpc autorooter by ERIC". These programs are written which Microsoft Visual Basic.

Dcomx.exe and lolx.exe are based on older backdoors and are already detected by F-Secure Anti-Virus as variants of "Sdbot". For more information on Sdbot irc-based backdoors, see: https://www.f-secure.fi/v-descs/sdbot.shtml

So, all files are accounted for. There's no worm here. If somebody would be sitting at the IRC channel and giving commands manually to affected machines, he could get the tool propogated from one machine to another. But that wouldn't be automatic.

We recommend all users apply the Microsoft patch (available from the above Microsoft link). Also, blocking TCP ports 135, 139 and 445 in your local firewall will help. F-Secure Distributed Firewall blocks these by default.