The Microsoft Most Valuable Professional (MVP) Program was started in the mid 1990s as a way to recognise those members of the general public who devoted their time and considerable computing skills, on a voluntary basis, to helping users 'in distress' in the various newsgroups hosted by Microsoft. There are now around 1800 MVPs worldwide who actively participate in the Microsoft Technical Newsgroups. Many are IT consultants, some are published authors or technical instructors, and there are those who have no formal training but have an in-depth level of practical experience.
RPC Blaster Exploit
May 21, 2012

Remote Procedure Call Exploit - an RPC dialog box pops up with a one-minute timer before shutting down the system (This shutdown was initiated by NT AUTHORITY\SYSTEM):

[Image: the System Shutdown dialog triggered by the RPC service crash]

If you are seeing this, it is most likely that your RPC service is being exploited through a known issue that was originally patched on July 16th 2003.
Once the countdown is in progress it is possible to stop it by going to Start, Run, typing cmd and clicking OK. Then, on the command line, type: shutdown -a

This will abort the shutdown and give you time to patch the RPC service. The previous patch which corrected this issue was recently superseded by Update Rollup 1 for Microsoft Windows XP, which corrects 23 critical security issues in Windows XP. You should download and install this immediately, as the original patch (MS03-026) does not protect you against all of the attacks covered in MS03-039.

Please note that ALL members of the Windows NT family, including Windows 2000, XP and Server 2003, are vulnerable to the remote RPC exploit if not patched. Should you make a clean install of the operating system and connect to an infected local area network or the internet, your system is a prime target for attack. The exception to the rule is Windows XP Service Pack 2 and Windows XP for 64-Bit Extended (AMD64) Systems, which already include the updates to the Windows RPC Service.

To tell if you have a 64-bit system: see here
If you do have a 64-bit system, apply the MS03-039 patch.


When the RPC service is exploited it is possible for the attacking entity to execute code of its choice on the compromised system. Such was the case with the MS Blast worm, which can be placed onto the system over TFTP under multiple names (depending on the variant) such as msblast.exe, penis32.exe, mslaugh.exe, teekids.exe, mspatch or ENBIEI.EXE; it then uses your computer to attack other unpatched machines using the RPC exploit.

You can remove these with the following script if you are infected
(msblast removal script by MVP Kelly, now removes the a, b, c, d, e and f variants)
Download here

It is possible to tell if you are infected by searching your system for the name of each worm, i.e. msblast.exe. I would, though, recommend running the above script on any system which has been directly exposed to the internet without the Q823980 patch applied.
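The triage steps above (abort the countdown, search for the listed worm filenames, confirm the RPC hotfix is present) as one PowerShell script. This is an added example, not part of the original page or Kelly's removal script; it assumes the Q823980 hotfix is reported by Get-HotFix under the later KB823980 naming, and that the variant listed only as "mspatch" may carry an .exe extension.

```powershell
# Added example (not from the original page): defender-side triage for the
# RPC/Blaster issue described above.
# Assumption: Get-HotFix reports the Q823980 hotfix as KB823980.

# Filenames the page lists for MSBlast variants ("mspatch" has no extension
# on the page, so it is matched on base name as well).
$wormNames = @('msblast.exe', 'penis32.exe', 'mslaugh.exe',
               'teekids.exe', 'mspatch', 'ENBIEI.EXE')

# The worm copied itself into the Windows system folder over TFTP.
$searchRoots = @("$env:SystemRoot\system32", $env:SystemRoot)

function Stop-PendingShutdown {
    # shutdown -a cancels the one-minute countdown the RPC crash triggers;
    # the error it prints when no shutdown is pending is suppressed.
    & "$env:SystemRoot\system32\shutdown.exe" -a 2>$null
}

function Find-BlasterFiles {
    param([string[]]$Roots, [string[]]$Names)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -File -Force -ErrorAction SilentlyContinue |
            Where-Object { ($Names -contains $_.Name) -or ($Names -contains $_.BaseName) } |
            ForEach-Object {
                [pscustomobject]@{ Path = $_.FullName; SizeBytes = $_.Length; LastWrite = $_.LastWriteTime }
            }
    }
}

function Test-RpcHotfix {
    param([string]$Id = 'KB823980')   # assumed id; see lead-in
    return [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

Stop-PendingShutdown
$hits = @(Find-BlasterFiles -Roots $searchRoots -Names $wormNames)
if ($hits.Count -gt 0) {
    Write-Warning "Files matching known MSBlast names were found; run the removal script and patch:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No files matching the listed worm names were found."
}
if (-not (Test-RpcHotfix)) {
    Write-Warning "RPC hotfix not reported as installed; apply MS03-039 / Update Rollup 1 and enable the firewall."
}
```

Run from an elevated prompt so the system folder and hotfix inventory are readable; an empty result does not prove a clean system, since the page notes new variants appear under other names.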

In future it is recommended that you use a firewall and stay up to date with both antivirus and Windows patches. If you are not running any antivirus software you should get some; Grisoft offer a free edition of AVG Antivirus for single home and non-commercial end users: http://www.grisoft.com/us/us_dwnl_free.php

Using the Windows XP Internet Connection Firewall can help to increase the security of your system, because it prevents people from sending packets to whichever service on your machine they like (i.e. the RPC service, the Messenger service).

http://www.microsoft.com/security/protect/windowsxp/firewall.asp

http://support.microsoft.com/?kbid=283673
http://v4.windowsupdate.microsoft.com
http://www.microsoft.com/security/incident/blast.asp

Worm.Win32.Autorooter/msblast
http://www.avp.ch/avpve/worms/win32/autorooter.stm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html


Copyright © 2002-2003, Mark Salloway, All Rights Reserved. All images and product names used within this site are the property of their respective copyright owners and are used as an example. Reproduction of information on this site, in any form, is prohibited without express written permission.

Microsoft is in no way affiliated with, nor offers endorsement of, this site. Members of the MVP program are not employees of the Microsoft Corporation. This site's owner assumes no liability for use of any information provided. Usage of this site's content, links and any downloadable items provided is at your own risk.