1. Welcome to Baptist Board, a friendly forum to discuss the Baptist Faith in a friendly surrounding.

    Your voice is missing! You will need to register to get access to all the features that our community has to offer.

    We hope to see you as a part of our community soon and God Bless!

W32RPC virus?

Discussion in 'Computers & Technology Forum' started by GloryBound, Sep 16, 2003.

  1. GloryBound

    GloryBound New Member

    Sep 14, 2001
    Likes Received:
    Has anyone here ever heard of the W32RPC computer virus? My sister-in-laws computer is infected with that virus. I have searched the web for info on it but only found two or three people on message boards talking about it. Like me, they have no info on it either. None of the AntiVirus sites have anything about it. I scanned her hard drive with Norton and it shows no virus there.

  2. RodH

    RodH <img src ="http://humphrey.homestead.com/files/Rod

    Sep 5, 2002
    Likes Received:
    I couldn't find that name, but I did find the following at McAfee.com that might be what you are looking for:

    Name: Downloader-DM
    Risk Assessment
    - Home Users: Low-Profiled
    - Corporate Users: Low-Profiled
    Date Discovered: 8/2/2003
    Date Added: 8/2/2003
    Origin: Unknown
    Length: 113,507 bytes
    Type: Trojan
    SubType: Dropper
    DAT Required: 4283

    Virus Characteristics

    -- Update August 04, 2003 --
    The risk assessment of this threat was updated to Low-Profiled due to the c|net article Attack bot exploits Windows flaw.
    This is not an email virus. This downloader trojan has been found within a self-extracting dropper package (possibly named worm.exe 113,507 bytes). The self-extracting archive carries 3 files.

    The following files are contained within the dropper.
    rpc.exe 40,960 bytes downloader trojan, tries to exploit MS03-026 to instruct a remote host to download lolx.exe from the infected host, via tftp, and run the downloaded exe
    rpctest.exe 94,298 bytes MS03-026 exploit tool, creates remote shell on TCP port 57005
    tftpd.exe 143,872 bytes haneWIN TFTP server

    Other files associated with this threat are lolx.exe and dcomx.exe. The files are detected with the 4243+ dat files as W32/Lolol.worm.gen.

    Indications of Infection

    Presence of the following files on the root directory:

    Method of Infection

    Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc. Trojans may also be received as a result of poor security practices (weak username/password combination on open shares, lack of/or misconfigured firewall protection), or unpatched and vulnerable systems.

    Removal Instructions

    All Users:
    Use specified engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations


    Autorooter (Panda), Backdoor.IRC.Cirebot (Symantec), Mescaline, RPC Worm (F-Secure), Worm.Win32.Autorooter (AVP)

  3. GloryBound

    GloryBound New Member

    Sep 14, 2001
    Likes Received:
    Thank you Rod! This will certainly be helpful.