August 11, 2003

Manifestation of the MS RPC Worm

A few weeks back I saw the Microsoft RPC advisory, got a chuckle and moved on. Heard rumors throughout the day that numerous machines at work had been affected, none in the immediate office.

Got home from work to a message from a friend (Holli) saying her machine was acting strange and to please call. The first few words out of her mouth in reading the message contained "RPC." Her machine was being flooded every ~6 minutes with RPC requests, and shortly after, the machine would pop up a series of messages about saving all files before the machine was shut down via RPC. She was quite bewildered by the behavior and wanted to know if I could help figure it out. I hadn't heard of any of the manifestations of the worm, so it was interesting to see exactly what it could do to a machine. Her laptop was being rebooted every 6 minutes it was online.

Unplugging the laptop from the cable modem stopped the problem (obviously). We attempted to get back on the network and download the security patches, but within 60 seconds of being online the RPC requests were flooding the machine again. I brought her machine back to my house to run the updates on my local network behind the firewall. Went off without a hitch.

I must say, Holli has been a Mac user for years; she's using my old PC laptop. So I guess in a way it's my doing that she's using Windows.

Will close with a quote from Microsoft Security Bulletin MS03-026:

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.
Really beginning to understand what Microsoft means when they extend standardized technologies.

