Examining RPC/DCOM Compromised Computers
There are a variety of Trojan programs that may have been installed on the compromised computer. A compromised computer should be removed from the network, inspected, and restored. Some of the more commonly reported Trojan programs found on computers missing the MS03-026 patch include, but are not limited to:
Backdoor.IRC.Flood.F - Installation of a Trojan program for remote control of the compromised host. Reference information is here. See the suggested website for a list of files often placed into the local C:\Winnt\Inf folder.
BackDoor-AUI - Installation of a Trojan program for remote control of the compromised computer. Reference information is here. A compromise could be indicated by the presence of the file "DIRECTX.EXE" in the local folder C:\WINNT\SYSTEM32. The Trojan could attempt to connect to an external IRC address via port 6667.
BackDoor.Hale - Installation of a Trojan program for remote control of the compromised computer, FTP services and other system utilities. Reference information is here. A compromise could be indicated by the presence of the folder "C:\winnt\system32\qossrv". See the suggested website for a list of files often placed into this folder.
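The following PowerShell triage script is an added example, not part of the original page; it checks a host for the file, folder and network indicators listed above so an analyst can decide whether deeper inspection is needed. It assumes the Windows directory is reported by $env:SystemRoot (C:\WINNT on the systems this page describes) and that netstat.exe is available.

```powershell
# Added triage check for the indicators named above (not from the original page).
# Assumption: $env:SystemRoot points at the Windows directory (e.g. C:\WINNT).
$systemRoot = $env:SystemRoot
$findings = @()

# File/folder indicators: BackDoor-AUI drops DIRECTX.EXE, BackDoor.Hale creates qossrv.
$indicators = @(
    @{ Name = 'BackDoor-AUI';  Path = Join-Path $systemRoot 'System32\DIRECTX.EXE' },
    @{ Name = 'BackDoor.Hale'; Path = Join-Path $systemRoot 'System32\qossrv' }
)
foreach ($i in $indicators) {
    if (Test-Path -LiteralPath $i.Path) {
        $findings += "[$($i.Name)] indicator present: $($i.Path)"
    }
}

# Backdoor.IRC.Flood.F places files in the Inf folder; list recently written entries
# there so they can be compared against the vendor's published file list.
$infFolder = Join-Path $systemRoot 'Inf'
if (Test-Path -LiteralPath $infFolder) {
    Get-ChildItem -LiteralPath $infFolder -File |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
        ForEach-Object {
            $findings += "[Backdoor.IRC.Flood.F?] recently written file in Inf: $($_.FullName) ($($_.LastWriteTime))"
        }
}

# Network indicator: any TCP connection to a remote port 6667 (IRC) from a server is suspicious.
# netstat -ano columns: Proto, Local Address, Foreign Address, State, PID.
$ircLines = netstat -ano | Select-String -Pattern '^\s*TCP\s+\S+\s+(\S+):6667\s+(\S+)\s+(\d+)'
foreach ($m in $ircLines) {
    $remote = $m.Matches[0].Groups[1].Value
    $state  = $m.Matches[0].Groups[2].Value
    $procId = $m.Matches[0].Groups[3].Value
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $findings += "[IRC] connection to ${remote}:6667 ($state) by PID $procId ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    'None of the listed indicators were found; this does not by itself show the host is clean.'
} else {
    $findings
}
```

Run it from an elevated prompt on the isolated host; a hit on any line warrants the full inspection and restore described above rather than removal of the single file.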