UPDATED INFO -- Examining RPC/DCOM Compromised Computers

Many Windows computers that were missing the MS03-026 RPC/DCOM security patch may have been compromised. Symptoms include random reboots, RPC failures, unusually sluggish performance, and delayed startup or shutdown.

A variety of Trojan programs may have been installed on a compromised computer. A compromised computer should be removed from the network, inspected and restored. After backing up data, a full disk format and reinstallation of the operating system is recommended. The indicators below cover only the named Trojans, so their absence does not mean an unpatched machine is clean; the paths given assume the default Windows NT/2000 system folder C:\Winnt. Some of the more commonly reported Trojan programs found on computers missing the MS03-026 patch include, but are not limited to:

Backdoor.IRC.Flood.F - Installation of a Trojan program for remote control of the compromised host. Reference information is here. See the suggested Web site for a list of files often placed in the local C:\Winnt\Inf folder.

BackDoor-AUI - Installation of a Trojan program for remote control of the compromised computer. Reference information is here. A compromise could be indicated by the presence of the file DIRECTX.EXE in the local folder C:\WINNT\SYSTEM32. The Trojan may attempt to connect to an external IRC server on TCP port 6667.

BackDoor.Hale - Installation of a Trojan program for remote control of the compromised computer, plus FTP services and other system utilities. Reference information is here. A compromise could be indicated by the presence of the folder C:\winnt\system32\qossrv. See the suggested Web site for a list of files often placed in this folder.

Backdoor.WinShell.50 - Installation of a Trojan program permitting unauthorized access to the compromised computer. Reference information is here. A compromise is indicated by the presence of a new service with these characteristics:
"Display Name"="CSRS Windows NT"
"Service Name"="CSRSWIN"
"Description"="CSRS Windows NT"

Backdoor.IRC.Cirebot - Installation of a Trojan program permitting unauthorized access to the compromised computer. Reference information is here. A compromised system is indicated by the presence of C:\Rpc.exe, C:\Rpctest.exe, or C:\Lolx.exe.
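The indicators above are the kind of thing an analyst checks in bulk rather than by hand. The following script is an added example, not a tool from this notice or from any vendor it cites. It assumes the suspect machine's system drive has been imaged or mounted read-only at a path called root, and that `sc query` and `netstat -an` output were saved to text before the machine was pulled off the network, so every check runs offline against collected artifacts. The function names, the sample service and netstat listings, and the throwaway sample image are all constructed for this example. Paths are matched case-insensitively because NTFS is, while the analyst's mount point may not be; the IRC check treats only RFC 1918 and loopback addresses as internal.

```python
"""Offline indicator sweep for the Trojans named in this notice (added
example, not a tool from the notice). Assumes the system drive is mounted
read-only at `root` and that `sc query` / `netstat -an` output was saved."""
import ipaddress
import os
import re
import tempfile

# Indicators transcribed from the notice; Windows paths relative to the system
# drive, matched case-insensitively because NTFS is and the mount may not be.
FILE_INDICATORS = {
    "BackDoor-AUI": [r"WINNT\SYSTEM32\DIRECTX.EXE"],
    "Backdoor.IRC.Cirebot": [r"Rpc.exe", r"Rpctest.exe", r"Lolx.exe"],
}
DIR_INDICATORS = {"BackDoor.Hale": [r"winnt\system32\qossrv"]}
SERVICE_INDICATORS = {"Backdoor.WinShell.50": "CSRSWIN"}  # service name
IRC_PORT = 6667  # BackDoor-AUI beacons to an external IRC server on this port
# Assumption: only RFC 1918 and loopback count as internal on this network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def resolve_ci(root, win_rel_path):
    """Map a Windows-style relative path onto the mount, one component at a
    time and case-insensitively; None if any component is missing."""
    cur = root
    for part in filter(None, win_rel_path.split("\\")):
        try:
            match = next(e for e in os.listdir(cur) if e.lower() == part.lower())
        except (OSError, StopIteration):
            return None
        cur = os.path.join(cur, match)
    return cur


def parse_sc_query(text):
    """Yield (service_name, display_name) pairs from `sc query` output."""
    name = None
    for line in text.splitlines():
        m = re.match(r"\s*(SERVICE_NAME|DISPLAY_NAME):\s*(.+?)\s*$", line)
        if not m:
            continue
        if m.group(1) == "SERVICE_NAME":
            name = m.group(2)
        elif name is not None:
            yield name, m.group(2)
            name = None


def external_irc_connections(netstat_text):
    """Foreign endpoints in `netstat -an` output that are TCP sessions to a
    non-internal address on the IRC port."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].upper() != "TCP":
            continue
        host, _, port = f[2].rpartition(":")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # header lines, IPv6 brackets, etc.
        if port == str(IRC_PORT) and not any(addr in n for n in INTERNAL_NETS):
            hits.append(f[2])
    return hits


def sweep(root, sc_query_text, netstat_text):
    """Check every indicator; return a list of (trojan, evidence) tuples."""
    found = []
    for trojan, paths in FILE_INDICATORS.items():
        for p in paths:
            hit = resolve_ci(root, p)
            if hit and os.path.isfile(hit):
                found.append((trojan, "file present: " + p))
    for trojan, dirs in DIR_INDICATORS.items():
        for d in dirs:
            hit = resolve_ci(root, d)
            if hit and os.path.isdir(hit):
                found.append((trojan, "folder present: " + d))
    installed = {n.lower(): disp for n, disp in parse_sc_query(sc_query_text)}
    for trojan, svc in SERVICE_INDICATORS.items():
        if svc.lower() in installed:
            found.append((trojan, f"service present: {svc} ({installed[svc.lower()]})"))
    for endpoint in external_irc_connections(netstat_text):
        found.append(("BackDoor-AUI", "IRC connection to " + endpoint))
    return found


# Constructed sample artifacts for the demo (not captured from a real host).
SAMPLE_SC_QUERY = """\
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        STATE              : 4  RUNNING
SERVICE_NAME: CSRSWIN
DISPLAY_NAME: CSRS Windows NT
        STATE              : 4  RUNNING
"""
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1038      192.168.1.5:6667       ESTABLISHED
  TCP    192.168.1.10:1045      203.0.113.7:6667       ESTABLISHED
"""


def build_sample_image():
    """Throwaway directory laid out like a compromised system drive; the file
    case deliberately differs from the indicator to exercise resolve_ci()."""
    root = tempfile.mkdtemp(prefix="ms03-026-")
    os.makedirs(os.path.join(root, "winnt", "system32", "qossrv"))
    open(os.path.join(root, "winnt", "system32", "DirectX.exe"), "wb").close()
    open(os.path.join(root, "rpctest.exe"), "wb").close()
    return root


def demo():
    """Sweep the constructed image and artifacts; returns the findings."""
    return sweep(build_sample_image(), SAMPLE_SC_QUERY, SAMPLE_NETSTAT)


if __name__ == "__main__":
    for trojan, evidence in demo():
        print(f"{trojan}: {evidence}")
```

On the sample data the sweep reports the DIRECTX.EXE file, the Rpctest.exe file, the qossrv folder, the CSRSWIN service and the single IRC session to a non-internal address; the session to 192.168.1.5 is ignored as internal. Adding an indicator from a vendor write-up is one entry in the dictionaries at the top, and because the script only reads saved artifacts it never has to run on the suspect host itself.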