Responding to RPC-DCOM Events

The following procedure should allow you to respond to any type of Microsoft RPC-DCOM event that has occurred in your network. There are three types of events you may need to respond to:
- Vulnerable to RPC-DCOM
- Infected with the Blaster worm
- Infected with the Welchia worm
- Compromised with Trojan.Stealther
The UITS Security Group recommends performing all of the steps below in the order we have outlined. If you have a large number of these incidents to respond to and you fully understand what you are doing, there are some tips to speed this process up at the end of this document. If you are an end-user attempting to fix your own computer, we recommend taking all of these steps.

Update 08.13.03 1530: Section for Fixing Windows Installer added.
Update 08.26.03 1400: Section for Fixing Welchia added.
1) Prepare Your Kit

First you need to gather all of the files you will need on a CD, since the computer you are responding to will not be connected to the network. Download the following files and burn them on a CD from a clean computer. If you know you will only be responding to a single type of event and fully understand what you are doing, you can choose to download only the files you will need.

Note: Norton Antivirus (NAV) version 8.0 is now called Symantec Antivirus (SAV).
2) Disconnect the Computer

The computer you are responding to should not be connected to the network, where it could become infected again. The computer may have had its network jack disconnected or its IP address blocked. If it is still connected to the network when you arrive, physically unplug the network cable from the back of the computer and do not reconnect it until you are finished with these steps. If the computer has been powered off, unplug its network cable before you turn it on.
3XP) Disable System Restore (Win XP)

If you are running Windows XP, disable System Restore by right-clicking My Computer, going to Properties, clicking the System Restore tab and choosing "Turn off System Restore". If you do not disable this, it may back up the virus files and try to restore them to the computer later.
3) Fix Winshell / Stealther

Fix the Winshell/Stealther compromise by running the file named "FixWinsh.exe" and deleting the file named "update.exe" in the C: drive. For more complete information please check out UConn's Recovering from Trojan.Stealther page or Symantec's WinShell removal tool page.
4) Fix Blaster

Fix the MS Blaster worm infection by running the file named "FixBlast.exe". For more complete information please check out UConn's Recovering from MS Blaster page or Symantec's FixBlaster removal tool page.
4 1/2) Fix Welchia

Fix the Welchia worm infection by running the file named "FixWelch.exe". For more complete information please check out UConn's Recovering from Welchia page or Symantec's FixWelch removal tool page.
5) Uninstall NAV

Uninstall Norton Antivirus if it displays a yellow exclamation mark over the gold shield icon in the lower right-hand corner of your screen (near the time). It may have been corrupted by Stealther.Trojan and will not function properly.

6) Reboot

Now that both fixes have been applied and NAV has been removed, reboot the computer.
6XP) Enable System Restore (Win XP)

If you are running Windows XP, re-enable System Restore by right-clicking My Computer, going to Properties, clicking the System Restore tab and clearing the "Turn off System Restore" box.

7) Install NAV 8.0

Install Symantec Antivirus v8.
8) Config to Update Daily

Configure Symantec Antivirus to download new virus definitions daily. Go to "File" -> "Schedule Updates...", click the "Schedule..." button, and select the "Daily" radio button. Pick a time early in the day when the computer will be turned on.
9) Install Latest Defs

Install the latest virus definitions by running the file named "20030812-006-x86.exe". This will make sure SAV has definitions for MS Blaster and Stealther/Winshell. After it is done, right-click on the gold shield icon in the lower right-hand corner of your screen (near the time), and make sure "Enable File System Realtime Protection" is checked.

10) Scan for Viruses

Scan all local disks for viruses now that the latest definitions are installed. THIS WILL TAKE SOME TIME, but it is important to be sure the worm and trojans have been uninstalled properly.
11) Install Latest Service Pack

NOTE: There is a reason to install the Service Pack before you patch the RPC-DCOM vulnerability. If you install this Service Pack after you patch the vulnerability, it will undo the patch and make the computer vulnerable again.

Install the latest Service Pack for your operating system:
- For Windows 2000 install "w2ksp4_en.exe"
- For Windows XP install "xpsp1a_en_x86.exe"
- For Windows NT4 install "sp6i386.exe"

THIS WILL TAKE SOME TIME, but it is important to make sure the computer does not become vulnerable after the user runs Windows Update and installs this Service Pack at a later time.
12) Install RPC-DCOM Patch

Install the patch for the RPC-DCOM vulnerability for your operating system:
- For Windows 2000 install "Windows2000-KB823980-x86-ENU.exe"
- For Windows XP install "WindowsXP-KB823980-x86-ENU.exe"
- For Windows NT4 install "Q823980i.EXE"

This is perhaps the most critical step of the entire operation. It fixes the vulnerability in RPC-DCOM and protects the computer from any future events that target this flaw.
13) Reboot

The RPC-DCOM patch will require the computer to be restarted after it is installed.

NOTE: Windows Installer may give many errors after the computer is restarted. If it does, it means it has been corrupted and needs to be reinstalled. Check out Fixing Windows Installer.
14) Reconnect

Now that:
- The worm or trojan is fixed
- The antivirus definitions are updated
- The Service Pack is installed
- The RPC-DCOM patch is installed

it is safe to re-attach the computer to the network. Doing it before those steps are complete (in that order) risks further damage.
15) Visit Windows Update

Visit Windows Update to get all remaining "Critical Updates and Service Packs" listed in the left-hand menu after the scan. Microsoft's Windows Update servers may be very busy while MS Blast is still spreading across the Internet, as this worm targets them for attack.
16) Enable Automatic Updates

Enable Automatic Updates to "Download the updates and ... notify me" by going to Start -> Control Panels -> Automatic Updates on Windows 2000 and XP computers.

17) Scan the computer

After you are completely finished, scan the computer's IP address using "RetinaRPCDCOM.exe". Enter its IP address, uncheck the "Show Only Vulnerable Servers" box, and click Scan. Computers that have been successfully fixed will say "PATCHED".
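The Retina scan above confirms the patch from the outside. As an added example that is not part of the original UITS page, the following PowerShell script performs the complementary local check for the reconnect conditions listed in step 14 (service pack, KB823980 patch, antivirus service and definitions); worm removal itself is confirmed by the step 10 scan. It uses the standard Win32_OperatingSystem and Win32_QuickFixEngineering WMI classes; the SAV service name and definition folder are assumptions, adjust them to your deployment.

```powershell
# Added example: local pre-reconnect check for the step-14 conditions.
# KB823980 is the RPC-DCOM patch named in step 12 of the UITS page.
# The service name and definition directory below are assumptions.
param(
    [string]$HotfixId = 'KB823980',
    [int]$MinimumServicePack = 1,   # XP SP1 per step 11; use 4 for Windows 2000 SP4
    [string]$ServiceName = 'Symantec AntiVirus',   # assumed SAV 8 service name
    [string]$DefinitionDir = 'C:\Program Files\Common Files\Symantec Shared\VirusDefs'  # assumed
)

$os     = Get-WmiObject -Class Win32_OperatingSystem
$hotfix = Get-WmiObject -Class Win32_QuickFixEngineering |
          Where-Object { $_.HotFixID -eq $HotfixId }
$av     = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
# SAV stores each definition set in a folder named like 20030812.006 (from step 9's file name)
$defs   = Get-ChildItem -Path $DefinitionDir -Directory -ErrorAction SilentlyContinue |
          Sort-Object Name -Descending | Select-Object -First 1

$checks = @(
    @{ Name = "Service Pack $MinimumServicePack or later installed"
       Pass = ([int]$os.ServicePackMajorVersion -ge $MinimumServicePack) }
    @{ Name = "RPC-DCOM patch $HotfixId installed"
       Pass = ($null -ne $hotfix) }
    @{ Name = 'Antivirus service present and running'
       Pass = ($null -ne $av -and $av.Status -eq 'Running') }
    @{ Name = 'Virus definition set present'
       Pass = ($null -ne $defs) }
)

foreach ($c in $checks) {
    $state = if ($c.Pass) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $state, $c.Name)
}
if ($defs) { Write-Output ("       newest definition set: {0}" -f $defs.Name) }

if ($checks | Where-Object { -not $_.Pass }) {
    Write-Output 'Do NOT reconnect: one or more step-14 conditions are not met.'
    exit 1
}
Write-Output 'All step-14 conditions met; reconnect, then verify remotely as in step 17.'
```

Run it from an administrative PowerShell prompt on the repaired machine before plugging the network cable back in.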
Fixing Windows Installer

We have noticed that many computers give Windows Installer errors after an RPC-DCOM event. Brett Paulson of Dell has come up with this procedure to fix those errors:

You will need to download "InstMsiW.exe" to fix this problem.

The symptoms of the problem are that the computer comes up with messages saying it is trying to install programs and cannot find the location. When you try to run the InstMsiW.exe file, which is the Windows Installer update program, you get the message "the specified service exists". Here is the process to bypass this.
1. Log on as an administrator and launch a command prompt by going to Start -> Run.
2. Type "cmd" in the box and press Enter.
3. At the C:\> prompt, type the following without quotes: "msiexec /unregserver".
4. Reboot the computer.
5. Log on as administrator. Close any messages you might receive. Then launch a command prompt by going to Start -> Run, typing "cmd" in the box and pressing Enter.
6. Type the following without quotes: "cd\winnt\system32" and press Enter.
7. This part is tricky and needs to be done fast. Have the InstMsiW.exe file ready to be run immediately following the next step.
8. The command prompt should read c:\winnt\system32>
9. Type the following: "del msiexec.exe" and press Enter.
10. Immediately run the InstMsiW.exe program. Note: If you don't execute it fast enough you'll have to redo steps 5 through 9.
11. You will see Windows Installer launch and install the program. It will then tell you it has been installed successfully and prompt you to reboot. Once the computer comes back up you should be all fixed.
WARNING: This section is for advanced users only. If you choose to skip any of the above steps to save yourself time, you are risking re-infection and possibly further damage to the computer. Now that you are visiting the computer, take time to completely protect it from future events of this type. If you only choose to perform the abbreviated steps below, you may not be fixing everything that is wrong with that computer, and you may be re-visiting it again soon.

If you have a large number of these events to respond to and completely understand what you are doing, here are some tips for fast response to a particular incident:
If the computer is vulnerable to RPC-DCOM and has not been infected or compromised:

If the computer has been infected with MS Blaster:

If the computer has been infected with Welchia:

If the computer has been compromised with Stealther.Trojan:

If the computer was infected with the Stealther.Trojan, was patched while it was still compromised, and blue screens upon reboot, follow these recovery instructions from Brett Paulson of Dell:
http://security.uconn.edu/old_site/recovery_rpc_crash.html