Security Basics mailing list archives

RE: Help on malicious program rpcxserv.exe


From: "Neils Christoffersen" <nchristof () creditsoup com>
Date: Mon, 16 Jun 2003 11:24:02 -0500

I downloaded the zip file from your FTP server and my virus scanner
(AVG) detected a virus called "BackDoor.Servu" in rpcxserv.exe

Maybe you can find more info on that.

--
Neils Christoffersen
Software Engineer
CreditSoup, Inc. 

-----Original Message-----
From: Michael Dorsey [mailto:enigmavr4 () bellsouth net] 
Sent: Saturday, June 14, 2003 8:18 PM
To: security-basics () securityfocus com
Subject: Help on malicious program rpcxserv.exe


I was looking at the open ports on a server at one of my clients and
noticed the server had a TCP connection that it opened to
63.98.19.244:6667. The offending program was
"C:\WINNT\System32\rpcxserv.exe". It was also listening on 20+ other
ports.

It's registered as a service called "RPC Interface" with a description
of "Provides Interface to remote call services over the network".

There was another file called "SUB0T.dll", which had the same date and
time as rpcxserv.exe of 2/11/03 at 18:46. Two additional files of
"SUB0T.ini" and "SUB0T.log" were also there. The ini looks like
instructions for logging into an IRC server. All of the files had the
system and hidden attributes set.

I'm guessing this is some kind of bot for a DoS attack and was curious
if anyone else had seen it or knows its infection method.

The server is a basic W2K, running Exchange 2000, GFI Faxmaker and
Backup Exec.

I haven't been able to find anything on the search engines or antivirus
sites.

Anyone that wants to look at the files can get them by anonymous ftp
here: ftp://advent.gotdns.com. The filename is "rpcxserv.zip".

Thanks for any info,


Michael Dorsey


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
analysts! The Gartner Group just put Neoteris in the top of its Magic
Quadrant, while InStat has confirmed Neoteris as the leader in
marketshare.

Find out why, and see how you can get plug-n-play secure remote access
in about an hour, with no client, server changes, or ongoing
maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------



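The two symptoms Michael Dorsey describes in the original message, an established connection from the server to a remote host on port 6667 and a single process listening on 20+ ports, can be checked for mechanically. The script below is an added example and not code from this thread; it parses `netstat -ano`-style output (that layout, the constructed sample lines and the PID-to-image map are assumptions) and reports both patterns.

```python
"""Flag the two symptoms from the report: an established connection to an IRC
port (6667) and one process listening on 20+ ports, from netstat-style text."""
from collections import defaultdict

IRC_PORTS = {6667}         # port seen in the report; the set is an assumption to extend
LISTENER_THRESHOLD = 20    # "listening on 20+ other ports" in the report

def split_addr(addr):
    """Split 'ip:port' (port may be '*' on UDP rows) into (ip, int or None)."""
    ip, port = addr.rsplit(":", 1)
    return ip, int(port) if port.isdigit() else None

def parse_netstat(text):
    """Return (proto, lip, lport, rip, rport, state, pid) tuples from netstat -ano text."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:  # UDP rows have no State column
            proto, local, remote, pid = parts[:4]
            state = "-"
        rows.append((proto, *split_addr(local), *split_addr(remote), state, int(pid)))
    return rows

def find_suspects(text, image_by_pid):
    """Return (kind, pid, image, detail) findings for the two reported symptoms."""
    findings, listeners = [], defaultdict(set)
    for proto, lip, lport, rip, rport, state, pid in parse_netstat(text):
        if state == "ESTABLISHED" and rport in IRC_PORTS:
            findings.append(("irc-connection", pid, image_by_pid.get(pid, "?"), f"{rip}:{rport}"))
        elif state == "LISTENING":
            listeners[pid].add(lport)
    for pid, ports in listeners.items():
        if len(ports) >= LISTENER_THRESHOLD:
            findings.append(("many-listeners", pid, image_by_pid.get(pid, "?"), f"{len(ports)} TCP ports"))
    return findings

# Constructed sample (not from the post): benign listeners plus one PID that mirrors
# the reported behaviour; the PID-to-image map is assumed to come from a process lister.
SAMPLE_IMAGES = {372: "svchost.exe", 1044: "inetinfo.exe", 1500: "rpcxserv.exe"}
SAMPLE_NETSTAT = "\n".join(
    ["  Proto  Local Address    Foreign Address    State        PID",
     "  TCP    0.0.0.0:135      0.0.0.0:0          LISTENING    372",
     "  TCP    0.0.0.0:25       0.0.0.0:0          LISTENING    1044",
     "  TCP    10.0.0.5:1041    63.98.19.244:6667  ESTABLISHED  1500",
     "  UDP    0.0.0.0:137      *:*                1500"]
    + [f"  TCP    0.0.0.0:{p}   0.0.0.0:0          LISTENING    1500" for p in range(1100, 1122)])
```

Run `find_suspects(SAMPLE_NETSTAT, SAMPLE_IMAGES)` to see both findings attributed to the rpcxserv.exe PID while the ordinary services stay silent.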