Security Basics mailing list archives

Help on malicious program rpcxserv.exe


From: "Michael Dorsey" <enigmavr4 () bellsouth net>
Date: Sat, 14 Jun 2003 21:18:26 -0400

I was looking at the open ports on a server at one of my clients and noticed
the server had a TCP connection that it opened to 63.98.19.244:6667. The
offending program was "C:\WINNT\System32\rpcxserv.exe". It was also
listening on 20+ other ports.

It's registered as a service called "RPC Interface" with a description of
"Provides Interface to remote call services over the network".

There was another file called "SUB0T.dll", which had the same date and time
as rpcxserv.exe of 2/11/03 at 18:46. Two additional files of "SUB0T.ini" and
"SUB0T.log" were also there. The ini looks like instructions for logging
into an IRC server. All of the files had the system and hidden attributes
set.

I'm guessing this is some kind of bot for a DoS attack and was curious if
anyone else had seen it or knows its infection method.

The server is a basic W2K, running Exchange 2000, GFI Faxmaker and Backup
Exec.

I haven't been able to find anything on the search engines or antivirus
sites.

Anyone that wants to look at the files can get them by anonymous ftp here.
ftp://advent.gotdns.com.  The filename is "rpcxserv.zip".

Thanks for any info,


Michael Dorsey
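The two network indicators in this post (a process holding an outbound TCP connection to port 6667, and the same process listening on 20+ other ports) are the kind of thing a defender can check for mechanically from a port-to-process listing. The script below is an added example, not part of Michael's post and not from any tool mentioned in it. It assumes `netstat -ano`-style output with a PID column (the sample is constructed here, with PID 1660 standing in for the suspect process and the 6660-6669 range assumed as the conventional IRC port block); the 20-port threshold is taken from the post.

```python
from collections import defaultdict

# 6667 is the port seen in the post; treating the whole 6660-6669 block as
# IRC is an assumption made for this example.
IRC_PORTS = set(range(6660, 6670))

# Threshold mirrors the post's "listening on 20+ other ports".
LISTEN_THRESHOLD = 20


def build_sample_netstat():
    """Constructed `netstat -ano`-style output, not captured from the real host.

    PID 1660 is a hypothetical stand-in for the suspect process; the other
    PIDs are ordinary services (SMTP, HTTP, NetBIOS) that should not be flagged.
    """
    lines = [
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1208",
        "  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1504",
        "  TCP    192.168.1.10:139       192.168.1.20:1034      ESTABLISHED     8",
        "  UDP    0.0.0.0:137            *:*                                    8",
    ]
    # 21 listening sockets for the suspect PID, mimicking "20+ other ports".
    for port in range(1100, 1121):
        lines.append(f"  TCP    0.0.0.0:{port}   0.0.0.0:0   LISTENING   1660")
    # The outbound IRC connection reported in the post.
    lines.append("  TCP    192.168.1.10:1045      63.98.19.244:6667      ESTABLISHED     1660")
    return "\n".join(lines)


def port_of(endpoint):
    """Return the numeric port of 'addr:port'; '*:*' and the like give None."""
    _, _, port = endpoint.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_netstat(text):
    """Parse netstat lines into dicts; header, blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP" and len(fields) == 5:
            proto, local, foreign, state, pid = fields
        elif fields[0] == "UDP" and len(fields) == 4:
            proto, local, foreign, pid = fields
            state = ""  # UDP rows carry no state column
        else:
            continue  # ignore rather than crash mid-triage
        records.append({"proto": proto, "local": local, "foreign": foreign,
                        "state": state, "pid": int(pid)})
    return records


def summarize_by_pid(records):
    """Group sockets per PID: set of listening ports and set of established peers."""
    summary = defaultdict(lambda: {"listening": set(), "established": set()})
    for r in records:
        if r["state"] == "LISTENING":
            summary[r["pid"]]["listening"].add(port_of(r["local"]))
        elif r["state"] == "ESTABLISHED":
            summary[r["pid"]]["established"].add(r["foreign"])
    return dict(summary)


def find_suspicious(records, listen_threshold=LISTEN_THRESHOLD, irc_ports=IRC_PORTS):
    """Return {pid: [reason, ...]} for every PID matching either indicator."""
    findings = {}
    for pid, info in summarize_by_pid(records).items():
        reasons = []
        if len(info["listening"]) >= listen_threshold:
            reasons.append(f"listening on {len(info['listening'])} ports")
        for peer in sorted(info["established"]):
            if port_of(peer) in irc_ports:
                reasons.append(f"established connection to IRC port at {peer}")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in find_suspicious(parse_netstat(build_sample_netstat())).items():
        print(f"PID {pid}: " + "; ".join(reasons))
```

On a live host the input would be the output of whatever port-to-process tool is available for that Windows version; the flagged PID then has to be mapped to its image path and service entry by hand to confirm it is the process in question.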

