Help with computer shutdown
Vanity | August 11, 2003 | Self
Posted on 08/11/2003 8:01:16 PM PDT by Maximilian
Sorry for the vanity, but my computer stopped working today. I would get an error message:
"Generic host process for Win 32 services System Shutdown NT Authority / System"
"Remote Procedure Call (RPC) service has terminated unexpectedly"
Then it would do a 60-second countdown until it shut down the computer. It's a weird looking error message and the backwards countdown from 60 seconds until it shuts down the system seems very ominous (although I suppose it's better than an immediate crash).
It did it once about a week ago, then today it would happen as soon as I'd reboot, so the computer was totally unusable. I ran the Recovery CD that came with my Compaq and then I reinstalled Norton. It crashed again while I was re-installing Norton, but now it hasn't crashed since I finished.
I noticed that after re-installing Norton I was immediately getting warning messages that a remote system was trying to access "svchost.exe" which it classified as a "low" threat level. But I refused access since I had noticed a reference to "svchost.exe" in the "details" of the error message, and the computer hasn't crashed since then.
Is this a known error or virus? Since getting the computer working I tried Google, but there were no obvious hits for "NT authority/system" or "Remote procedure call service terminated." Both searches turned up hits, but no references to terminal viruses or system errors.
Thanks to any Freepers who are more technically competent than I am and can point me in the right direction. I appreciate any suggestions.
TOPICS: Miscellaneous; Technical
KEYWORDS: blaster; error; microsoft; msblast; virus; windows; worm
To: Maximilian
2 posted on 08/11/2003 8:02:28 PM PDT by Timesink
To: Maximilian
3 posted on 08/11/2003 8:05:44 PM PDT by brbethke
To: Maximilian
The worm has turned for you.
This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.
*********NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup. **********
W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability using TCP port 135. It will attempt to download and run a file, msblast.exe.
Infection Length: 6,176 bytes
Systems Affected: Microsoft IIS, Windows 2000, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX
Increase in port 135 activity:
http://isc.sans.org/images/port135percent.png
The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.
Infection sequence as follows:
1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
2. this causes a remote shell on port 4444 at the TARGET
3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444.
4. the target will now connect to the tftp server at the SOURCE.
The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11k byte unpacked, and 6k bytes packed:
MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)
So far we found the following properties:
- Scans sequentially for machines with open port 135, starting at a random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot
Name of registry key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'
Strings of interest:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c.
Source: http://isc.sans.org/diary.html?date=2003-08-11
4 posted on 08/11/2003 8:06:47 PM PDT by expatguy
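The SANS writeup above describes a four-step sequence (TCP/135 sweep, shell on TCP/4444, tftp pull back to the source on UDP/69). The following is an added example, not part of the SANS diary or this thread, that correlates that sequence per source IP over constructed firewall log lines; the log format is an assumed one, so adapt the regex to your own logs.

```python
import re
from collections import defaultdict

# Assumed, constructed log format: "<time> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+)\s+(TCP|UDP)\s+([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)$")

# Constructed sample: 10.0.0.5 sweeps port 135, reaches a 4444 shell on 10.0.0.9,
# and 10.0.0.9 then pulls the binary back from 10.0.0.5 over tftp (UDP/69).
SAMPLE_LOG = """\
12:00:01 TCP 10.0.0.5:1034 -> 10.0.0.7:135
12:00:01 TCP 10.0.0.5:1035 -> 10.0.0.8:135
12:00:02 TCP 10.0.0.5:1036 -> 10.0.0.9:135
12:00:02 TCP 10.0.0.5:1037 -> 10.0.0.9:4444
12:00:03 UDP 10.0.0.9:1050 -> 10.0.0.5:69
12:05:00 TCP 10.0.0.20:2001 -> 10.0.0.9:445
"""

def parse_log(text):
    """Yield (proto, src, sport, dst, dport) in log order; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, proto, src, sport, dst, dport = m.groups()
            yield proto, src, int(sport), dst, int(dport)

def find_blaster_activity(text):
    """Correlate the infection sequence per source IP.

    Returns {src: {"scanned", "shelled", "pulled"}}: 'shelled' are targets hit on
    135 and then on 4444, 'pulled' are shelled targets that afterwards sent UDP/69
    back to the source (the tftp get). Only sources that touched 135 are returned.
    """
    state = defaultdict(lambda: {"scanned": set(), "shelled": set(), "pulled": set()})
    for proto, src, _, dst, dport in parse_log(text):
        if proto == "TCP" and dport == 135:
            state[src]["scanned"].add(dst)
        elif proto == "TCP" and dport == 4444 and dst in state[src]["scanned"]:
            state[src]["shelled"].add(dst)
        elif proto == "UDP" and dport == 69 and src in state[dst]["shelled"]:
            state[dst]["pulled"].add(src)
    return {s: v for s, v in state.items() if v["scanned"]}

def compromised_hosts(text):
    """Hosts that completed the whole sequence and likely now run msblast.exe."""
    return sorted(h for v in find_blaster_activity(text).values() for h in v["pulled"])

def scanning_sources(text, min_targets=3):
    """Sources sweeping 135 across several hosts, matching the worm's sequential scan."""
    return sorted(s for s, v in find_blaster_activity(text).items() if len(v["scanned"]) >= min_targets)
```

Hosts returned by compromised_hosts are the ones to isolate and patch with MS03-026 first; scanning_sources are already infected and will keep sweeping until cleaned.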
To: Maximilian
I had the same problem today. Download and install the new XP security patch. You may need to boot up in Safe Mode to install it.
5 posted on 08/11/2003 8:08:54 PM PDT by Mr. Blond
To: Maximilian
6 posted on 08/11/2003 8:09:57 PM PDT by Eva
To: Maximilian
You're being attacked. You need a personal firewall/intrusion prevention system software for your PC.
7 posted on 08/11/2003 8:15:59 PM PDT by xrp
To: Eva
It's ugly. My son's computer got it today because he doesn't keep his virus dat files up to date. We're networked together with another machine and those two were up to date and weren't hit.
Every time your virus programs tell you to update, do it!
To: Maximilian
You don't mention whether it's Windows 2000 or XP. Nevertheless, ensure you have the latest Service Pack, SP4 for Windows 2000 Pro, and SP1 for XP Pro and more importantly, the RPC buffer overrun patch. I've supplied links for all. We applied SP4 and this patch to over 120 servers last Saturday and the only problem was with one NT4 machine that we only applied the patch to. The RPC problem is a massive security hole.
For Win 2k Pro:
http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/
For XP Pro:
http://www.microsoft.com/WindowsXP/sp1/default.asp
Here's where to get the RPC buffer patch MS03-026 to protect yourself. If your computer stays up when it's offline, you might be getting hit with the worm mentioned in the second posting.
Here's the link for that patch.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
You can apply the patch without applying the latest service pack and since it's only around 1mb in size, you might have better luck applying it, then apply the latest service pack. Even though Win 2K and XP use a DLL cache that is supposed to make re-applying service packs after every software install unnecessary, I'm pretty sure you have to re-apply the RPC patch AFTER the service pack.
Good luck, let us know how you're doing.
9 posted on 08/11/2003 8:17:38 PM PDT by Lx (Scratch a liberal, find a fascist)
To: WIladyconservative
I was extremely annoyed with the problem, but once I got the Microsoft site, I managed just fine. They did the fix for me.
10 posted on 08/11/2003 8:20:21 PM PDT by Eva
To: Maximilian
You got the bug!
11 posted on 08/11/2003 8:20:34 PM PDT by Cold Heat (Nothing in my home is French!)
To: WIladyconservative
I forgot to mention - we are all BEHIND a hardware firewall!
To: Maximilian
Tsk, oh you windows people! :D
13 posted on 08/11/2003 9:00:58 PM PDT by solitas (PowerMac G4, dual 500mhz, OS 10.2.6 (VPC6+W2k for games & my 'virus beastiary'))
To: Maximilian
MSN, Call Home!
Sounds like a temp version done expired.
To: Maximilian
I recently wrestled with a mean little motha' named "BUGBEAR", a nasty little worm. In the process of removing this thing (with the fine guidance of those saints at Symantec), I became aware that if you have a RESTORE function on your system (to take you back to a point in date/time before your woes began), you might have to DISABLE that function temporarily while you effect the repairs. Apparently, RESTORE's files are inaccessible when it's enabled (for obvious reasons!), and a worm or virus that is in that older data can easily re-infect your system. Symantec walks you through the procedure in such a way that even idiots like me can do it. This might explain your recurrence of the problem. Just a thought..... hope I help more than confuse with this message.
15 posted on 08/11/2003 9:17:40 PM PDT by weeder
To: Maximilian
Another one.
Go here for the patch. If your computer keeps rebooting, try Safe mode.
Use the Find utility to delete this file: "Exploit-DcomRpc" in C:/windows/system32/msblast.exe
After installing ALL the latest MS patches for your operating system, install a good firewall and an anti-virus program.
16 posted on 08/11/2003 9:26:27 PM PDT by cake_crumb (UN Resolutions = Very Expensive, Very SCRATCHY Toilet Paper)
To: cake_crumb
I have ZoneAlarm on my PC, should that protect me from the virus?
17 posted on 08/11/2003 9:30:01 PM PDT by dfwgator
To: All
Another thing you can do if your computer keeps rebooting before you can download the patch is to right click on your connection icon, left click on Properties, click the Advanced Tab, and place a checkmark next to "Internet Connection Firewall."
You should then be able to download the patch.
18 posted on 08/11/2003 9:30:43 PM PDT by cake_crumb (UN Resolutions = Very Expensive, Very SCRATCHY Toilet Paper)
To: expatguy
"Systems Not Affected: Linux, Macintosh, OS/2, UNIX"
Glad of my choice of platforms....
To: Maximilian
My PC got hit tonight, but if you go to the symantec site and follow their directions, you can get rid of it. Took a while, but I got it done.
20 posted on 08/11/2003 9:34:41 PM PDT by TheBigB (Some say shoot to kill. Others say shoot to maim. I say empty the f'n clip and let God make the call)
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson