rpcsc.exe - possible virus - Network Associates Say It Isn't

  1. #1
    Join Date
    Nov 2000
    Location
    Huddersfield
    Posts
    2

    Last Friday morning when all the users logged into our network they received an error message: rpcsc.exe, file not found.

    On investigating this I discovered that in the run section of the registry on every machine on the network there was an entry for rpcsc.exe, but the file wasn't on any of the machines and never has been. (rpcss.exe is a genuine Microsoft program, the Remote Procedure Call Service I think).

    On one machine, the only machine on the network with direct internet access (no firewall), there is a copy of the file named _rpcsc.exe in the winnt folder (all machines on our network are NT Server 4 or Workstation 4).

    I searched AltaVista, the Microsoft Knowledge Base, the Symantec AntiVirus Research Center and the Network Associates virus encyclopedia, all of which came up with no reference to this file whatsoever. This led me to believe that the only possibility is that it is a new virus, pretending to be the genuine rpcss.exe (the version info on the _rpcsc.exe that we found and on rpcss.exe is identical).

    I e-mailed the file to Network Associates virus samples and they came back to me saying:

    Our senior researchers have analysed the file and it seems like a Microsoft Remote Procedure Call support file.
    Are you using Remote Admin on your network?
    Otherwise it's not suspicious.

    I am not convinced: why would an entry appear in the default value of the run section of the registry on all the machines on our network if this is the case (on one machine the entry was under a value name of xx)? And if it is a genuine Microsoft file, why is there no mention of it in the Knowledge Base or anywhere on the internet searchable by AltaVista?

    Any ideas anyone? No damage has been caused but I am concerned it could be in the future if we do not get to the bottom of this.

    When I refer to the run section of the registry I mean HKLM/Software/Microsoft/Windows/CurrentVersion/Run

    Thanks
    Nigel

    [This message has been edited by 0E (edited 11-27-2000).]
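The check Nigel describes (walk the Run key on each machine and see whether the referenced executable actually exists on disk) is easy to automate. The script below is an added example, not something from this thread or from Network Associates; it assumes a host with Windows PowerShell and reads the same HKLM Run key the poster names plus its RunOnce and HKCU counterparts, flagging any value, including the unnamed "(default)" value he found populated, whose command points at a file that cannot be found.

```powershell
# Added example: audit autorun registry values and flag those whose target executable is missing.
# Assumes Windows PowerShell on a modern host; the key layout is the same one the poster inspected on NT 4.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath {
    param([string]$Command)
    # Strip arguments: a quoted path comes first, otherwise the first whitespace-delimited token.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { $cmd = $cmd.Substring(1, $end - 1) }
    } else {
        $cmd = ($cmd -split '\s+')[0]
    }
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    if ([System.IO.Path]::IsPathRooted($cmd)) { return $cmd }
    # A bare file name (like "rpcsc.exe") is resolved the way the loader would, through PATH.
    $found = Get-Command $cmd -ErrorAction SilentlyContinue
    if ($found) { return $found.Source }
    return $cmd
}

function Get-AutorunAudit {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Enumerate every value on the key, including the unnamed "(default)" value.
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's PSPath/PSParentPath metadata
            $cmd = [string]$p.Value
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            $exe = Get-ExecutablePath $cmd
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            [pscustomobject]@{
                Key     = $key
                Value   = $p.Name
                Command = $cmd
                Target  = $exe
                State   = if ($exists) { 'ok' } else { 'MISSING' }
            }
        }
    }
}

# Usage: list only the entries worth a closer look.
Get-AutorunAudit | Where-Object State -eq 'MISSING' | Format-Table -AutoSize
```

An entry that references a file present on no machine is exactly the "file not found" symptom in the first post; an entry whose target does exist is still worth comparing against a known-good copy (hash or signature) when, as here, the name is one character away from a genuine system binary. Running the script from a domain login script or via remote PowerShell gives the per-machine view the poster assembled by hand.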

  2. #2
    Join Date
    Aug 2000
    Location
    Hayward, CA, USA, EARTH
    Posts
    1,852
    Sounds like a variant of the SubSeven.G2 virus. Apparently, the infection failed in some way. It is inexplicable that the virus was propagated to the network machines. This points to a likely undiscovered version of this virus. I would treat it as this virus just in case.

    Basically SubSeven is a backdoor (like WinVNC, pcAnywhere, Carbon Copy functionally).

    I would be concerned if the target (unproxied) PC is a Domain Controller. In this case, you might check the NETLOGON share to see if any changes were made.
    AsusA7N8X, AthlonXP2200
    gForce4600+ti & Audigy Platnium, FPS SOUND. AKA- The ultimate gaming machine (well it WAS three years ago anyway).

  3. #3
    Join Date
    Nov 2000
    Location
    Huddersfield
    Posts
    2
    patweb,

    What is it that makes you suspect that it is SubSeven?

    Thanks
    Nigel

  4. #4
    Join Date
    Aug 2000
    Location
    Hayward, CA, USA, EARTH
    Posts
    1,852
    1. The registry entries on all the computers.

    2. The fact that it is trying to run an executable file that you don't use.

    In my case, the virus used PROMON.EXE. That is a common program used by Intel Ethernet Cards. This made it difficult to identify.

    If you aren't sure, you might try finding a network scanner that 'sniffs' the ports used by backdoor viruses.

    I found these links - some tools/news.
    http://subsevenprotection.hypermart.net/
    http://iaop.pnl.gov/news.htm
    http://backdoored.multiservers.com/misc.html
