Exploit-DcomRpc

Type: Trojan
SubType: Exploit
Discovery Date: 07/29/2003
Length: Varies
Minimum DAT: 4281 (07/30/2003)
Updated DAT: 5210 (01/17/2008)
Minimum Engine: 5.1.00
Description Added: 07/29/2003
Description Modified: 05/11/2004 1:24 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update 11 May 2004 --
W32/Sasser.worm.f is proactively detected as Exploit-DcomRpc with the 4288 DAT files and 4.2.40+ scan engine. This detection requires the scanning of compressed executables to be enabled. (VirusScan 7 and above provides the ability to disable this option, however it is enabled by default).
--

-- Update 21 April 2004 --
W32/Blaster.worm.k is proactively detected as Exploit-DcomRpc with the 4289 DAT files and 4.1.60+ scan engine. This detection requires the scanning of compressed executables to be enabled. (VirusScan 7 and above provides the ability to disable this option, however it is enabled by default).

-- Update 13 Aug 2003 --
W32/Lovsan.worm.c is proactively detected as Exploit-DcomRpc with the 4283 DAT files and 4.1.60+ scan engine. This detection requires the scanning of compressed executables to be enabled (VirusScan 7 provides the ability to disable this option, however it is enabled by default).

-- Update 11 Aug 2003 --
W32/Lovsan.worm is proactively detected as a variant of Exploit-DcomRpc with the 4283 DAT files and 4.1.60+ scan engine. This detection requires the scanning of compressed executables to be enabled (VirusScan 7 provides the ability to disable this option, however it is enabled by default).

-- Update 08 Aug 2003 --
A popular DCOM RPC vulnerability scanner is detected with the 4283 DAT files as the Exploit-DcomRpc trojan.

    File details
  • Name: RetinaRPCDCOM.exe
  • Size: 794,624 bytes
  • Description: Retina Scanner
  • Company: eEye Digital Security
  • MD5: 0x52EB5902772808F56D42D761BDF47E11
This detection occurs as a result of enhanced exploit detection in the DAT files and the Retina Scanner's use of exploit code as a means to assess the vulnerability state of target systems. The intention of this scanner is not malicious. However, AVERT does recognize the ability for an attacker to use this beneficial tool in a malicious manner. For this reason, the 4285 DAT file will contain detection for this tool as a "Potentially Unwanted Program".
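The updates above repeat one operational caveat: a content signature can only fire on a packed sample if the scanner looks inside the compressed executable, and the 08 Aug update adds a second, exact-file indicator (the MD5 of RetinaRPCDCOM.exe). The following Python is an added illustration of those two detection paths and is not McAfee/AVERT code: the signature bytes are a constructed placeholder, not a real MS03-026 pattern; zlib stands in for an executable packer; only the MD5 value is taken from the page. The `scan_compressed` flag mirrors the "scanning of compressed executables" option, and turning it off shows the miss the page warns about.

```python
import hashlib
import zlib
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed byte pattern standing in for a content signature. It is NOT a
# real MS03-026 exploit signature and is unrelated to the DAT files.
SIGNATURES: Dict[bytes, str] = {
    b"DEMO-DCOMRPC-SIG": "Exploit-DcomRpc (constructed demo signature)",
}

# Exact-file indicator copied from the page's file details for RetinaRPCDCOM.exe.
KNOWN_MD5: Dict[str, str] = {
    "52eb5902772808f56d42d761bdf47e11": "RetinaRPCDCOM.exe (eEye Retina scanner, PUP)",
}


@dataclass
class Verdict:
    name: Optional[str]   # detection name, or None when nothing matched
    where: str            # "hash", "raw", "compressed" or "clean"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _unpack(data: bytes) -> Optional[bytes]:
    """zlib stands in for an executable packer: return the inner bytes,
    or None when the blob is not a zlib stream."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None


def match_signatures(data: bytes) -> Optional[str]:
    """Plain substring match of every known signature against the buffer."""
    for sig, name in SIGNATURES.items():
        if sig in data:
            return name
    return None


def scan(data: bytes, scan_compressed: bool = True,
         known_md5: Optional[Dict[str, str]] = None) -> Verdict:
    """Exact-hash lookup first, then raw signature match, then (only when
    compressed-executable scanning is on) the same signatures over the
    unpacked payload."""
    hashes = KNOWN_MD5 if known_md5 is None else known_md5
    name = hashes.get(md5_hex(data))
    if name:
        return Verdict(name, "hash")
    name = match_signatures(data)
    if name:
        return Verdict(name, "raw")
    if scan_compressed:
        inner = _unpack(data)
        if inner is not None:
            name = match_signatures(inner)
            if name:
                return Verdict(name, "compressed")
    return Verdict(None, "clean")


# Constructed samples: a fake "executable" carrying the demo signature, and
# the same bytes wrapped by the stand-in packer. The packed form no longer
# contains the signature bytes verbatim, so a raw-only scan misses it.
PLAIN_SAMPLE = b"MZ" + b"\x00" * 64 + b"DEMO-DCOMRPC-SIG" + b"\x90" * 64
PACKED_SAMPLE = zlib.compress(PLAIN_SAMPLE)

if __name__ == "__main__":
    cases = (("plain", PLAIN_SAMPLE, True),
             ("packed, compressed scan on", PACKED_SAMPLE, True),
             ("packed, compressed scan off", PACKED_SAMPLE, False),
             ("benign", b"benign data", True))
    for label, blob, flag in cases:
        print(f"{label:28} -> {scan(blob, scan_compressed=flag)}")
```

The hash path identifies one exact file (the page's listed scanner binary) and nothing else, which is why the page pairs it with a generic signature; the signature path is what actually generalizes across the worm variants listed in the updates, but only if the scanner is allowed to look inside packed executables.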

-- Update 07 Aug 2003 --
In the 4283 DATs, AVERT has made this detection as generic as possible to enhance proactive protection against any malware based on exploitation of the MS03-026 vulnerability. If you have a sample detected as Exploit-DcomRpc, please submit it to AVERT. (Please also do the same if you believe any program is incorrectly identified as Exploit-DcomRpc.)
--

This detection covers exploit tools that make use of the RPC Interface Buffer Overflow (7.17.03) vulnerability, also known as MS03-026.

These exploit tools may, for example, create a remote shell to provide access to a compromised system, or execute arbitrary code on the remote computer.

Symptoms

N/A. This is an attack tool used to exploit vulnerable remote systems.

Method of Infection

N/A

Removal

All Users:
Use the current engine and DAT files for detection. Delete any file that triggers this detection.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.