General discussion

  • Creator
  • #2317913

    Need a RPC/msblast ‘white virus


    by andrew cooke ·


    Has anyone seen a ‘white’ virus yet?

    I am the unlucky person to inherit a network with a mix of computers from different orgs and OS/SPs etc.

    I have been using psexec for those machines I have admin rights on. However, a larger portion of the scanned subnet is not.

    I am looking for a program that exploits the RPC hole to install a patch. Has anyone seen this yet?

    I recall a CodeRed version that was around and there were lots of people upset because people were exploiting systems to fix them.

    Please let me know if you can help. I only want to use this tool on the network; I am sure others are in the same situation!!

All Comments

  • Author
    • #3543556

      Reply To: Need a RPC/msblast ‘white virus

      by joseph moore ·

      In reply to Need a RPC/msblast ‘white virus

      Umm, this is a loaded question.
      So far, no, there is not a version out there that performs the exploit to then patch the exploit. Nor is there a tool (that I have heard of) that performs the exploit to then fix it.
      I do know of what you refer to. There was a SQL Server worm that searched out for SQL Servers with blank SA passwords; it then set the password to a random 4-digit number. Sure, your SA account then had a password, but the worm did not tell you what it was! So, it was a mixed blessing.
      I am NOT a fan of a worm/virus that fixed what it was exploiting. To let something loose like that in a network is, IMO, irresponsible.

      So, here is my thought. If you cannot get physical access to the machines (or remote access using PSEXEC or some other remote control tool), then why not download one of the RPC exploit tools? You could get a command line based tool that performs the RPC exploit, then you could command the target machine to download the patch file and run it.
      So, you would be using an exploit tool to then perform healthy system maintenance, I guess.

      Now, I do have some links to a couple different versions of tools like this. But I am not comfortable posting them in this forum (in case someone with evil intentions reads it and gets the tool for evil).
      Also, I really don’t know if your own intentions are noble or not!

      So, if you want the links to the exploit tools, send me a message via the Peer Directory.

    • #3543048

      Reply To: Need a RPC/msblast ‘white virus

      by dmiles ·

      In reply to Need a RPC/msblast ‘white virus

      Symantec Security Response has developed a removal tool to clean infections of W32.Welchia.Worm.

      What the tool does

      The W32.Welchia.Worm Removal Tool does the following:

      Terminates the W32.Welchia.Worm viral processes.
      Deletes the W32.Welchia.Worm files.
      Deletes the registry values that W32.Welchia.Worm added.
      Deletes the services created by W32.Welchia.Worm.

      Available command-line switches for this tool



      /HELP, /H, /?
      Displays the help message.

      Disables the registry repair. (We do not recommend using this switch).

      /SILENT, /S
      Enables the silent mode.

      /LOG= Creates a log file where is the location in which to store the tool’s output. By default, this switch creates the log file, FixWelch.log, in the same folder from which the removal tool was executed.

      Scans the mapped network drives. (We do not recommend using this switch. See the following Note.)

      Forces the tool to immediately start scanning.

      /EXCLUDE= Excludes the specified from scanning. (We do not recommend using this switch.)

      Note: Using the /MAPPED switch does not ensure the complete removal of the virus on the remote computer, because:
      The scanning of mapped drives scans only the mapped folders. This may not include all the folders on the remote computer, which can lead to missed detections.
      If a viral file is detected on the mapped drive, the removal will fail if a program on the remote computer uses this file.

      Therefore, you should run the tool on every computer.

      Obtaining and running the tool

      Note: You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP.

      Download the FixWelch.exe file from:
      Save the file to a convenient location, such as your downloads folder or the Windows desktop (or removable media known to be uninfected).

    • #2746970

      Reply To: Need a RPC/msblast ‘white virus

      by andrew cooke ·

      In reply to Need a RPC/msblast ‘white virus

      This question was closed by the author
