This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects an attack that is being conducted against the Microsoft RPC DCOM service.
There are numerous vulnerabilities associated with Microsoft's RPC DCOM service. This signature represents patterns associated with various publicly available RPC DCOM attacks. Events associated with this attack warrant immediate attention, and users are encouraged to audit the status of all machines with the RPC service enabled.
Microsoft Windows supports a Remote Procedure Call (RPC) application programming interface (API) that allows applications to share publicly available objects in a distributed computing environment (DCE). RPCSS is the service that carries out the communication that takes place through the specified API.
One of the more notable vulnerabilities associated with this service is a denial-of-service condition that exists in the RPCSS service. This issue is due to a failure of the application to properly handle malformed network messages.
The problem presents itself when the malformed messages are handled by the affected service. Exceptional conditions triggered by the malformed messages cause a failure of the application to free previously acquired heap memory. After processing a number of offending messages, the process will be unable to allocate more memory for incoming network data and a denial-of-service condition will be triggered.
The issue specifically concerns the processing of packets that report an extremely large length. After DCOM processes the request, it is passed to the Activation class of functions residing in 'rpcss.dll'. Here memory is allocated to store the information; the size of the allocation is derived from the 'length' field of the message. If the specified length is larger than the memory pool of the source buffer, an exception is triggered. In this case the memory that was allocated is not freed, causing a memory leak that will eventually trigger a denial-of-service condition.
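As an added illustration (not code from this advisory and not the actual code of rpcss.dll), the constructed C model below shows the allocate-then-validate ordering that produces the leak described above, beside a hardened ordering that validates the length field against the bytes actually received before allocating and frees on every exit path. The message layout (a 4-byte little-endian length followed by payload), the MAX_ACTIVATION_LEN cap and the g_live_allocs counter are assumptions made for the illustration; the length_fits() comparison is the same consistency check an inspection device can apply to a frame.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed message model (an assumption for this illustration, not the
 * real DCOM activation wire format): a 4-byte little-endian 'length' field
 * followed by 'length' payload bytes. m->size is how many bytes actually
 * arrived, i.e. the advisory's "memory pool of the source buffer". */
typedef struct {
    const uint8_t *data;
    size_t size;
} msg_t;

/* Assumed sanity cap on a single activation payload (illustrative value). */
#define MAX_ACTIVATION_LEN (64u * 1024u)

/* Instrumentation: number of heap blocks handed out and not yet freed. */
static size_t g_live_allocs = 0;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Consistency check: does the claimed length fit in the bytes received?
 * The same comparison is what an inspection device can apply to a frame. */
bool length_fits(const msg_t *m) {
    if (m->size < 4) return false;
    uint32_t len = read_le32(m->data);
    return len <= MAX_ACTIVATION_LEN && (size_t)len <= m->size - 4;
}

/* Leaky ordering, modelling the advisory: memory is sized from the untrusted
 * length field first; the oversize check then fails ("exception") and the
 * handler returns without freeing. Returns 0 on success, -1 on error. */
int handle_activation_leaky(const msg_t *m) {
    if (m->size < 4) return -1;
    uint32_t len = read_le32(m->data);
    uint8_t *buf = malloc(len ? len : 1);   /* attacker-sized allocation */
    if (!buf) return -1;
    g_live_allocs++;
    if ((size_t)len > m->size - 4)
        return -1;                          /* error path: buf never freed */
    memcpy(buf, m->data + 4, len);
    /* ... process the activation request ... */
    free(buf);
    g_live_allocs--;
    return 0;
}

/* Hardened ordering: reject before allocating, and release on every path. */
int handle_activation_fixed(const msg_t *m) {
    if (!length_fits(m)) return -1;         /* nothing allocated yet */
    uint32_t len = read_le32(m->data);
    uint8_t *buf = malloc(len ? len : 1);
    if (!buf) return -1;
    g_live_allocs++;
    memcpy(buf, m->data + 4, len);
    /* ... process the activation request ... */
    free(buf);
    g_live_allocs--;
    return 0;
}

/* Feed n copies of a constructed malformed message (claims 4096 bytes,
 * carries 4) to a handler and report outstanding heap blocks afterwards. */
size_t leaked_after(int (*handler)(const msg_t *), size_t n) {
    static const uint8_t bad[] = {0x00, 0x10, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef};
    msg_t m = { bad, sizeof bad };
    g_live_allocs = 0;
    for (size_t i = 0; i < n; i++) handler(&m);
    return g_live_allocs;
}

/* A well-formed message (length 4, payload 4 bytes) must succeed on both. */
int process_valid(int (*handler)(const msg_t *)) {
    static const uint8_t good[] = {0x04, 0x00, 0x00, 0x00, 0x01, 0x02, 0x03, 0x04};
    msg_t m = { good, sizeof good };
    return handler(&m);
}

int main(void) {
    printf("leaky handler: %zu blocks outstanding after 1000 bad messages\n",
           leaked_after(handle_activation_leaky, 1000));
    printf("fixed handler: %zu blocks outstanding after 1000 bad messages\n",
           leaked_after(handle_activation_fixed, 1000));
    return 0;
}
```

Running the model shows the leaky handler leaving one heap block per malformed message outstanding while the hardened handler leaves none; the difference is entirely in the ordering of the length check relative to the allocation and in freeing on the error path.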
Successful exploitation of this issue may allow a remote attacker to cause the affected server to crash or stop responding. On Microsoft Windows 2000, XP, and Server 2003 this will cause the affected system to reboot; on all other Windows platforms the system will have to be manually rebooted. It is currently not known whether this issue could be leveraged to execute arbitrary code on the affected system.
It has been observed that W32.Gaobot and W32.RXBot worms exploit this issue to propagate.
Avaya DefinityOne Media Servers
Avaya IP600 Media Servers
Avaya S3400 Message Application Server
Avaya S8100 Media Servers
Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4
Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
Microsoft Windows 2000 Server SP1, SP2, SP3, SP4
Microsoft Windows 2000 Server Japanese Edition
Microsoft Windows 2000 Terminal Services SP1, SP2, SP3, SP4
Microsoft Windows NT Enterprise Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
Microsoft Windows NT Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
Microsoft Windows NT Terminal Server 4.0, 4.0 alpha, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6
Microsoft Windows NT Workstation 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Professional SP1
Microsoft Windows XP Tablet PC Edition
The vendor has supplied the following workaround information: When a system is part of a network, the DCOM wire protocol enables COM objects on that system to communicate with COM objects on other systems. You can disable DCOM for a particular system to help protect against this vulnerability, but doing so will also disable all communication between objects on that system and objects on other systems. It should be noted that this workaround is only possible on Windows 2000 systems that have applied Service Pack 3.
Microsoft has released security bulletin MS04-012 with fixes to address this and other issues. It should be noted that there are no fixes for Windows 95, Windows 98, or Windows ME.