Worm.exe is a self-extracting archive that will create rpc.exe, rpctest.exe and
tftp.exe.
Tftp.exe is a normal tftp server utility.
Rpctest.exe and rpc.exe are part of autorooter.zip tool, released around 30th
of June. Rpctest.exe uses the known RPC exploit to spawn a remote shell which
listens at TCP port 57005. It contains the text "USE THE FORZ LUKE!"
Rpc.exe contains text "rpc autorooter by ERIC". These programs are
written which Microsoft Visual Basic.
Dcomx.exe and lolx.exe are based on older backdoors and
are already detected by F-Secure Anti-Virus as variants of "Sdbot". For more
information on Sdbot irc-based backdoors, see:
http://www.f-secure.fi/v-descs/sdbot.shtml
So, all files are accounted for. There's no worm here. If somebody would be sitting
at the IRC channel and giving commands manually to affected machines, he could get
the tool propogated from one machine to another. But that wouldn't be automatic.
We recommend all users apply the Microsoft patch (available from the above Microsoft
link). Also, blocking TCP ports 135, 139 and 445 in your local firewall will help.
F-Secure Distributed Firewall blocks these by default.
[Analysis: Gergo and Mikko, F-Secure Corp, 2nd of August 2003]
![](/images/pixel.gif"){kind=tracking}
