[Dshield] connection between svchost errors and RPC/DCOM expl oit

Craig Shaw CraigS at caamb.mb.ca
Tue Aug 12 19:18:35 GMT 2003


I don't know the details, but I do know that the DCom exploit manifests
itself as a problem with SVCHost. Patched systems are still vulnerable to a
DOS condition, and pre-SP3 Win2K systems that have the DCom service disabled
are still vulnerable until a reboot.

Craig Shaw
Systems Administrator
CAA Manitoba
(204) 262-6035
craigs at caamanitoba.com

-----Original Message-----
From: Hill, Keith [mailto:Keith.Hill at occ.treas.gov] 
Sent: 12-Aug-03 13:17
To: 'list at dshield.org'
Subject: [Dshield] connection between svchost errors and RPC/DCOM exploit

Does anyone have additional information regarding the link between the
current RPC exploit and the an error message - svchost.exe "can't read
memory" error and the loss of right click functions?  I haven't seen this
information in any of the AV lists or the Microsoft information.  I did see
some discussion on the Expert's exchange board that appears to link them.
So far only one of my numerous groups has seen the svchost error and all
those devices were unpatched.  Other groups had computers that were infected
but did not experience the svchost error.


Keith Hill
kjhill at cox.net
(703) 599-8133
This message is for the designated recipients only and may contain sensitive
or confidential information. If you have received this message in error,
please notify the sender immediately and delete the original and all copies.
If you received this message in error or are not a designated recipient,
information in this message should not be disclosed and any use of the
information is prohibited.

list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list