Friday, February 2, 2007

RPCSS.EXE: Symantec Corporate Antivirus Propagating Viruses

According to information I have found, a few years ago there was a virus going around that disguised itself as a legitimate running process named rpcss.exe, visible in Windows Task Manager. I recently dealt with a network that relies on Symantec AntiVirus Corporate Edition 10.0.2 and found this process running on several machines.
Some of the initial symptoms were that the administrative shares (ADMIN$, C$ and so on) kept disappearing on the servers, which in turn makes it impossible for clients to use network services such as file shares and shared printers. Searching the Internet for this process and these symptoms turned up very little. A couple of web sites said the process was necessary for Windows to run properly, explaining that it was the Remote Procedure Call service, which is legitimate. So we recreated all of the administrative shares, but as soon as an administrator logged into a server designated as an update server for the Symantec clients, all of the administrative shares disappeared again. What?
The next week was spent with no one logging into the servers and a lot of speculation about group policy conflicts and profiles. Unfortunately that was not the cause. A week later there was still no resolution when suddenly all of the servers started losing their shares again. As I hurried to add the shares back, the system was removing them faster than I could add them. Finally we gave up and accepted temporary defeat. We contacted an associate of ours who is a Microsoft partner, and he spent several hours working with Microsoft to find out what the problem was. Microsoft actually had to double-check the process to verify whether it was legitimate. It isn't: the genuine Remote Procedure Call component is rpcss.dll, a DLL loaded into a svchost.exe service host, and Windows ships no rpcss.exe at all. Anything running under that name is an impostor.
All of the indicators we found:
  • Registry entries for "Microsoft Web Live" and for rpcss.exe
  • A hidden, protected operating-system file named rpcss.exe in the System32 folder
  • Symantec AntiVirus Corporate Edition 10.0 installed
  • An MSConfig (Startup tab) entry that runs rpcss.exe at boot
It seems that this virus is propagating through the Symantec update engine, meaning that each time the server and/or client updates itself, it is actually downloading the virus rather than new definitions. One way to check is to see whether the antivirus has updated its definitions recently; if not, force an update, and if that fails, start looking at the running processes.
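The checks described above (telling the impostor apart from the real RPC service, the indicator list, the vanishing shares and the stale-definitions test) as one read-only PowerShell triage script. This is an added example, not code from the original post. The Symantec SharedDefs registry key, the search for a "Microsoft Web Live" key and the AutoShare check are my assumptions and are marked as such in the comments; everything else uses standard Windows locations.

```powershell
# Triage for a suspected rpcss.exe impostor. Added example, not code from the original post.
# Run in an elevated PowerShell on the affected machine; it only reads, never changes anything.
# Assumptions are marked [assumption] in the comments.

$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. The genuine Remote Procedure Call service is RpcSs: rpcss.dll loaded into a svchost.exe
#    host. Its registered binary path must point at svchost.exe, never at an rpcss.exe.
$rpc = Get-WmiObject Win32_Service -Filter "Name='RpcSs'"
"RpcSs service binary : $($rpc.PathName)  (state: $($rpc.State))"
"rpcss.dll in System32: $(Test-Path (Join-Path $sys32 'rpcss.dll'))"

# 2. Any process literally named rpcss.exe is suspect. Record image path, parent PID and
#    Authenticode status (an impostor is typically unsigned; on old PowerShell builds genuine
#    catalog-signed Microsoft files also show NotSigned, so treat the name as the main signal).
$procs = @(Get-WmiObject Win32_Process -Filter "Name='rpcss.exe'")
if ($procs.Count -eq 0) { 'No process named rpcss.exe is running.' }
foreach ($p in $procs) {
    $status = if ($p.ExecutablePath) { (Get-AuthenticodeSignature $p.ExecutablePath).Status } else { 'unknown' }
    "SUSPECT PID $($p.ProcessId): path=$($p.ExecutablePath) parent=$($p.ParentProcessId) signature=$status"
}

# 3. The dropped file carries the hidden and system attributes, so Explorer and a plain dir
#    hide it. -Force makes Get-ChildItem list hidden/system files.
Get-ChildItem -Path $sys32 -Filter 'rpcss.exe' -Force -ErrorAction SilentlyContinue | ForEach-Object {
    "Hidden file   : $($_.FullName) attrs=$($_.Attributes) size=$($_.Length) written=$($_.LastWriteTime)"
}

# 4. Startup persistence: the Run/RunOnce keys that msconfig's Startup tab reads.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item $k
    foreach ($v in $key.GetValueNames()) {
        $data = $key.GetValue($v)
        if ("$data" -match '(?i)rpcss\.exe') { "Startup entry : $k\$v = $data" }
    }
}

# 5. The "Microsoft Web Live" entries the post mentions. Their exact location is not given,
#    so [assumption] this searches both Software hives for a key with that name.
foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE') {
    Get-ChildItem $hive -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '(?i)web live' } |
        ForEach-Object { "Registry key  : $($_.Name)" }
}

# 6. Administrative shares. The Server service recreates ADMIN$, C$ etc. at startup only when
#    AutoShareServer (server SKUs) / AutoShareWks (workstations) is 1 or absent; a value of 0
#    is a common reason they keep vanishing. [assumption] The post does not say this malware
#    uses that mechanism, so this is a check, not a finding.
$admin = Get-WmiObject Win32_Share | Where-Object { $_.Name -like '*$' } | ForEach-Object { $_.Name }
"Admin shares  : $(if ($admin) { $admin -join ', ' } else { 'NONE' })"
$lanman = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
"AutoShareServer=$($lanman.AutoShareServer) AutoShareWks=$($lanman.AutoShareWks)  (blank = default, enabled)"

# 7. Which Symantec build is installed, from Add/Remove Programs, and which definition set is
#    active. [assumption] SAV 10.x records its definition folders under HKLM\SOFTWARE\Symantec\
#    SharedDefs; the folder name (e.g. 20070201.018) encodes the definition date, so a stale
#    date despite daily LiveUpdate runs means updates are not really arriving.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' | ForEach-Object {
    $app = Get-ItemProperty $_.PSPath
    if ($app.DisplayName -like 'Symantec AntiVirus*') { "Installed     : $($app.DisplayName) $($app.DisplayVersion)" }
}
$defs = Get-Item 'HKLM:\SOFTWARE\Symantec\SharedDefs' -ErrorAction SilentlyContinue
if ($defs) { foreach ($v in $defs.GetValueNames()) { "Definitions   : $v -> $($defs.GetValue($v))" } }
```

Run it on a known-clean machine first so you know what the RpcSs line, the share list and the definition date look like when everything is healthy; the diff against an affected server is then obvious. Step 2 deliberately matches the exact image name rather than anything containing "rpcss", so the real service host is never flagged.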
To clean the virus, if Symantec is installed, first stop and disable all of the Symantec services. Then kill the running rpcss.exe process through Windows Task Manager. Search the registry for rpcss.exe and delete every entry that references it (at your own risk: back up the registry first, and leave the legitimate RpcSs service key under HKLM\SYSTEM\CurrentControlSet\Services alone, since removing it breaks Windows). Finally, search with hidden files and protected operating-system files shown, find the file, and delete it.
After rebooting, your machine should be clean; uninstall Symantec and get something else. Unfortunately, Symantec is not admitting that this is a problem, and since it only affects this version of their product and no other manufacturer's product, nothing has been written up about it. Microsoft said that it may be a keylogger that sends what it captures out to the Internet somewhere, so change your passwords if you have been exposed to this virus. Great.
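The cleanup steps above as an added PowerShell script. This is my example, not the post's own procedure, which was done by hand through Task Manager, regedit and Explorer; it adds two things a practitioner would want: it dry-runs unless -Apply is given, and it quarantines the file instead of deleting it so it can still be examined or submitted to a vendor. The -Apply switch, the rpcss_quarantine folder name and the rule that Symantec services are recognised by a display name beginning "Symantec" are my assumptions.

```powershell
# Cleanup for the rpcss.exe impostor, following the post's steps. Added example, not the post's
# own script. Differences from the plain manual procedure: it dry-runs unless -Apply is given,
# and it quarantines the file instead of deleting it so it can still be examined.
# Run from an elevated PowerShell. [assumption] Symantec services are recognised by a display
# name beginning "Symantec", and the dropped file is in System32, where the post found it.
param([switch]$Apply)

$sys32      = Join-Path $env:SystemRoot 'System32'
$quarantine = Join-Path $env:SystemDrive 'rpcss_quarantine'
$mode       = if ($Apply) { 'DO   ' } else { 'WOULD' }

# 1. Stop and disable every Symantec service first, so the update engine cannot re-drop
#    the file while the rest of the cleanup runs.
foreach ($svc in @(Get-WmiObject Win32_Service | Where-Object { $_.DisplayName -like 'Symantec*' })) {
    "$mode stop and disable service $($svc.Name) ($($svc.DisplayName))"
    if ($Apply) { $null = $svc.StopService(); $null = $svc.ChangeStartMode('Disabled') }
}

# 2. Kill the impostor. Only a process whose image name is rpcss.exe is touched; the genuine
#    RPC service runs inside svchost.exe and killing that would take the machine down.
foreach ($p in @(Get-WmiObject Win32_Process -Filter "Name='rpcss.exe'")) {
    "$mode terminate PID $($p.ProcessId) ($($p.ExecutablePath))"
    if ($Apply) { $null = $p.Terminate() }
}

# 3. Delete registry values whose data references rpcss.exe (startup entries and the like).
#    Matching on "rpcss.exe" rather than "rpcss" keeps the legitimate RpcSs service key safe.
#    Keys named "Microsoft Web Live" are only reported, for manual review, because the post
#    does not say where they live or what they contain.
foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE') {
    Get-ChildItem $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -match '(?i)web live') { "REVIEW: key $($key.Name)" }
        foreach ($v in $key.GetValueNames()) {
            if ("$($key.GetValue($v))" -match '(?i)rpcss\.exe') {
                $name = if ($v -eq '') { '(default)' } else { $v }
                "$mode delete value '$name' under $($key.Name)"
                if ($Apply) { Remove-ItemProperty -Path $key.PSPath -Name $name }
            }
        }
    }
}

# 4. Move the hidden file into quarantine. Clearing the hidden/system/read-only attributes
#    first lets the move proceed; the process that held it open was terminated in step 2.
$file = Join-Path $sys32 'rpcss.exe'
if (Test-Path $file -PathType Leaf) {
    "$mode quarantine $file -> $quarantine"
    if ($Apply) {
        New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
        attrib -h -s -r $file
        Move-Item $file (Join-Path $quarantine 'rpcss.exe.quarantined') -Force
    }
} else { 'No rpcss.exe found in System32.' }

# 5. The remaining steps are manual: reboot, re-run this script to confirm nothing came back,
#    uninstall the affected Symantec build, and change every password used on exposed machines
#    since the file may have been logging keystrokes.
if ($Apply) { 'Changes applied. Reboot, re-run to confirm, then rotate passwords.' }
else        { 'Dry run only; nothing was changed. Re-run with -Apply to clean.' }
```

Do the dry run first and read every "WOULD delete value" line before re-running with -Apply; the registry search is deliberately broad and any value that happens to mention rpcss.exe in its data (a shortcut, an old log path) will be listed. Export the affected keys with reg export before applying, as the post's own "use at your own risk" warning implies.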
