Blaster Worms

 

Blaster worms and others that exploit the DCOM RPC vulnerability.
Discovered: 11 Aug 2003
Platform: Windows 2000, NT, XP, 2003
 
Exploiting the RPC DCOM Buffer Overflow:
 
This worm exploits the RPC DCOM BUFFER OVERFLOW, a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, to infect remote machines. The vulnerability allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.
 
Note:
 
 - On Windows XP and 2003, when the DCOM RPC attack takes place, the Remote Procedure Call (RPC) service stops and causes NT AUTHORITY\SYSTEM to reboot the machine in 60 seconds (this is a new security mechanism in XP/2003). The machine restarts when the RPC service is under attack. To prevent the system from restarting, please apply the Microsoft DCOM RPC patch.

 - On Windows 2000, when the DCOM RPC attack takes place, the Remote Procedure Call (RPC) service stops but the machine does NOT reboot automatically. Since many services depend on RPC, some services might not work properly.

Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
 - Microsoft Security Bulletin MS03-026. Originally posted: July 16, 2003. Revised: September 10, 2003
 - Note: The fix provided in MS03-039 supersedes the one included in Microsoft Security Bulletin MS03-026 as well as MS01-048
 
Blaster Worm Analysis by eEye Digital Security
 - Release Date: 11 Aug 2003
 - (***Excellent. Great technical details. But no description of the symptoms of infected PCs.)
 
What You Should Know About the Blaster Worm and Its Variants
(source: Microsoft Security. Last Updated 22 August 2003)
 
Detecting network traffic that may be due to RPC worms
(source: Symantec. Last Updated on: 12 Sep 2003)
 

Virus Encyclopedia
 
WORM_MSBLAST.A (Aliases: MSBLASTER, Worm.Win32.Lovesan, W32/Lovsan.worm, W32/Blaster-A, W32.Blaster.Worm)
(source: Trend Micro. Discovered: 11 Aug 2003. Pattern file needed: 676)
 
WORM_MSBLAST.B (Aliases: W32/Blaster, Worm.Win32.Lovesan, Win32.HLLW.LoveSan.11296)
(source: Trend Micro. Discovered: 13 Aug 2003. Pattern file needed: 676)
 
WORM_MSBLAST.C (Aliases: W32.Blaster.C.Worm, Win32:Blaster-C)
(source: Trend Micro. Discovered: 13 Aug 2003. Pattern file needed: 676)
 
WORM_NACHI.A (Aliases: nachia, Win32.Nachi.Worm, Welchia, W32.Welchia.Worm, W32.Nachi.worm, W32/Nachi-A)
(source: Trend Micro. Discovered: 18 Aug 2003. Pattern file needed: 614)
 
WORM_MSBLAST.E (Aliases: W32/Msblast.E, W32.Blaster.Worm, Worm.Win32.Lovsan, Blaster.A)
(source: Trend Micro. Discovered: 29 Aug 2003. Pattern file needed: 676)
 
WORM_MSBLAST.F (Aliases: Worm.Win32.Lovesan, Blaster.F)
(source: Trend Micro. Discovered: 1 Sep 2003. Pattern file needed: 676)
 
WORM_MSBLAST.G (Aliases: W32.Blaster.Worm, Worm.Win32.Lovsan)
(source: Trend Micro. Discovered: 19 Sep 2003. Pattern file needed: 637)