Topic: Win32:RPCexploit [Trj]

jadeite100

  • Guest
Win32:RPCexploit [Trj]
« on: February 22, 2009, 09:52:25 PM »
Hi All:

I am using Avast 4.8 Home Edition.
I am running the Windows Vista 32-bit operating system with the latest Windows updates.
I have VMware 6.04.
I have Vista Firewall Control 32-bit in addition to the firewall that comes with Windows Vista.
My guest operating system is running Windows 2000 Server SP4. I have updated the guest since January 1, 2008.
I scanned the guest through Avast Home Edition and it shows no virus in the "Vmware Virtual Disk File".
My laptop is connecting to the internet directly from the DSL modem. It is not connecting through a wireless router.
I did a windowsupdate.microsoft.com. It installed 59 security updates on the Windows 2000 Server guest operating system.
I disconnected from the internet and scanned the vmware file "Vmware Virtual Disk File" through "Scan archive file" and it shows the following infection:


* Task 'Simple user interface' used
* Started on February-22-09 3:03:25 PM
* VPS: 090221-0, 21/02/2009
*

G:\Win2000MdtsMay12\Desktop.ini
  • is OK

G:\Win2000MdtsMay12\vmware-0.log
  • is OK

G:\Win2000MdtsMay12\vmware-1.log
  • is OK

G:\Win2000MdtsMay12\vmware-2.log
  • is OK

G:\Win2000MdtsMay12\vmware.log
  • is OK

G:\Win2000MdtsMay12\vm_folder.ico
  • is OK

G:\Win2000MdtsMay12\win2000Serv.nvram
  • is OK

G:\Win2000MdtsMay12\win2000Serv.vmsd
  • is OK

G:\Win2000MdtsMay12\win2000Serv.vmx
  • is OK

G:\Win2000MdtsMay12\win2000Serv.vmx.bak
  • is OK

G:\Win2000MdtsMay12\win2000Serv.vmxf
  • is OK

G:\Win2000MdtsMay12\Windows 2000 Server.vmdk [L] Win32:RPCexploit [trj] (0)
File was successfully deleted...
Infected files: 1
Total files: 12
Total folders: 1
Total size: 19.9 GB

*
* Task stopped: February-22-09 3:33:28 PM
* Run-time was 30 minute(s), 3 second(s)
*

Before I updated the guest operating system, I did a boot-time scan on the parent operating system, which is Windows Vista, and it showed no virus.

So how did I get the virus Win32:RPCexploit [trj] after I did a windowsupdate.microsoft.com? Is this virus coming from the Microsoft web site?

Yours,

Frustrated.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:RPCexploit [Trj]
« Reply #1 on: February 22, 2009, 10:21:22 PM »
No, it could be just a false positive... Indeed, I won't scan the vmware disk file... it's inert, takes a lot to be scanned and could be issued with false positives. I think it's safe to add *.vmdk files to the avast exclusion lists.
But, I can't answer your questions directly, sorry.
The best things in life are free.

jadeite100

  • Guest
Re: Win32:RPCexploit [Trj]
« Reply #2 on: February 23, 2009, 03:30:24 PM »
No, it could be just a false positive... Indeed, I won't scan the vmware disk file... it's inert, takes a lot to be scanned and could be issued with false positives. I think it's safe to add *.vmdk files to the avast exclusion lists.
But, I can't answer your questions directly, sorry.

Hi :

Thank you for replying so fast.
I don't think it could be a false positive because I did an update on other vmware workstations to use the latest Microsoft patches and they didn't have a Win32:RPCexploit [trj] virus detected by Avast. Could this virus Win32:RPCexploit [trj] somehow be sleeping in my vmware workstation and suddenly become awakened by the windowsupdate under certain conditions? In this vmware workstation I had to change the date from 2/2/2006 to the latest date 2/22/2009. In the other vmware workstations I did not have to change the date to the latest date before I did a windowsupdate.

Yours,

Frustrated.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:RPCexploit [Trj]
« Reply #3 on: February 23, 2009, 03:45:12 PM »
Could this virus Win32:RPCexploit [trj] somehow be sleeping in my vmware workstation and suddenly become awakened by the windowsupdate under certain conditions?
It's possible, but does avast running inside the vmware guest OS detect it or not? If only avast at the host detects it, I continue to think it is a false positive.
The best things in life are free.

jadeite100

  • Guest
Re: Win32:RPCexploit [Trj]
« Reply #4 on: February 23, 2009, 05:21:38 PM »
Could this virus Win32:RPCexploit [trj] somehow be sleeping in my vmware workstation and suddenly become awakened by the windowsupdate under certain conditions?
It's possible, but does avast running inside the vmware guest OS detect it or not? If only avast at the host detects it, I continue to think it is a false positive.

Hi :

Thank you for replying so quickly.

Inside the vmware (guest operating system) I used McAfee to scan for the virus but it couldn't find it.

But when I scanned it from outside using Avast to scan archive or zip files, it found the virus.

How do I know there is really this virus in my guest operating system?

I did a search on the vmware forum for this virus and it seems to happen to other people too. Some forums say this virus occurs because there is a security bug in older versions of vmware and you should get the latest version of Workstation and also the vmware tools installed in the guest operating system. I did all of that and I still get this virus when I do a Microsoft update. I have 10 different vmware guest workstations. I scanned them outside of the guest operating system using Avast and it shows no virus. But for some reason when I do a windowsupdate on all ten guest operating systems, some of the guest operating systems get infected by the Win32:RPCexploit(Trj) trojan virus and some don't.

I plan to install the "Sygate Personal Firewall" in the guest operating system and then do a windowsupdate and see if there is an application trying to access outside of the guest operating system.

Is there a way to prevent the virus Win32:RPCexploit from infecting my guest operating system?

Yours,

Frustrated.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:RPCexploit [Trj]
« Reply #5 on: February 23, 2009, 06:48:23 PM »
How do I know there is really this virus in my guest operating system?
Submit the file within the guest OS to www.virustotal.com.

Is there a way to prevent the virus Win32:RPCexploit from infecting my guest operating system?
If it is a real (correct) detection, uninstall McAfee from your guest and install avast.
avast will detect and block the infection.
The best things in life are free.

jadeite100

  • Guest
Re: Win32:RPCexploit [Trj]
« Reply #6 on: February 25, 2009, 05:39:06 PM »
How do I know there is really this virus in my guest operating system?
Submit the file within the guest OS to www.virustotal.com.

Is there a way to prevent the virus Win32:RPCexploit from infecting my guest operating system?
If it is a real (correct) detection, uninstall McAfee from your guest and install avast.
avast will detect and block the infection.

Hi:

This is a question for Avast support.
I scanned my vmware workstation file using Avast 4.8 Home Edition before I updated the patches in the guest operating system using windowsupdate.microsoft.com and it did not find any virus. In addition I used "avast Virus Cleaner" to check and there was no virus. After I did the windowsupdate I closed the vmware guest operating system and scanned it with Avast 4.8 Home Edition and it found the Win32:RPCexploit [trj] worm. I opened the guest operating system and ran the "Avast Virus Cleaner Tool" and it did not find the Win32:RPCexploit [trj] worm. In addition, I installed the server version, Avast Server Edition, and did a dos-prompt boot scan and it did not find the Win32:RPCexploit [trj] virus. In addition, I did a full scan using Avast Server Edition including scanning archive or zip files and it did not find the Win32:RPCexploit [trj] worm.

So, the vmware guest operating system is a vmd file; how does Avast Home Edition determine it has a worm called Win32:RPCexploit [trj] inside it? I would like to submit the file but I can't because it is 20 Gigabytes in size.

Question is do I have a virus or not?

Yours,

Desperate

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11856
    • AVAST Software
Re: Win32:RPCexploit [Trj]
« Reply #7 on: February 25, 2009, 11:18:25 PM »
I have 10 different vmware guest workstations. I scanned them outside of the guest operating system using Avast and it shows no virus. But for some reason when I do a windowsupdate on all ten guest operating systems, some of the guest operating systems get infected by the Win32:RPCexploit(Trj) trojan virus and some don't.

When you scan a vmware image from "outside", the whole virtual disk is scanned - i.e. including parts that correspond to free disk space (that may have contained something previously).
So, I can imagine that Windows Update may have downloaded e.g. the Microsoft malware removal tool and it (maybe) contains the signatures for the RPC exploit... then the files are deleted, but when you stop the machine and scan its image from outside, avast! finds the signature in the (now free) disk blocks.

I'd suggest not worrying about it... and possibly excluding the vmware images from avast! scanning; it's better to scan the machine from inside, scanning the image file won't give you reasonable results.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:RPCexploit [Trj]
« Reply #8 on: February 26, 2009, 12:16:51 AM »
Thanks Igor.
The best things in life are free.

jadeite100

  • Guest
Re: Win32:RPCexploit [Trj]
« Reply #9 on: February 26, 2009, 05:22:06 PM »
I have 10 different vmware guest workstations. I scanned them outside of the guest operating system using Avast and it shows no virus. But for some reason when I do a windowsupdate on all ten guest operating systems, some of the guest operating systems get infected by the Win32:RPCexploit(Trj) trojan virus and some don't.

When you scan a vmware image from "outside", the whole virtual disk is scanned - i.e. including parts that correspond to free disk space (that may have contained something previously).
So, I can imagine that Windows Update may have downloaded e.g. the Microsoft malware removal tool and it (maybe) contains the signatures for the RPC exploit... then the files are deleted, but when you stop the machine and scan its image from outside, avast! finds the signature in the (now free) disk blocks.

I'd suggest not worrying about it... and possibly excluding the vmware images from avast! scanning; it's better to scan the machine from inside, scanning the image file won't give you reasonable results.


Hi:

Thank you for your advice !!!
Greatly appreciated!!
I have installed about 59 windowsupdates on my computer and I believed the "Microsoft malware removal tool" was also installed. Can you tell me what the Windows 2000 Hotfix number is for the "Microsoft malware removal tool"? Because when I looked at "Add/Remove Programs" there are hundreds of Windows 2000 Hotfixes with a number like "KB926436". I googled on the internet but couldn't find the "Windows 2000 Hotfix Number" for the "Microsoft malware removal tool".

Does anybody know what the "Windows 2000 Hotfix number" for the "Microsoft malware removal tool" is?

Thank you for your suggestions.
Once I find out the "Windows 2000 Hotfix number" for the "Microsoft malware removal tool", I plan to uninstall it and rescan the vmware .vmd file using Avast 4.8 Home Edition, and it should not give me the "Win32:RPCexploit [Trj]" virus, right?

Yours,

Frustrated.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11856
    • AVAST Software
Re: Win32:RPCexploit [Trj]
« Reply #10 on: February 26, 2009, 05:36:41 PM »
Well, I mentioned the malware removal tool as an example... I am not sure it's caused exactly by this (though it's kinda likely).
Deleting/uninstalling the file may not help - the (virtual) disk sectors are marked as unused, but the content remains, i.e. it may still be detected from outside.

jadeite100

  • Guest
Re: Win32:RPCexploit [Trj]
« Reply #11 on: February 26, 2009, 06:58:00 PM »
Hi:

You mean even if I managed to uninstall this "Microsoft Malware tool", Avast Home Edition will still give me this false positive about "Win32:RPCexploit [trj]"? If that is the case, shouldn't there be an update on Avast Home Edition for not giving this false positive?
Would this be considered a bug on behalf of "Avast"? I can ignore this error but I wouldn't know if I really have the actual "Win32:RPCexploit [trj]" virus. If my guest operating system was really infected by this virus then I would be really in trouble because I would be thinking it is a false positive.

Yours,

Frustrated.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:RPCexploit [Trj]
« Reply #12 on: February 26, 2009, 07:21:38 PM »
Erase your unused drive space by installing Eraser in the guest machine, right-clicking the drive, choosing the new context menu entry, and choosing one pass only (options) to make it faster.
http://www.heidi.ie/node/14
The best things in life are free.
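An added illustration of the mechanism igor describes in Replies #7 and #10 and of the free-space wipe Lisandro suggests in Reply #12 (example code written for this page, not from avast!, VMware or Eraser): a toy disk image in which deleting a file only frees its blocks, so a raw scan of the image still matches a pattern the guest's own file system no longer exposes, until the unallocated blocks are overwritten. All file names, contents and the stand-in signature bytes are constructed.

```python
# Added example (not from the thread): toy block device standing in for a .vmdk; all data constructed.
BLOCK = 16
SIGNATURE = b"RPC-EXPLOIT-SIG"  # constructed stand-in for a detection pattern

class ToyDisk:
    """Flat image plus an allocation table; delete() frees blocks, nothing more."""
    def __init__(self, nblocks):
        self.image = bytearray(nblocks * BLOCK)
        self.free = set(range(nblocks))
        self.files = {}  # name -> list of block numbers

    def write(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            b = min(self.free)  # lowest free block, so a file's blocks are contiguous
            self.free.remove(b)
            self.image[b * BLOCK:(b + 1) * BLOCK] = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            blocks.append(b)
        self.files[name] = blocks

    def delete(self, name):
        # Like a real file system: the directory entry goes, the sector bytes stay.
        self.free.update(self.files.pop(name))

    def read(self, name):
        return b"".join(bytes(self.image[b * BLOCK:(b + 1) * BLOCK]) for b in self.files[name])

    def wipe_free_space(self):
        # Equivalent of an Eraser "unused space" pass: overwrite every unallocated block.
        for b in self.free:
            self.image[b * BLOCK:(b + 1) * BLOCK] = b"\0" * BLOCK

def scan_inside(disk):
    """A scanner running in the guest sees only allocated files."""
    return sorted(n for n in disk.files if SIGNATURE in disk.read(n))

def scan_outside(disk):
    """A host scanner reads the image as one blob, free blocks included."""
    return disk.image.find(SIGNATURE) != -1

def demo():
    d = ToyDisk(8)
    d.write("mrt-signatures.dat", b"sigdb:" + SIGNATURE + b":end")  # constructed content
    d.write("notes.txt", b"hello world")
    before = (scan_inside(d), scan_outside(d))  # both see it while the file exists
    d.delete("mrt-signatures.dat")              # the update's cleanup removes the file
    after = (scan_inside(d), scan_outside(d))   # inside: nothing; outside: still a hit
    d.wipe_free_space()
    wiped = (scan_inside(d), scan_outside(d))   # the outside hit is gone as well
    return before, after, wiped
```

`demo()` returns `((['mrt-signatures.dat'], True), ([], True), ([], False))`: the middle tuple is the thread's situation, an image-level hit that no scan inside the guest can confirm.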

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:RPCexploit [Trj]
« Reply #13 on: February 26, 2009, 07:22:52 PM »
Shouldn't there be an update on Avast Home Edition for not giving this false positive.
No. If it is really an unencrypted malware signature, avast should detect it.
The best things in life are free.