MS-RPC: DCE-RPC Remote "atsvc" Rundll32.exe Job

This signature detects remote attempts to issue commands to rundll32.exe through the "atsvc" service. Worms and other malicious programs can use this service to execute programs remotely. However, network administrators can also use this service legitimately inside a secured network to assist with remote administration.

Extended Description

Microsoft Windows is prone to a remote code-execution vulnerability that affects RPC (Remote Procedure Call) handling in the Server service. An attacker could exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will result in the complete compromise of vulnerable computers. This issue may be prone to widespread automated exploits. Attackers require authenticated access on Windows Vista and Server 2008 platforms to exploit this issue. This vulnerability affects Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Affected Products

Avaya messaging_application_server,Microsoft windows_server_2008_for_itanium-based_systems

References

BugTraq: 31874

URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/taskschd/taskschd/about_the_task_scheduler.asp http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0126.html http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782725

Short Name

MS-RPC:ATSVC-RUNDLL

Severity

Major

Recommended

False

Recommended Action

None

MS-RPC: DCE-RPC Remote "atsvc" Rundll32.exe Job

Extended Description

Affected Products

References

Found a potential security threat?