Windows Operating Systems Software Security

RPC DCOM Worm On The Loose 604

Posted by simoniker
from the uh-oh-spaghettios dept.
GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."
This discussion has been archived. No new comments can be posted.

  • Port 4444 (Score:1, Interesting)

    by John Hurliman (152784) on Monday August 11, 2003 @05:00PM (#6669273) Homepage
    Is it opening a shell on port 4444 or a tftp server?
  • this vulnerability... (Score:5, Interesting)

    by garcia (6573) * on Monday August 11, 2003 @05:01PM (#6669286) Homepage
    if you use this vulnerability against someone (usually people that hit your web server with /default.ida) you get access to a C:\ prompt. You can look around, run format, etc.

    It's quick to crash the machine (apparently) as the remote becomes unusable (pingable though).

    It's actually pretty nasty from what I have seen... I just wonder how effective the worm will be when the machine becomes unresponsive after a few commands?

    Perhaps it won't spread as fast as others because of this problem? I suppose we can hope.
  • by Sorthum (123064) on Monday August 11, 2003 @05:11PM (#6669396) Homepage
    Are the calls mostly centered around actual problems, or is it users doing their famous "I heard about the RPC bug, and now my computer won't boot!" routine? When Code Red came out, for instance, we saw everything from bad disks to dialup issues being blamed on it, solely because people didn't listen to anything past "the world is calling" chicken-littleisms.
  • Agreed (Score:2, Interesting)

    by ttyp0 (33384) on Monday August 11, 2003 @05:11PM (#6669402) Homepage
    All our desktop computers are Windows, and simply have too many users to try and keep everyone patched. So instead, block all incoming ports on the firewall, and voila. Why this isn't standard practice is beyond me.

    Anti SCO T-Shirt [anti-tshirts.com]. $1 donated to OSI Fund on each shirt.

  • SP3? (Score:4, Interesting)

    by poptones (653660) on Monday August 11, 2003 @05:17PM (#6669465) Journal
    Are there really that many win2k systems not even running SP3? That's not the only fix, but I have a box here that has had zero patches except SP3 and DCOM is disabled by default - which pretty much makes this "buffer overflow" a non issue. Doesn't XP also install (by default) DCOM disabled? So where is all this traffic coming from? People too nervous to install SP3? People too stubborn to stop using NT4?
  • by Zathrus (232140) on Monday August 11, 2003 @05:17PM (#6669468) Homepage
    One of my coworkers thought that as well.

    He was monkeying around on his RH8 box, was having network issues and setup the box as DMZ on the firewall. Later he rebooted to Win2k (on the same system, setup for the same IP). His entire network got hit with Slammer because of this. It took him the better part of a week to fix all of his boxes afterwards.

    As others have said, a firewall is only part of the solution. Shutting down non-essential services/daemons, keeping up to date on patches, and in general knowing what the hell you're doing are other parts of the solution.
  • by brandonY (575282) on Monday August 11, 2003 @05:23PM (#6669518)
    My girlfriend called me not 20 minutes before this article went up asking what RPC was and why it was shutting her computer down whenever she got on the Internet. A quick glance at this article's headline followed by a thorough read of Symantec's removal instructions led to me calling her back and another day saved! Thanks, Slashdot! Thanks, Symantec Security Response Team!
  • This is just sick. (Score:1, Interesting)

    by dodell (83471) <dodell AT sitetronics DOT com> on Monday August 11, 2003 @05:23PM (#6669522) Homepage
    I don't really look at Windows security updates, but why the HELL don't they put these patches on Windows Update [windowsupdate.com]? The reason that these worms spread is because NORMAL people (and idiot sysadmins) don't go and read these security updates.

    I have WinXP SP1 installed, with all the updates and critical security fixes installed. I just go look here and I see that there are 21 extra updates I should install. All of them are remote exploits as well.

    I will say that I am surprised, I thought I had been staying up-to-date. I don't do Windows server administration, so I didn't know about these. I use Windows for my desktop, naturally. But I really don't understand why they don't go ahead and put this crap on Windows Update? Are they afraid of the bad press? Everyone and their goldfish knows that MS is insecure anyway, they may as well put it there.

    Bleh. Why didn't /. cover the other 20 of these things?
  • by hey (83763) on Monday August 11, 2003 @05:25PM (#6669540) Journal
    Sure there's a bug now. But Microsoft picking DCE RPC for DCOM was a nice thing for the open source community since it's a documented protocol. There's a project supporting it on Linux: freedce [sourceforge.net]. I have used freedce to communicate between Linux and Windows. It's nice.
  • by Anonymous Coward on Monday August 11, 2003 @05:25PM (#6669544)
    have a look at : http://security.tombom.co.uk/shatter.html
    it is worth reading.......
  • You got the grsec patches compiled in, and a nice tight set of ACLs? Now **that** would be tight. Kind of like ssh root@selinux.dev.gentoo.org (password gentoo). You've got to be confident to let people log in to your box as root.
  • Saved by a penguin (Score:1, Interesting)

    by Anonymous Coward on Monday August 11, 2003 @05:32PM (#6669611)

    What happens to your computer if you get this worm? My friend's XP box just went flaky, when you boot it up it says it has some kind of RPC problem then shuts down after some 30 seconds.
    I asked another friend of mine if you could just put the recovery CD in and reinstall the OS, but he wasn't willing to take a chance hosing his data.
    Anyway I'm headed up to his place later today with knoppix in hand to burn him some CDs of his data so he can do a reinstall. He is freaking out since all of his invoices are on that computer and supposed to go out tomorrow. Gotta love that knoppix!
  • Re:Egress Filtering (Score:4, Interesting)

    by ThatDamnMurphyGuy (109869) on Monday August 11, 2003 @05:38PM (#6669668) Homepage
    Then again, why on earth expose these to the internet? (135, 139, or 445). Of course, internal virii catching employees are just as dangerous to your servers as the external bad guys.
  • Re:Worse (Score:3, Interesting)

    by einhverfr (238914) <chris.travers@NoSPAm.gmail.com> on Monday August 11, 2003 @05:42PM (#6669704) Homepage Journal
    And they don't block access to Slashdot? But it's full of Linux propaganda!

    No, but slashdot sometimes blocks us because some corporate loser does something stupid. Then I have to change which proxy I use....

    Anyway, due to the virus, I am really glad I am not working today, but I have had to send the msblast.exe to our virus reporting team, etc.
  • by molarmass192 (608071) on Monday August 11, 2003 @05:46PM (#6669739) Homepage Journal
    We're seeing a steady upward trend in 135 reqs too. Much worse from our backup ISP than our primary. We've got our firewalls flicking these off at the doorstep but then again they were never allowed in in the first place.
  • by troutsoup (648171) on Monday August 11, 2003 @05:49PM (#6669759) Homepage
    yeah, my girlfriend called and her machine is resetting right after she goes online (dialup) rpc errors and other stuff. it's a mess, even did it after killing the msblast.exe process.... fun fun fun. gotta go read up more on this to figure out how to undo it. :(
  • by ironicsky (569792) on Monday August 11, 2003 @05:55PM (#6669851) Journal
    Step 1. Shut down PC
    Step 2. Unplug Cable Modem.
    Step 3. Start up PC
    Step 4. Click Start -> Settings -> Control Panel
    Step 5. Double Click Network Connections
    Step 6. Right Click the Local Area Connection used to access Internet. Example: Local Area Connection 1
    Step 7. Select Properties
    Step 8. Click the Advanced Tab
    Step 9. Enable the Windows XP Firewall
    Step 10. Click OK, Close out of open windows.
    Step 11. Plug in the Cable Modem.
    Step 12. Ensure Block Sync is established.
    Step 13. Open Internet Explorer
    Step 14. Go to the following URL: http://www.microsoft.com/technet/default.asp
    Step 15. Click the Link toward the middle of the page titled: Action: Read Security Bulletin MS03-026 and Install the Security Patch Immediately
    Step 16. Scroll Down Page about half way to Patch Availability
    Step 17. Click Windows XP 32 bit Edition
    Step 18. Click Download in the upper right of the screen.
    Step 19. Save the file to the desktop
    Step 20. Run the downloaded file.
    Step 21. The patch will install and prompt the customer to reboot.
    Step 22. Once the patch is installed and the computer rebooted, the Windows XP firewall can be disabled
  • by Anonymous Cow herd (2036) on Monday August 11, 2003 @06:03PM (#6669961) Homepage
    It's called a firewall. It's protected me from Nimda, Code Red, etc.

    Yes yes, I was once a smarmy know-it-all just like you, smugly thumbing my nose at the poor suckers who didn't know about complex technology like "firewalls" and whatnot to protect themselves from evil worms. Then my computer-illiterate (now ex-) girlfriend downloaded an attachment from her hotmail account and ran it manually... and that was the end of that.
  • by Tackhead (54550) on Monday August 11, 2003 @06:04PM (#6669966)
    > It looks like the worm affects svchost.exe (the Generic Host Process),

    "Uh, WTF is SVCHOST.EXE, and why the fuck does it always bind itself to 445, and how can I make it stop doing that? I don't know what it's listening for, but I know that for what I'm using this box for, I don't need it, so why can't I disable the offending process?"
    - Me, the first time I played with a W2K box.

    "So SVCHOST does too much stuff to just kill it, but how can I at least stop it from binding to 445? I know I'm not doing anything on that port, and therefore don't want any process listening for data sent to it. Period."
    - Me, after 5 minutes of trivial research.

    "Crap, it looks like there's no way to stop SVCHOST from listening to 445. Guess I'd better install my favorite cheap-azz third-party software firewall and block it there. Once I've done so, I don't give a damn if SVCHOST still listens to 445, because unless there's a buffer 'sploit in the firewall software itself, SVCHOST won't get any of the traffic anyways."
    - Me, after 5 more minutes.

    "I knew this was gonna happen."
    - Me, when I read about the DCOM hole last month.

    Security is a process, not a product. The process is "Everything is forbidden except what is permitted. Run no services other than the bare minimum required to get the box to bring up a GUI. Run no services that listen to any network traffic unless explicitly started by the user."

    Insecurity is a product, not a process. The product is "DCOM should be on by default because pointy-haired bosses won't be able to do $NEW_OFFICE_SUITE_FEATURE without it, nobody buys the OS for anything other than running Office and Outleak."

    Repeat ad nauseam with IIS on/enabled by default (CodeRed), the ActiveX/scripting settings for MSIE (Drive-by downloads), the out-of-the-box UPnP vulnerability (port 1900), popup "spam" (port 135), etc.

    Basically, every time M$ has the choice between security (Built shiny thing. Disable by default and have applications respond with an error message telling users how to turn shiny thing on if and only if the shiny thing is required by some user action), and stupidity (Oooooh, shiny thing! Enable by default and assume there are no bugs in the code anywhere!), Bill and friends have chosen stupidity.

  • by TheQuantumShift (175338) <monkeyknifefight@internationalwaters.com> on Monday August 11, 2003 @06:04PM (#6669968) Homepage
    The silly thing is that most people called back when it was announced, (thanks evening news doomsayers...), with the fear of the "hackers" all through them. Now they're acting miffed when I say "a security issue that was announced in July, has not been patched on your system"... some guy even angrily took down the long distance # for ms support, because his pirate xp wouldn't auto update...
  • Bug/Feature?? (Score:4, Interesting)

    by RonnyJ (651856) on Monday August 11, 2003 @06:15PM (#6670086)
    A lot of people seem to think the executable is bugged, crashing the RPC service and causing Windows to shutdown. Seems like a good payload to me. In my example, my computer shut down within a few minutes. This makes it exceedingly hard for people to find information and download a patch to fix it, yet at the same time, the trojan is scanning and infecting others while you're trying to fix it. I was struggling to download the patch on modem, took about 5 shutdowns until I had it. Also, at this moment, the main cable provider in the UK seems swamped with this problem, and I don't think it'll go away fast.
  • by aastanna (689180) on Monday August 11, 2003 @06:26PM (#6670190)
    because his pirate xp wouldn't auto update...
    That's actually a really good point, since microsoft won't let you autoupdate with pirated versions of the OS I bet a large percentage of home users are not going to be patched.

    I think it's pretty irresponsible of them not to allow the autoupdate really...the problem is they've created a monopoly in the home OS market, so people will pirate it, and they have a seriously flawed product, so there's no way around having a large number of flaws floating around in the uninformed general public.

    Disclaimer: I do not have a pirated copy of XP. I have a licenced version because my university made a deal with microsoft and it was free, but I use my powerbook for anything serious. Even with the autoupdate patching my system every week I still don't trust that box for anything more important than games.
  • Selinux root isn't the same as normal root.

    Oh, I know that, and you know that, but it's funny to watch people trying to install root-kits, or add new users. You want to shake them, and ask them - what are you doing - you're root already.. :)
    But once they realise they can't install their IRC bots or floodping people, they get bored.
    Oh, and why do people try and ftp to their own servers from that box?
    grep \@ .bash_history | grep \: | grep ftp
    Doh.

  • by Anonymous Coward on Monday August 11, 2003 @06:54PM (#6670501)
    Nope, you didn't screw up their system by installing software, you screwed it up by not patching it. Good work!
    It's always more convenient to blame Msft than to properly administer a system. Seriously, how difficult is windowsupdate?
  • by pclminion (145572) on Monday August 11, 2003 @06:59PM (#6670536)
    My /var/log/iptables_input_reject.log file is now a list of exploitable hosts ;-)

    I'm only KIDDING, jeez!

  • by billstewart (78916) on Monday August 11, 2003 @07:24PM (#6670740) Journal
    Blocking the various Microsoft ports will help prevent infections, but you should also block 4444 (the port the worm uses to communicate with other worms and the WormMaster) and (if it won't disrupt too much of your other activities, which it shouldn't) block tftp (which the worm uses to download attack code after getting infected.)

    That's not generic advice for the DCOM bug - for that you'll need to catch whichever of the MS ports are being abused this week. But it's guesswork advice for this particular instantiation of a worm that's exploiting it so you can at least slow down this one and isolate damage, and work on patching the actual holes in Windows so that you can prevent next week's worm that uses the same bug but some other inter-worm communication path from getting in.

    At least on the couple of machines I've looked at, TCP 4444 isn't used for anything (there's a UDP 4444 used for Kerberos 4-to-5 conversion or something.) TFTP gets used for things like uploading operating system versions to diskless PCs and routers, and still isn't something you should be accepting from the outside world, and for the most part (YMMV) is only used by administrators who are better off stomping worms first and upgrading routerware later. The Microsoft ports are used by all kinds of Microsoft applications - you almost certainly should be blocking them to and from the outside world, but whether to block them inside your internal nets, and where, is a decision you'll need to make based on how much of which MS network products you're actually using. (e.g. you don't want to kill all your thin-client PCs by killing off their mounts of the file servers - but you also don't want them infecting each other.)
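
The filtering advice in the comment above can also be used as a detection rule over firewall logs. The following is an added example, not part of the original thread: the netfilter-style log lines, the 10.0.0.0/8 internal range and the sweep threshold are constructed assumptions.

```python
"""Flag internal hosts whose firewall log entries match the traffic the
thread describes for this worm: 135/tcp probes, a shell on 4444/tcp and
a tftp (69/udp) download."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the site's address space
SCAN_THRESHOLD = 3                   # assumption: distinct 135/tcp targets

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Aug 11 17:02:11 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.23 PROTO=TCP SPT=3021 DPT=135
Aug 11 17:02:12 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.23 PROTO=TCP SPT=3022 DPT=4444
Aug 11 17:02:13 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.9 PROTO=UDP SPT=1040 DPT=69
Aug 11 17:03:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.1 PROTO=TCP SPT=1041 DPT=135
Aug 11 17:03:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.2 PROTO=TCP SPT=1042 DPT=135
Aug 11 17:03:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.3 PROTO=TCP SPT=1043 DPT=135
Aug 11 17:04:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.50 DST=198.51.100.80 PROTO=TCP SPT=1100 DPT=80
Aug 11 17:04:05 fw kernel: IN=eth1 OUT=eth1 SRC=10.0.0.77 DST=10.0.0.5 PROTO=TCP SPT=1200 DPT=135
Aug 11 17:04:09 fw kernel: truncated or unrelated line
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse(line):
    """Return (src, dst, proto, dport) or None if the line is not a TCP/UDP record."""
    fields = dict(FIELD.findall(line))
    try:
        return (ip_address(fields["SRC"]), ip_address(fields["DST"]),
                fields["PROTO"], int(fields["DPT"]))
    except (KeyError, ValueError):
        return None  # missing fields, bad address, or no destination port


def findings(lines, internal=INTERNAL, threshold=SCAN_THRESHOLD):
    """Map each suspicious internal host to the sorted list of rules it matched."""
    probes = defaultdict(set)   # internal source -> distinct 135/tcp targets
    result = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if proto == "TCP" and dport == 135 and src in internal:
            probes[src].add(dst)
        if proto == "TCP" and dport == 4444 and dst in internal:
            # Nothing legitimate is expected on 4444/tcp per the comment above.
            result[str(dst)].add("inbound 4444/tcp")
        if proto == "UDP" and dport == 69 and src in internal:
            result[str(src)].add("outbound tftp")
    for src, targets in probes.items():
        # One RPC connection is normal on a Windows network; a sweep is not.
        if len(targets) >= threshold:
            result[str(src)].add("135/tcp sweep")
    return {host: sorted(rules) for host, rules in sorted(result.items())}


if __name__ == "__main__":
    for host, rules in findings(SAMPLE_LOG.splitlines()).items():
        print(host, "->", ", ".join(rules))
```

A host that matches all three rules was contacted on 4444, fetched something over tftp and then began probing port 135 itself; a host matching only the tftp rule may simply be an administrator's machine.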

  • by Anonymous Coward on Monday August 11, 2003 @07:52PM (#6670985)
    I feel sorry for anyone depending on Windoze Update. Like many M$ products it's broken, at least part of the time. I'm pasting below a couple of posts from NT BugTraq and Full-Disclosure last month discussing this:
    -----------------
    Message: 16
    Date: Wed, 30 Jul 2003 17:09:14 -0500
    From: "Schmehl, Paul L" (email address removed)
    To:
    Subject: [Full-Disclosure] Patching networks redux

    For all those experts who have mastered patching your networks, please ignore this post.

    For the rest of you, testing has shown that some patch management tools are incorrectly reporting that MS03-026 is installed when it's not (notably Windows Update and Update Expert, among others.) The accuracy of the tool depends on how they check for the patch level. If they check the registry (like Windows Update and Update Expert do) they will *incorrectly* report that MS03-026 has been installed when in fact the files have not been updated. If they do MD5 checksums (like Hfnetchk or MBSA), they will correctly report the patch level.

    The Retina tool from eEye (and I would assume the IIS commandline tool as well) is correctly reporting what *is* patched and what is *not* patched, so you need to rely on those to give you accurate information. You could actually have users going to Windows Update and finding no patches available when in fact they are still vulnerable. You could also have users for whom you've pushed out the patch who have overwritten the files with older versions, yet your tools are reporting them as patched.

    Of course the experts never have these problems, but for the mere mortals, caveat emptor.

    Paul Schmehl (email address removed)
    Adjunct Information Security Officer
    The University of Texas at Dallas

    -----------------
    http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=9218

    MS03-026 - are you patched? Windows Update isn't sure!

    FYI, it is worth reminding people that some patch checking tools don't do a complete check. Windows Update doesn't check files, and it would seem that other products have problems also.

    Some tools only check for the presence of a registry key indicating that a hotfix was applied. Other tools, such as Shavlik's HFNetchk and MBSA (and others) actually check file details, including a checksum, to verify that the files in play are actually the right versions.

    I was speaking with Jeff.t.Parker @ hp.com about this issue. His observations confirm this (see below). If patched files are reverted to previous versions, for whatever reason, Windows Update and (at least in this case) Update Expert (and possibly other such tools) will incorrectly assert you have the patch applied when in fact you don't.

    He wrote in to advise that Update Expert (v6.0 build 6069) is giving erroneous results at least in some cases. After applying SP4 concurrently with MS03-026 (using Update Expert), Jeff noticed some interesting results. The resulting versions of the files contained in MS03-026 on some machines were;

    5.0.2195.6692  ole32.dll
    5.0.2195.6701  rpcrt4.dll
    5.0.2195.6702  rpcss.dll

    This led to Windows Update and Update Expert both reporting that the systems had MS03-026 applied (wrong). MBSA and eEye's Retina both said the systems *did not* have MS03-026 applied (right).

    While this may be a problem with the way Update Expert deploys Service Pack + Hotfix combinations, it also demonstrates the problem Windows Update has by not being able to examine file details (relying only on registry entries).

    How many systems are out there now who believe they have MS03-026 applied, can't get it offered to them from Windows Update, but in fact don't have it applied at all??

    Cheers, Russ - NTBugtraq Editor

    -----------------------
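
The two mailing-list posts quoted above turn on the difference between checking that an install was recorded and checking the files themselves. The following is an added example, not code from either post or from any of the tools they name: it simulates the situation in a temporary directory, with a JSON marker file standing in for the registry entry, constructed file contents, and SHA-256 used where the posts mention MD5 and file versions.

```python
"""Compare a marker-only patch check with a file-content check after the
patched files have been reverted, as described in the quoted posts."""
import hashlib
import json
import tempfile
from pathlib import Path

FILES = ("ole32.dll", "rpcrt4.dll", "rpcss.dll")  # file names from the post


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def write_build(sysdir, name, build):
    # Constructed stand-in content; real DLLs are not involved.
    (sysdir / name).write_bytes(f"{build} build of {name}".encode())


def install_patch(sysdir, marker):
    """Simulate a hotfix: replace the files, record the install, and return
    the expected digests (in practice these come from the vendor)."""
    manifest = {}
    for name in FILES:
        write_build(sysdir, name, "patched")
        manifest[name] = sha256(sysdir / name)
    marker.write_text(json.dumps({"installed": True}))
    return manifest


def marker_check(marker):
    """Marker-only tool: was an install ever recorded?"""
    return marker.exists() and json.loads(marker.read_text()).get("installed") is True


def file_check(sysdir, manifest):
    """File-verifying tool: names that are missing or do not match the manifest."""
    bad = []
    for name, digest in manifest.items():
        path = sysdir / name
        if not path.is_file() or sha256(path) != digest:
            bad.append(name)
    return bad


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp) / "system32"
        sysdir.mkdir()
        marker = Path(tmp) / "hotfix_marker.json"
        for name in FILES:
            write_build(sysdir, name, "original")
        manifest = install_patch(sysdir, marker)
        before = (marker_check(marker), file_check(sysdir, manifest))
        # Later, another installer puts an older file back and removes one.
        write_build(sysdir, "rpcss.dll", "original")
        (sysdir / "ole32.dll").unlink()
        after = (marker_check(marker), file_check(sysdir, manifest))
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("after install :", before)
    print("after revert  :", after)
```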
  • by Anonymous Coward on Monday August 11, 2003 @08:04PM (#6671083)
    My pirated version of XP auto updates just fine. Do all of you linux fags make this shit up?
  • by poptones (653660) on Monday August 11, 2003 @08:05PM (#6671089) Journal
    Win2K pre-SP3:

    spam popups every day; port 135 wide open, DCOM blazing away

    Post-SP3:

    no popups; port 135 still wide open, but not much there because DCOM is now DISABLED.

    Like I said: it's just a "junk box" I setup the other day because the power supply died in my "good" server box. I haven't installed the googleplex of win2k patches because I don't think it's worth it - I'm only using it temporarily and if it gets hit I'll reinstall the OS (or stick a freesco floppy in the drive and reboot). This is just something I noticed when I read today's "warning" and went into that machine to disable the offending service.

  • DSL Users beware... (Score:5, Interesting)

    by Lodragandraoidh (639696) on Monday August 11, 2003 @09:11PM (#6671514) Journal
    Just bought my wife a new XP machine - because she has been having issues with the crappy linux boxes I have given her [300mhz should be fast enough for anyone...](all of my machines are Linux - daughter has an old win98 and a linux box on kvm).

    She complained that her computer was shutting down all day - get this, I don't have any ports enabled on my router - it's closed tighter than duck's ass.

    So, I'm sitting there, and she decides to turn her machine back on - a few minutes later....BAM...my whole DSL network goes down.

    So, not making the cause and effect connection, I call my local phone company. They are able to ping my DSL modem. So they go through the motions, and get me to hook up my XP machine to the network directly through the DSL modem...friggin' brilliant. I hook it up, and ...BAM! again... This time it's an 'RPC' call error - 'shutting system down' message. Crap. I shut the system down and pull it completely off the network.

    I then check my linksys router - everything on it is reset to the defaults...everything. No PPPoE settings, no password [it's set to the default] - nada, nothing, zip.

    I reset everything, and up comes my network - that's when I browse on over to /. and see this post about the worm. I do a little forensics and find the c:\winnt\system32\msblast.exe, and c:\winnt\system32\pre[a-Z*]\msblast.exe.23oiu4i734 - I assume the pftp scratch file. Son-of-a-bitch.

    I also look for the registry entry to restart the worm - but don't find it (so far, so good). I delete the scratch file ok, but the msblast.exe file will not delete (the system says the wheel user isn't authorized - what kind of Mickey-Mouse operating system is this!!?)

    I want to know:
    1. how to clean this up?
    2. how the hell did this thing ZAP my Linksys with all the ports disabled?
    3. where the hell can I get my $99 back for this bogus operating system?
  • by roothog (635998) on Monday August 11, 2003 @09:21PM (#6671572)
    I'm a bit surprised at the number of universities hit hard by the virus. Here at the University of Wisconsin, our peering router has been blocking ports 135-139 and 445 [wisc.edu] since August 1. All students were notified by email to update their systems, for whatever good that may do.

    I suppose all it takes is a single infected laptop connected behind the router to render port blocking moot, though... At least it gave administrators of the various department networks a chance to patch their systems and mitigate damage.
  • Re:On the way? (Score:5, Interesting)

    by Sethb (9355) <bokelman@gmail.com> on Monday August 11, 2003 @10:49PM (#6672026) Homepage
    You want to know what a real University setting is like? I've worked at 2 of the 3 state Universities here, and generally it's a mishmash of 20% Win95, 40% Win98, 20% Win2000, and 20% Windows XP machines, none of which authenticate to a domain, administered by someone who started working there as a student, but was kept on after graduation because they were cheap labor.

    Patches? Well the user should take care of that, right? After all, they've got Internet Explorer, they can surely remember to visit WindowsUpdate and get patches on their own.

    Oh, AntiVirus definitions? Well, our software doesn't update those automatically, you've got to click the icon and push update every month or so, but the users can do that.

    None of the above is hyperbole, and were actually the standard practices as recently as 18 months ago.

    Heck, doing testing? That'd require a SECOND computer for each technician! That'd cost money! We can't afford to buy TWO computers for one person, we're already splurging on 1 IT person per 500 computers! Oh, and we gave you 1 student who's slightly above minimum wage too. What more do you want?
  • by Spy Hunter (317220) on Tuesday August 12, 2003 @01:36AM (#6672846) Journal
    Actually, that's a different worm. I should know, I've been infected by both of these in the last week :-) I've been running an unpatched XP install on my desktop. I don't have any antivirus software installed (the only really successful worms are the ones that aren't stopped by antivirus software, what's the point?) so I have to defeat viruses myself in open combat ;-)

    Anyway, the one thing I found that killed them both is Notepad. Just open up the executable in Notepad, type a few random characters here and there, erase some things, mess up the file header, and then save right over the virus! They're never expecting that. Make sure to kill the virus processes first, of course, or else you'll get the infamous "access violation". (In the case of msconfig32.exe, you must use the command-line tools 'tasklist' and 'taskkill') The viruses might restore themselves if you remove them from the registry, or delete the file, but they're not expecting you to corrupt the executable. If Windows, in its infinite stupidity, tries to run the virus again, it will fail harmlessly.

    P.S. I know, I know, you're wondering why I'm running an unpatched XP install on my desktop. Well, I just reinstalled, and only have dialup, and I'm going back to college in a month where there's super-broadband. Downloading 30+ MB (conservative estimate) of service packs, patches, hotfixes, and updates over dialup (not even 56k, more like 28.8) seems pointless. Besides, it's interesting seeing actual virus infections happen and fixing them myself. If anything goes horribly wrong, I have my XP cd right here to reinstall again. I'll be reinstalling and patching when I get back to a real internet connection.

  • by freev (680748) on Tuesday August 12, 2003 @04:16AM (#6673330)
    It seems that it has caused a worldwide panic!

    I am a university student in mainland China; we connect to the Internet via the firewall of our university. In recent days, many computers on the local network were attacked by hackers using the RPC vulnerability. PCs which were attacked reboot without any reason. Some displayed "scvhost.exe runtime error! The computer is going to shutdown within 60 seconds..."

    Someone said that running Dcomcnfg.exe and disabling "Windows Distributed Component Object Model" would help. I was wondering why, and whether that really works. Since I have installed the patch for Windows XP, I can't check it myself.

    P.S. This is my first time posting a reply on slashdot.org. :)
  • by Anonymous Coward on Tuesday August 12, 2003 @09:44AM (#6674611)
    I've just had a user report of our program crashing in a location it never should crash. The program's entirely local, not doing remote comms stuff at all. I'd just finished putting in some logging code when the user called back: don't worry, it's ok, it's probably the new worm...

    In case you get hit by this: what our program was doing was creating some classes in one (MTA) thread, using CoMarshalInterThreadInterfaceInStream to ship them over to another (STA) thread that used CoGetInterfaceAndReleaseStream to unwrap them. And suddenly CoGetInterfaceAndReleaseStream was returning null pointers!

    So now I've designed a new message into our program to deal with the case when that should-never-be-NULL pointer is NULL: "The DCOM feature of Windows is not working properly. This problem may have been caused by a virus: please check your system". I hope this strikes the right balance between informing and alarming the user...

  • by witts (552031) on Tuesday August 12, 2003 @11:44AM (#6675899) Homepage
    I've noticed that just recently the media is reporting more detail about computer viruses. In the past, they would just mention that a virus was spreading, maybe how many computers are affected, and that was about it. Now they often report the afflicted operating system, which we all know is almost always Microsoft's demon seed. Maybe the average computer user will learn that Microsoft is totally insecure and cause them to have second thoughts about upgrading to Microsoft's next great OS. But at least the media is no longer hiding this info from the public, who probably thinks that computer viruses spread to all computers equally on the Internet, and don't understand how specific viruses really are 99% of the time.
