RE: MSBLASTER Infecting despite 03-026 patch?

From: Vachon, Scott (Scott.Vachonat_private)
Date: Wed Aug 13 2003 - 05:49:31 PDT


    >I can confirm this. I discovered the worm when it attempted (and failed)
    >to infect my machine (Win XP pro) this afternoon. Immediately after
    >securing the firewall setting that left me vulnerable to the port 135
    >attack I checked windowsupdate.microsoft.com and confirmed that I had in
    >fact installed the patch a few weeks earlier. While security software on
    >my system prevented the overflow payload from using tftp the payload
    >managed to terminate the RPC svchost process twice forcing a system
    >halt. This is similar to the effects of the WinNuke exploitation of a
    >similar overflow bug in RPC earlier in the year.
    
    Ditto this. I witnessed it firsthand on patched Win XP Pro systems. Scanning with SARC's Fixblast.exe confirmed NO infection. In WinXP Pro I noted in the RPC service settings that a failure of the service to start was set to reboot the system. The XP Pro RPC settings allow 3 instances with differing responses. I set each of these to Take No Action. I have had no problems on any of the systems I own since, nor with some of my personal clients. On another related note, my daily Deepsite Analyzer report (which normally reports no activity) came back with 111 attempts yesterday.
    
    ~S~
    
    
    Disclaimer: My own two cents.
      
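The recovery change described in the message above, as an added example that is not part of the original post: it checks the Recovery settings of the RPC service (RpcSs) from an administrator command prompt and sets all three failure responses to Take No Action with sc.exe, which is the command-line form of the change the poster made in the services UI. It assumes sc.exe is present (Windows XP Pro and later) and that its output is in English, since the check keys on the literal "REBOOT" string that sc qfailure prints for a "Restart the Computer" response.

```batch
@echo off
rem Added example (not from the original post): inspect and clear the
rem recovery actions of the RPC service (RpcSs) so a crash of the service
rem no longer forces a system halt. Run from an administrator prompt.
rem Assumptions: English sc.exe output (the check keys on "REBOOT");
rem sc.exe present (Windows XP Pro and later).

set SVC=RpcSs

echo Current recovery settings for %SVC%:
sc qfailure %SVC%

rem FAILURE_ACTIONS lists one entry per response (first, second, subsequent
rem failures). "REBOOT" in any of them is the setting that turns a crash of
rem the RPC service into a forced reboot.
sc qfailure %SVC% | find "REBOOT" >nul
if %ERRORLEVEL%==0 (
    echo WARNING: %SVC% is configured to reboot the computer on failure.
) else (
    echo %SVC% has no reboot action configured; nothing to change.
    goto :eof
)

rem reset= 0 zeroes the failure counter; an empty actions= list sets all
rem three responses to "Take No Action".
sc failure %SVC% reset= 0 actions= ""
if not %ERRORLEVEL%==0 (
    echo ERROR: could not change recovery settings ^(are you an administrator?^)
    exit /b 1
)

echo New recovery settings for %SVC%:
sc qfailure %SVC%

rem Verify that the reboot action is really gone.
sc qfailure %SVC% | find "REBOOT" >nul
if %ERRORLEVEL%==0 (
    echo ERROR: reboot action still present for %SVC%
    exit /b 1
)
echo Done. This only stops the forced reboot; it does not stop the RPC
echo service from being crashed, and the MS03-026 patch is still required.
```

Run it once per machine; it is idempotent because it exits early when no reboot action is configured. The caveat in the last two lines matters: clearing the recovery action removes the symptom the poster saw (the halt), not the cause, so the host is still exposed on TCP 135 until the patch is installed and the port is filtered.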
    



    This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 08:11:37 PDT