echo: nthelp
to: Frank Haber
from: Geo.
date: 2007-04-18 14:00:44
subject: Re: MS DNS worm on the loose

From: "Geo." 


"Frank Haber"  wrote in message
news:46264038$1{at}w3.nls.net...
> This one?  (Copied from your FD scraping group below, and THANKS again for


nope, this one

http://isc.sans.org/diary.html?storyid=2643

don't bother with the mcafee link, it's got bad info. The worm is spreading
via the MS DNS RPC exploit and also via file shares once it gets inside a
network. Not sure how the file share part is allowing it to spread but I
have confirmed that if it gets in then it will spread to other W2K machines
that are not running dns.

We have one downstream ISP who has been chasing this thing around all day.
They have about 9 infected machines now.

cure for the worm

Once you clean the machine, use regedit and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
and create a new entry: RpcProtocol (reg-dword) and set it equal to 4, then reboot.

This turns off RPC for dns; it breaks the dns manager application so that
it can't connect from one machine to another, but it will keep the box from
getting re-infected again until MS comes out with a patch.

Geo. (it probably breaks active directory as well but that should not be an
issue for external exposed dns servers)

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 5030/786
@PATH: 379/45 1 633/267
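An added PowerShell example (not part of Geo's post or the original thread) that checks whether the RpcProtocol workaround described above is in place and, when asked, applies it. It assumes an elevated session on the DNS server itself; the key path and the value 4 are taken from the post, and the `Get-DnsRpcProtocol`/`Test-DnsRpcMitigation`/`Set-DnsRpcMitigation` names are this example's own.

```powershell
# Added example, not code from the original post. Run elevated on the DNS server.
# The key path and the value 4 come from the post: 4 restricts the DNS RPC interface
# to local use, so remote RPC management (and the remote exposure that goes with it)
# stops working until a patched DNS server is installed.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'RpcProtocol'
$Mitigated = 4

function Get-DnsRpcProtocol {
    # Returns the current DWORD, or $null when the value (or the whole key) is absent.
    if (-not (Test-Path $KeyPath)) { return $null }
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $ValueName)) {
        return $null
    }
    return [int]$props.$ValueName
}

function Test-DnsRpcMitigation {
    # $true only when the DNS service exists on this host and RpcProtocol is exactly 4.
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Warning 'DNS service is not installed on this host'; return $false }
    return (Get-DnsRpcProtocol) -eq $Mitigated
}

function Set-DnsRpcMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $KeyPath)) { throw "Registry key $KeyPath not found; is the DNS role installed?" }
    $current = Get-DnsRpcProtocol
    if ($current -eq $Mitigated) { Write-Host 'RpcProtocol is already 4; nothing to do'; return }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "set DWORD to $Mitigated (was: $current)")) {
        # New-ItemProperty creates the value; -Force overwrites one that already exists.
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Mitigated -Force | Out-Null
        # The post reboots. This example assumes a DNS service restart is enough for the
        # new value to be read; reboot instead if you want to follow the post exactly.
        Restart-Service -Name DNS
    }
}

# Report the current state, then preview the change with -WhatIf before applying it.
"RpcProtocol is currently: $(Get-DnsRpcProtocol)"
"Mitigation in place: $(Test-DnsRpcMitigation)"
Set-DnsRpcMitigation -WhatIf
```

Drop `-WhatIf` on the last line to actually apply the change; as the post notes, remote DNS Manager connections (and possibly AD-integrated management) stop working until the value is removed.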

SOURCE: echomail via fidonet.ozzmosis.com
