From: "Geo." 

"Mike N."  wrote in message
news:1lhh90tqvoc7vb46jb0mmucho20ue8dr93{at}4ax.com...

>   I did a double take at who wrote the message.  You BLOCKED something?
> What about requests from port > 1024 which happens to be 5554?   How does
> blocking 5554 stop spreading - no Microsoft services use that port?
> Shouldn't you be blocking 445 instead?

Yes, this was for survival though, we doubled our normal support staff and
still could not keep up with all the calls about infected machines. This
way we still got the calls but the machines didn't get infected so fixing
it was easier. We'll remove the block in about a month once we get caught
up on support calls .

Blocking 445 was definitely out but since the worm used 5554 for the ftp
transfer without which it could not infect a machine and since we don't
have a whole lot of customers running exploitable IRIX support partner
subsystem over the net I figured we could get away with it for a couple
weeks.

Geo. (we only blocked it at the backbones, customers can still infect each
other across most segments of our network)

--- BBBS/NT v4.01 Flag-5