Little tool to disable DCOM (135), Locator (445) and NetBIOS (137/138/139)
gkweb
March 23rd, 2004, 09:51 AM
Hi here,
I have done a small app because I needed it, as well as friends.
Everyone knows that current worms use Windows vulnerabilities, but these services, even patched, are still accessible and ready to be exploited by the next exploit.
The simplest is to disable them, and so, even without a firewall, those worms can't hurt you anymore via the Internet.
http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/images_site/wwdc.jpg
http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/wwdc.htm
No setup, no DLL, just a tool to use to switch on/off these ports.
It has been deeply tested on both XP and 2000, but if however you find a problem or simply have suggestions or ideas, please post them ;)
I hope it will be useful for some
:)
EDIT:
To see results after a reboot, type in the command line:
netstat -ano
Closed ports should not appear.
However, DCOM, even when disabled, does not close port 135 but simply stops listening on it.
Paul Wilders
March 23rd, 2004, 10:02 AM
Karma cookie coming your way 8)
regards.
paul
gkweb
March 23rd, 2004, 10:09 AM
Thank you, Paul :)
bigc73542
March 23rd, 2004, 10:13 AM
It does look like a pretty nifty little app. ;)
gkweb
March 23rd, 2004, 10:32 AM
Thank you :)
And here is a nasty worm which shows that these ports are still going to be used:
W32.HLLW.Gaobot.RS
Quote:
* The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
* The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445.
* The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
* The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445.
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.rs.html
I have a friend infected by a previous Gaobot version.
snapdragin
March 23rd, 2004, 10:33 AM
Oh gkweb, this looks great!
I already have several people in mind that could use this! ;D
Robyn
March 23rd, 2004, 10:41 AM
This is certainly much needed as I know people who have difficulties with these ports. One question: is it advisable to use it if your firewall already has these ports stealth blocked?
I will be adding this to my security CD of tools - thank you.
gkweb
March 23rd, 2004, 10:45 AM
Yes, you can close them even if a firewall is preventing network traffic from reaching them (e.g. closed or stealthed).
I am personally in this case, and I have closed them anyway.
A firewall doesn't rely on the port status (which could thus be either open or closed) but just blocks traffic.
So you can safely disable them :)
(At worst, if you mistakenly disabled something and need it afterwards, you can enable it again with the program.)
gkweb
March 23rd, 2004, 07:27 PM
I have created a dedicated page on my website:
http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/wwdc.htm
All future versions (if any) will be available there.
regards,
gkweb.
Robyn
March 24th, 2004, 03:19 PM
Thanks for this information, I forgot to tick notify of replies and had to search for this topic again. I appreciate the advice that things can be reset if necessary; very nice screen shots to see the program in operation which really does help.
notageek
March 24th, 2004, 11:38 PM
Looks like a good little app. I'm going to pass it on to a few of my friends as well. Good job gkweb, keep up the good work.
Grasshopper
April 3rd, 2004, 04:57 PM
Hey gkweb,
I have used other applications to do the same thing, but it's great to have them all in one neat little package.
Nice work and thanks,
Frank
gkweb
April 3rd, 2004, 05:03 PM
Thank you ;)
Don't miss the v1.1 version on my site, just a GUI improvement.
regards,
gkweb.
Tassie_Devils
April 3rd, 2004, 11:01 PM
Hi gkweb :)
Nice little app.. ;D
Question: On your site, you have a caveat re Kerio 2.1.5, so does this mean you advise NOT to run your proggy, as I have the Kerio 2.1.5 version?
If I do, by "Application Fatal Error" does Kerio quit/exit and won't run? Permanently or temporarily?
Cheers, TAS
gkweb
April 4th, 2004, 06:29 AM
All that I can say is that Kerio displays the error message I have written on the page, so I suppose, if I believe Kerio, that the protection is off.
So indeed I would not advise people to disable their firewall :)
At worst you can try it; if it bugs, then you can uninstall/install it again.
Kerio 4.x, however, doesn't have this bug.
regards,
gkweb.
Oremina
April 4th, 2004, 10:24 AM
Hi gkweb
Does this little tool of yours do the same job as Steve Gibson's DCOMbob.exe, shootthemessenger.exe and unPnP.exe?
Would you recommend uninstalling those before installing yours, does it matter or do you think there would be conflicts?
::)
gkweb
April 4th, 2004, 10:30 AM
The first button, "disable DCOM", does the same as DCOMbobulator from Steve Gibson, so if you launch the tool, Windows Worms Doors Cleaner will tell you that DCOM is already disabled, so no conflicts for now.
WWDC does not do what "shootthemessenger" and "unPnP" do, so again no conflicts.
The tools from Steve Gibson you use disable: DCOM, Messenger service, UPnP service
WWDC from me disables: DCOM, Locator, NetBIOS.
So you can perfectly keep your other tools ;)
regards,
gkweb.
Oremina
April 4th, 2004, 10:54 AM
Hi gkweb
Thanks for the explanation! Have d/l'd and installed it and it seems OK..
Another little layer of security!!
Thank you very much..
;D ;D
Rainwalker
April 4th, 2004, 02:33 PM
I have Steve's tools but I thought I would drop in yours anyway and it told me RPC was not disabled :o This surprised me... so thank you gkweb :)
cookie for you ;)
gkweb
April 4th, 2004, 04:48 PM
Quote:
and it told me RPC was not disabled :o
Often Windows updates enable services again without telling you, so you can have perfectly disabled it in the past, and an update will have enabled it afterwards.
I have seen that too, don't remember if it was after a Windows update though.
(Currently both Steve's tool and mine agree that DCOM is disabled on my comp.)
Always keep an eye on those services after updates :)
Thanks for the cookie ;)
regards,
gkweb.
Rainwalker
April 4th, 2004, 07:24 PM
8)
Khaine
April 6th, 2004, 01:17 AM
Thanks gkweb :)
What method does your program use to disable the ports, as there are several different ways of doing this?
gkweb
April 6th, 2004, 06:21 AM
All the methods which exist always end in the same thing, a registry modification, so I do that directly.
regards,
gkweb.
eyespy
April 14th, 2004, 12:36 PM
GK,
Nice work. Great little proggy. Now if only I could get my FW to pass all those darn leak tests ::)
Kudos to ya' my man!!
Regards,
bill :)
gkweb
April 14th, 2004, 12:44 PM
Thank you Bill ;)
In the new 1.2 version you can do more; all is explained in the changelog
(still nothing to do with leaktests, sorry ;))
Happy you like it :)
regards,
gkweb.
eyespy
April 14th, 2004, 12:52 PM
Paul,
maybe a good addition to the "Free Tools" section!
Regards,
bill :)
Wayne - DiamondCS
April 27th, 2004, 02:24 AM
gkweb, great little utility! Nice and tidy at 54kb too - the joys of having complete control over the source code at assembly level. :)
Cheers,
Wayne
gkweb
April 27th, 2004, 06:12 AM
Thank you Wayne ;)
OMG, you have looked at it in assembly, you should have seen the hidden text "I don't like Wayne because I know he will look at my prog in ASM" ;D
j/k of course ;)
Pilli
April 27th, 2004, 07:53 AM
Great job GK :) Works fine in Server 2003 as well
gkweb
April 27th, 2004, 08:20 AM
Thank you :)
A question to users of the tool: I have had user reports telling me that WWDC was saying, for instance, that RPC Locator was enabled on their system whereas port 445 was closed. This is because NetBIOS was disabled on their system, and since Locator depends on it, it wasn't started.
However, as soon as these people enable NetBIOS again, RPC Locator will be enabled (port 445 open) because it wasn't disabled in the registry.
So there are two possibilities:
- like now, the tool says it's enabled unless explicitly disabled in the registry
- check open ports at start, and don't check the registry if the port is closed (so say "service X disabled" instead of "enabled").
What do you think about it?
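The two approaches gkweb weighs above (trust the registry, or trust the open ports) can be combined into one audit that reports three states instead of two, so a service that is merely not started because its dependency is off is not mistaken for one that was actually disabled. This is an added example, not WWDC's code: the netstat -ano listing and the registry view are constructed sample data, and on a real host they would come from running netstat and reading the registry.

```python
"""Audit the three services WWDC toggles by combining a netstat -ano listing
with the registry state the tool writes.  Sample data is constructed."""
import re

# Service -> TCP port as the thread associates them.
SERVICE_PORTS = {"DCOM": 135, "RPC Locator": 445, "NetBIOS": 139}

# Constructed netstat -ano output: 135 listening, 445 and 139 absent.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       864
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1212
  TCP    192.168.1.5:1045       192.168.1.1:80         ESTABLISHED     1920
  UDP    0.0.0.0:500            *:*                                    720
"""

# Constructed registry view: True means "explicitly disabled in the registry".
# Here NetBIOS is disabled, which is why Locator never started on 445.
SAMPLE_REGISTRY = {"DCOM": False, "RPC Locator": False, "NetBIOS": True}

# One TCP line in LISTENING state: local addr, local port, pid.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_ports(netstat_output):
    """Return {port: pid} for every TCP socket reported as LISTENING."""
    ports = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            ports[int(m.group(2))] = int(m.group(3))
    return ports


def classify(service, registry_disabled, listening):
    """Three states: the registry flag decides whether the change survives a
    reboot (and, as the thread notes, DCOM keeps 135 open even when disabled,
    so the port alone is not a reliable signal); the port decides whether the
    service is reachable right now."""
    if registry_disabled:
        return "disabled"
    if SERVICE_PORTS[service] in listening:
        return "enabled"
    return "enabled (not listening)"   # will come back once its dependency does


def audit(netstat_output, registry):
    listening = listening_ports(netstat_output)
    return {s: classify(s, registry[s], listening) for s in SERVICE_PORTS}
```

Run against the sample data, RPC Locator is reported as "enabled (not listening)", which is exactly the case the users in the thread were seeing.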
JBNymble
April 27th, 2004, 08:31 AM
Hi "~GUyz~",
Very nice proggie! Thanks for the link. Here is one that I have used; it doesn't block the ports but it shuts the DCOM service off. It's called "Safe-XP" but it will work for other Windoze OSes. It also gives you access to some other features. You don't have to install it, it doesn't make any registry changes, and it doesn't create any DLLs.
You can read about and download it here. "Click Here" (http://www.theorica.tk/)
Best Wishes,
"~JaK~" =:-)
gkweb
April 27th, 2004, 11:42 AM
Quote:
gkweb, great little utility! Nice and tidy at 54kb too - the joys of having complete control over the source code at assembly level. :)
Cheers,
Wayne
Oops, I think I didn't understand well the first time :-/
If you mean that you think I have done it in assembler, you are not right, I still use my lovely PureBasic ;)
(The executable is packed with UPX; its original size is more like 140 KB, which is still very small for the amount of code behind it.)
dog
April 27th, 2004, 03:30 PM
Hi gkweb,
Just noticed this thread yesterday (Apr. 26)
Thanks for the great proggy! :D It has a wonderful home on my box ... right in between Steve's 3 musketeers and Safe XP.
Where would I be without all of you?
Thanks much! ;)
Dog - *puppy*
anonymous
May 4th, 2004, 10:37 AM
From your latest 1.3 upgrade, do you now do the same as Steve Gibson's tool?
gkweb
May 4th, 2004, 12:49 PM
Steve Gibson has done many tools; which one are you talking about?
Nevertheless, yes, it disables critical Windows services that Gibson's tools offer to disable, such as UPnP, DCOM RPC, and Messenger.
I don't want to be a Steve Gibson competitor, I just wanted to have an "all in one" tool easy to use :)
regards,
gkweb.
Copyright ©2002 - 2012, Wilders Security Forums