Little tool to disable DCOM(135) Locator(445) and NetBIOS (137/138/139)

Discussion in 'other software & services' started by gkweb, Mar 23, 2004.

Thread Status:
Not open for further replies.
  1. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi here,

    I have made a small app because I needed it, as did some friends.
    Everyone knows that current worms use Windows vulnerabilities, but these services, once patched, are still accessible and ready to be exploited by the next exploit.
    The simplest is to disable them, and so, even without firewalls, those worms can't hurt you anymore via the Internet.

    http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/images_site/wwdc.jpg

    http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/wwdc.htm

    No setup, no DLL, just a tool to use to switch on/off these ports.


    It has been deeply tested on both XP and 2000, but if however you find a problem or simply have suggestions or ideas, please post them ;)

    I hope it will be useful for some

    :)

    EDIT:
    To see the results after a reboot, type at the command line:
    netstat -ano

    Closed ports should not appear.
    However, DCOM, even when disabled, does not close port 135 but simply stops listening on it.
     
    Last edited: Apr 14, 2004
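
An added example, not part of gkweb's post or of the WWDC tool: a small Python check that parses `netstat -ano` output and lists any of the thread's ports (135, 137, 138, 139, 445) that are still bound locally. The sample output is constructed, and the parser assumes the English-language Windows column layout.

```python
import subprocess
import sys

# Ports named in the thread title: 135, 445 and NetBIOS 137/138/139.
WATCHED = {135, 137, 138, 139, 445}

# Constructed sample of `netstat -ano` output, not captured from a real host.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1046      198.51.100.7:445       ESTABLISHED     1234
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:137       *:*                                    4
  UDP    192.168.1.10:138       *:*                                    4
"""


def open_watched_ports(netstat_text, watched=WATCHED):
    """Return sorted (proto, port, local_address, pid) for watched ports still bound."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or other text
        proto, local, pid = fields[0], fields[1], fields[-1]
        # TCP rows carry a State column; only LISTENING sockets accept connections.
        # UDP rows have no State column, so any bound UDP port counts.
        if proto == "TCP" and (len(fields) < 5 or fields[3] != "LISTENING"):
            continue
        # rpartition handles IPv6 locals such as [::]:135 as well as IPv4.
        addr, _, port = local.rpartition(":")
        if port.isdigit() and int(port) in watched:
            found.add((proto, int(port), addr, pid))
    return sorted(found)


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE  # fall back to the constructed sample off Windows
    hits = open_watched_ports(text)
    for proto, port, addr, pid in hits:
        print(f"{proto} {port} still bound on {addr} (PID {pid})")
    sys.exit(1 if hits else 0)
```

The outbound connection to a remote port 445 in the sample is deliberately not reported, since only the local port matters here.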
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Kharma cookie coming your way :cool:

    regards.

    paul
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Thank you Paul :)
     
  4. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    It does look like a pretty nifty little app. ;)
     
  5. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Thank you :)

    And see a nasty worm which shows that these ports aren't going to stop being used:

    W32.HLLW.Gaobot.RS
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.rs.html

    I have a friend infected by a previous Gaobot version.
     
  6. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Oh gkweb, this looks great!
    I already have several people in mind that could use this! :D
     
  7. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    This is certainly much needed as I know people who have difficulties with these ports. One question: is it advisable to use it if your firewall already has these ports stealth blocked?

    I will be adding this to my security CD of tools - thank you.
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Yes, you can close them even if a firewall is preventing network traffic from reaching them (e.g. closed or stealth).
    I am personally in this case, and I have closed them anyway.

    A firewall doesn't rely on the port status (which could thus be either opened or closed) but just blocks traffic.

    So you can safely disable them :)

    ( At worst, if you mistakenly disabled something and need it afterwards, you can enable it again with the prog)
     
  9. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I have created a dedicated page on my website :

    http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/wwdc.htm

    All future versions (if any) will be available there.

    regards,

    gkweb.
     
  10. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thanks for this information, I forgot to tick notify of replies and had to search for this topic again. I appreciate the advice that things can be reset if necessary; very nice screen shots to see the program in operation which really does help.
     
  11. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Looks like a good little app. I'm going to pass it on to a few of my friends as well. Good job gkweb, keep up the good work.
     
  12. Grasshopper

    Grasshopper Registered Member

    Joined:
    Sep 30, 2002
    Posts:
    77
    Hey gkweb,

    I have used other applications to do the same thing, but it's great to have them all in one neat little package.
    Nice work and thanks,

    Frank
     
  13. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Thank you ;)

    Don't miss the v1.1 version on my site, just a GUI improvement.

    regards,

    gkweb.
     
  14. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi gkweb :)

    Nice little app.. :D

    Question: On your site, you have a caveat re Kerio 2.1.5, so does this mean you advise NOT to run your proggy as I have Kerio2.1.5 version.

    IF I do, by "Application Fatal Error" does Kerio quit/exit and won't run? Permanently/Temporary?

    Cheers, TAS
     
  15. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    All that I can say is that Kerio displays the error message I have written on the page, so I suppose, if I believe Kerio, that the protection is off.
    So indeed I would not advise people to disable their firewall :)
    At worst you can try it; if it bugs then you can uninstall/install it again.

    Kerio 4.x however doesn't have this bug.

    regards,

    gkweb.
     
  16. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Hi gkweb

    Does this little tool of yours do the same job as Steve Gibson's DCOMbob.exe, shootthemessenger.exe and unPnP.exe?

    Would you recommend uninstalling those before installing yours, does it matter or do you think there would be conflicts?

    :rolleyes:
     
  17. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    The first button, "disable DCOM", does the same as DCOMBobulator from Steve Gibson, so if you launch the tool, Windows Worms Doors Cleaner will tell you that DCOM is already disabled, so no conflicts for now.

    WWDC does not do what "shootthemessenger" and "unPnP" do, so again no conflicts.

    The tools from Steve Gibson you use disable: DCOM, messenger service, uPnP service

    WWDC from me disables: DCOM, Locator, NetBIOS.

    So you can perfectly well keep your other tools ;)

    regards,

    gkweb.
     
  18. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Hi gkweb

    Thanks for the explanation! Have d/l'd and installed it and seems OK..

    Another little layer of security!!

    Merci beaucoup..



    :D :D
     
  19. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    I have Steve's tools but I thought I would drop in yours anyway and it told me RPC was not disabled :eek: this surprised me... so thank you gkweb :)
    cookie for you ;)
     
  20. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Often Windows updates enable services again without telling you, so you can have perfectly disabled it in the past, and an update will have enabled it afterwards.

    I have seen that too, don't remember if it was after a Windows update though.
    (Currently both Steve's tool and mine agree that DCOM is disabled on my comp.)

    Always keep an eye on those services after updates :)

    Thanks for the cookie ;)

    regards,

    gkweb.
     
  21. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
  22. Khaine

    Khaine Registered Member

    Joined:
    Oct 2, 2002
    Posts:
    127
    Thanks gkweb :)

    What method does your program use to disable the ports, as there are several different ways of doing this?
     
  23. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    All the methods which exist always end in the same thing, a registry modification, so I do that directly.

    regards,

    gkweb.
     
  24. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    GK,
    nice work. Great little proggy. Now if only I could get my FW to pass all those Darn Leak Tests :rolleyes:
    Kudos to ya' my man!!

    Regards,
    bill :)
     
  25. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Thank you Bill ;)

    In the new 1.2 version you can do more, all is explained in the changelog
    (still nothing to do with leaktests, sorry ;))


    Happy you like it :)

    regards,

    gkweb.
     