See also the following threads:

RPC DCOM Exploit - Widespread use...
http://www.wilderssecurity.com/showthread.php?t=11991

Outbreaks of RPC vulnerable systems
http://www.wilderssecurity.com/showthread.php?t=12324

[hr]

From TrendMicro:

Dear Trend Micro customer,

TrendLabs has received several infection reports of this new worm named WORM_MSBLAST.A which exploits the RPC DCOM BUFFER OVERFLOW, a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

This worm has been observed to continuously scan and send data to vulnerable systems in the network using port 135. When the system date is August 15, it performs a Distributed Denial Of Service attack against windowsupdate.com.

As of 1:54 PM, US Pacific Time, Trend has declared a yellow alert to control the spread of this malware.

TrendLabs HQ will be releasing the following EPS deliverables within the next few minutes:

- Official Pattern Release 604
- TMCM Outbreak Prevention Policy 43
- Damage Cleanup Template 143

--snip--

For more information on WORM_MSBLAST.A, please visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

[hr]

From Sophos:

W32/Blaster-A

Aliases: W32/Lovsan.worm, W32.Blaster.Worm, WORM_MSBLAST.A
Type: Win32 worm

Description

W32/Blaster-A is a worm that scans networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit. On finding a suitable victim, the worm causes the remote machine to acquire a copy of the worm using TFTP.

Additionally the worm creates the following registry entry so as to run on system start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update

After August 15 the worm will launch a distributed denial-of-service attack on windowsupdate.com.

Microsoft has issued a patch for the vulnerability exploited by this Trojan. The patch is available from http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.

http://www.sophos.com/virusinfo/analyses/w32blastera.html
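
The scanning and TFTP behaviour described in the advisories above, as an added detection example that is not part of the original post or the vendors' advisories: it flags hosts that contact many distinct destinations on TCP 135 in a short window and lists probed hosts that then open TFTP back to them. The flow-record format, the thresholds, UDP 69 as the TFTP port and the idea that the copy is fetched from the scanning host are assumptions; the sample records are constructed.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): "epoch src dst proto dport"
SAMPLE_FLOWS = """\
1060628400 10.0.0.5 10.0.0.10 tcp 135
1060628401 10.0.0.5 10.0.0.11 tcp 135
1060628402 10.0.0.5 10.0.0.12 tcp 135
1060628403 10.0.0.5 10.0.0.13 tcp 135
1060628404 10.0.0.12 10.0.0.5 udp 69
1060628405 10.0.0.5 10.0.0.14 tcp 135
1060628410 10.0.0.20 10.0.0.30 tcp 135
1060628411 10.0.0.20 10.0.0.30 tcp 135
1060628412 10.0.0.40 10.0.0.41 udp 69
"""
RPC = ("tcp", 135)   # port named in the advisory
TFTP = ("udp", 69)   # assumption: standard TFTP port; the advisory only says "TFTP"

def parse_flows(text):
    """Yield (ts, src, dst, proto, dport), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit() or not parts[4].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2], parts[3].lower(), int(parts[4])

def find_scanners(text, min_targets=5, window=60):
    """Return {src: {"targets": [...], "tftp_pullers": [...]}} for hosts that
    reached >= min_targets distinct hosts on TCP 135 within `window` seconds."""
    probes, tftp = defaultdict(list), []
    for ts, src, dst, proto, dport in parse_flows(text):
        if (proto, dport) == RPC:
            probes[src].append((ts, dst))
        elif (proto, dport) == TFTP:
            tftp.append((ts, src, dst))   # (time, client, server)
    report = {}
    for src, hits in probes.items():
        hits.sort()
        best = set()
        for start, _ in hits:             # largest distinct-target set in any window
            seen = {d for t, d in hits if 0 <= t - start <= window}
            best = max(best, seen, key=len)
        if len(best) < min_targets:
            continue
        # A probed host that later opens TFTP to the scanner has likely pulled a copy.
        pullers = sorted({c for t, c, s in tftp if s == src
                          and any(d == c and pt <= t for pt, d in hits)})
        report[src] = {"targets": sorted(best), "tftp_pullers": pullers}
    return report
```

Hosts listed under `tftp_pullers` are the ones to check first for the `windows auto update` Run value quoted in the Sophos description.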