Author Topic: DCOM Exploit attack  (Read 9842 times)

kgrimwood

  • Guest
DCOM Exploit attack
« on: May 09, 2005, 02:12:26 PM »
Hi,

I'm on a halls network and ever since I plugged it in there I get constant messages from the network shield, saying I'm getting a DCOM exploit attack. It also displays an IP address. I'm now getting messages every 2 minutes about viruses in the windows/temp folder and my computer is almost completely unusable, despite scanning for viruses regularly. (It usually finds about 10 new viruses every day!!!) I have asked the staff in my halls about them and they said it was nothing to do with them (they even told me to turn the virus scanner off so I don't get the messages anymore!!) What can I do? ??? Thanks!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: DCOM Exploit attack
« Reply #1 on: May 09, 2005, 03:11:06 PM »
> I'm getting a DCOM exploit attack.

Which firewall are you using?

Network Shield is a protection against known Internet worms/attacks. It analyses all network traffic and scans it for malicious content. It can also be taken as a lightweight firewall (or more precisely, an IDS (Intrusion Detection System)). Network Shield protects you from internet worms that spread themselves via various security holes in your system. Typically these kinds of viruses don't infect files but instead they attack running processes on your PC (either Windows components or some server programs like SQL Server, IIS etc.). These kinds of attacks are not easily caught by an ordinary antivirus during file or mail scanning. It does not duplicate the work of Standard Shield.

Messages like:
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
are due to the RPC/DCOM exploit, which is a vulnerability that allows an attacker to gain access to the destination machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.
The best things in life are free.
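
A way to triage a batch of these alerts, added here as an example and not part of the original thread or of avast: it parses lines in the alert format quoted in the reply above and counts blocked attempts per source, split into hosts on the machine's own subnet and hosts outside it. The subnet `10.20.0.0/16`, the function names and every sample line except the first are assumptions made up for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches the Network Shield alert text as quoted in the reply above.
ALERT_RE = re.compile(
    r'Network Shield: blocked "(?P<name>[^"]+)" - attack from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)/(?P<proto>tcp|udp)'
)

# Constructed sample input: the first line is the one quoted in the thread,
# the rest are invented (including one unrelated and one malformed line).
SAMPLE_ALERTS = """\
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 10.20.4.17:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 10.20.4.17:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 10.20.9.200:135/tcp
some unrelated line
Network Shield: blocked "DCOM Exploit" - attack from 999.1.1.1:135/tcp
"""

def parse_alerts(text):
    """Return (attack name, source address, port) for each well-formed alert."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # looks like an address but is not valid (e.g. 999.1.1.1)
        alerts.append((m.group("name"), ip, int(m.group("port"))))
    return alerts

def triage(text, local_net):
    """Count alerts per source, split by whether the source is on local_net."""
    net = ipaddress.ip_network(local_net)  # assumed subnet of this machine
    local, remote = Counter(), Counter()
    for _name, ip, _port in parse_alerts(text):
        (local if ip in net else remote)[str(ip)] += 1
    return {"local": dict(local), "remote": dict(remote)}

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS, "10.20.0.0/16"))
```

Repeated hits from a source inside the local subnet mean another host on the same LAN is probing port 135, which is something to report to whoever runs that network.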

mantra

  • Guest
Re: DCOM Exploit attack
« Reply #2 on: May 09, 2005, 03:16:46 PM »
kgrimwood

Are you sure?

kgrimwood

  • Guest
Re: DCOM Exploit attack
« Reply #3 on: May 09, 2005, 03:36:17 PM »
Am I sure about what?????????

I'm using XP firewall, and I also had Kerio up till a few days ago, until it expired, but it didn't seem to do anything anyway.

Is this likely to be a problem with my halls network, or my computer?

Offline Lisandro

Re: DCOM Exploit attack
« Reply #4 on: May 09, 2005, 03:39:42 PM »
kgrimwood, avast is warning you that you're under attack.
You can disable the warnings in the NetShield settings (left click the 'a' blue icon, go to it and choose Customize. Uncheck the warnings option).
Most probably, your Kerio firewall has the same logs or reports for these attacks...

kgrimwood

  • Guest
Re: DCOM Exploit attack
« Reply #5 on: May 09, 2005, 03:41:09 PM »
Ok, so what do I do about it? I know nothing about this, sorry!

Offline Lisandro

Re: DCOM Exploit attack
« Reply #6 on: May 09, 2005, 03:48:18 PM »
> Ok, so what do I do about it? I know nothing about this, sorry!
1. Use Windows Update and take all patches (SP2 for sure).
2. Download DCOMbobulator and disable DCOM service. Boot.
3. Update and enable your firewall. Get a free one if you won't renew your Kerio subscription.
4. You can disable the warnings in the NetShield settings (left click the 'a' blue icon, go to it and choose Customize. Uncheck the warnings option).

Umath

  • Guest
Re: DCOM Exploit attack
« Reply #7 on: May 09, 2005, 04:08:47 PM »
Was Kerio expired? Kerio’s trial period is 30 days but I think it only becomes a limited free edition with fewer options after the period. It seems that it was working so why not continue using it?

Offline Lisandro

Re: DCOM Exploit attack
« Reply #8 on: May 09, 2005, 05:55:46 PM »
> Was Kerio expired? Kerio’s trial period is 30 days but I think it only becomes a limited free edition with fewer options after the period. It seems that it was working so why not continue using it?
Yeah, you're right. I did not say to change Kerio... only if the user had the paid version and does not want to renew it.
I've said: Update and enable your firewall  :)

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: DCOM Exploit attack
« Reply #9 on: May 09, 2005, 07:04:56 PM »
DCOM exploit warnings can also be generated when a worm is ON the computer, not just from external attack.

Do an avast boot time scan, and also double check with:

TDS-3 (Download the definitions file and move to the program folder.)

http://tds.diamondcs.com.au/

and TrojanHunter

http://www.trojanhunter.com/