DCOM Exploit and LSASS blocks

Hello,

In the Avast Home version- is there a way to schedule a boot time scan - or is that only the Pro version?

Right now I am running XP Pro and Avast is always popping up that a DCOM exploit was blocked from an IP; the first two octets are the same, with the last two always varying, from port 135.

eg. 34.130.65.12:135, then 34.130.121.44:135, 34.130.1.99:135 like that.

Then I get LSASS blocks. I have run the scanner over and over. It says they are blocked - but my firewall makes no mention of them (Kerio).

Suggestions?

Thanks,

Tmuld.

It’s available in both the Home and Pro versions for NT systems (2k and XP).

Messages like: Network Shield: blocked “DCOM Exploit” - attack from 81.178.115.162:135/tcp
are due to the RPC/DCOM exploit, which is a vulnerability that allows an attacker to gain access to the destination machine by sending a malformed packet to the DCOM service. It uses the RPC TCP port 135.

It’s because our avast driver, which filters network packets, is loaded before the Kerio drivers, and when such a suspicious packet is detected, we drop the packet and it won’t be sent to the system (or to the Kerio driver).

Hi tmuldoon,

If you want to get rid of DCOM Exploit, this may be a useful page: DCOMbobulator.

Hi,
I have avast 4.5 Home Edition. I too have a similar problem to tmuldoon. I get a scanner message of “DCOM EXPLOIT 192.168.6.2:135/TCP”. I tried the DCOMbobulator web site, but after disabling DCOM I still get the same scanner messages. Is there any permanent solution to this problem? Since the avast scanner is able to detect the suspicious packets, is there no risk of somebody hacking the computer?
Please help me out.
amna

Hi

A few things to protect you from exploit attacks…

Use a firewall, either the Windows firewall or a 3rd party firewall.

Update your OS.

These packets are not blocked by some firewalls: I had Norton 2002 on my system, and it did not block them. Now I have Kerio and it does. (Edit: I may be mistaken about Kerio blocking them: see below.) But there is another possibility you should rule out:

THIS MESSAGE CAN ALSO BE GENERATED BY A WORM ALREADY ON YOUR COMPUTER. If the worm is known to Avast!, a normal scan should discover it in memory. A boot time scan will be essential to remove it.

Edit: This is likely if you have been connected to the internet at some time without a firewall, anti-virus and the latest Windows updates and patches.

If Avast! fails to find a worm and this message continues after the scan, try the specialist Trojan/worm removal tool here:

http://tds.diamondcs.com.au/

Download definitions separately and copy to the TDS3 file.

If both programs fail to find a worm, your internet connection is behaving normally (i.e. no problems and no suspicious traffic showing on Kerio), and no suspicious processes are running (use Process Explorer), it’s probably an external attack.

Edit: I’ve just read pk’s response more carefully. I thought Kerio was perhaps blocking this exploit on my computer using its intrusion detection feature, but if the Avast! driver is loaded before the Kerio driver, why doesn’t Avast! report these exploits anymore? (Show warning messages is on.)

The latest version of avast is 4.6.652, so I suggest that you do a manual program update.

DCOMbobulator doesn’t remove the exploit (it just disables the DCOM service); only keeping your OS up to date will do that.

i get a scanner message of "DCOM EXPLOIT 192.168.6.2:135/TCP"
This is from a local network port so it would appear that something on your network is trying to get out, check your firewall logs to identify what is using TCP port 135.
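To act on the advice in this last reply (separate LAN-internal sources such as 192.168.6.2, which point to an infected machine on your own network, from external ones, and spot the repeating first two octets the original poster noticed), here is an added Python example that is not part of this thread or of avast. The sample log lines are constructed in the Network Shield format quoted above, and the "LSASS Exploit" label is an assumption rather than a real avast message name.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format quoted in this thread; the
# addresses are those mentioned in the posts, "LSASS Exploit" is assumed.
SAMPLE_LOG = """\
Network Shield: blocked "DCOM Exploit" - attack from 81.178.115.162:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 34.130.65.12:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 34.130.121.44:135/tcp
Network Shield: blocked "DCOM Exploit" - attack from 192.168.6.2:135/tcp
Network Shield: blocked "LSASS Exploit" - attack from 34.130.1.99:445/tcp
"""

# Accepts straight or curly quotes around the attack name.
LINE_RE = re.compile(
    r'blocked\s+[“"](?P<name>[^”"]+)[”"]\s*-\s*attack from\s+'
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)/(?P<proto>[A-Za-z]+)'
)


def parse_line(line):
    # Returns one parsed event, or None for lines that are not block messages.
    m = LINE_RE.search(line)
    if not m:
        return None
    ip = ipaddress.ip_address(m.group("ip"))
    return {
        "name": m.group("name"),
        "ip": str(ip),
        "port": int(m.group("port")),
        "proto": m.group("proto").lower(),
        # RFC 1918 / loopback / link-local source = traffic from inside the LAN
        "internal": ip.is_private or ip.is_loopback or ip.is_link_local,
    }


def summarize(log_text):
    # Splits sources into internal vs external and counts external /16 prefixes.
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    prefixes = Counter(".".join(e["ip"].split(".")[:2])
                       for e in events if not e["internal"])
    return {
        "total": len(events),
        "internal_sources": sorted({e["ip"] for e in events if e["internal"]}),
        "external_prefixes": dict(prefixes),
        "by_attack": dict(Counter(e["name"] for e in events)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any address listed under internal_sources is the machine to scan (boot time scan, then check what is using TCP port 135 on it); a single external prefix with many varying hosts is the pattern of scanning from outside that the firewall and OS patches already cover.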