DCOM Exploit attack - What's this???

Viruses and worms
1

I have avast! 4.7 Home Edition, and today I have configured the options. After a while it showed a message about a so called “DCOM Exploit attack”… What does this mean?
Here’s the log I have since then:

27.07.2006 23:32:47 DCOM Exploit attack
from 81.84.226.17:135
27.07.2006 23:33:22 DCOM Exploit attack
from 81.84.170.94:135
27.07.2006 23:44:52 DCOM Exploit attack
from 81.68.202.14:135
28.07.2006 00:02:55 DCOM Exploit attack
from 81.84.226.17:135
28.07.2006 00:12:22 DCOM Exploit attack
from 81.84.55.112:135

2

An indication that you either don’t have a firewall, it is disabled or it isn’t protecting you from these attacks, do you have a firewall if so what ?
Usually your firewall would block these attempts to gain access to your system.

The Network Shield monitors common attack points:

Network Shield provider protects your computer from Internet worm attacks. It works similarly to a firewall, even though it does not fully substitutes it. The Network Shield does not require any user interaction.

Even though you might not be vulnerable to this kind of exploit (long ago patched by MS), it doesn’t stop people (or their infected systems) from trying to infect others.

You have nothing to worry about (other than the firewall issue I mentioned) as the Network Shield has blocked the attack and nothing has got on to your system.

3

Besides what David said, about you don’t have a firewall, maybe your Windows is not updated too… :-\

Network Shield is a protection against known Internet worms/attacks. It analyses all network traffic and scans it for malicious contents. It can be also taken as a lightweight firewall (or more precisely, an IDS (Intrusion Detection System). Messages like:
Network Shield: blocked “DCOM Exploit” - attack from 81.178.115.162:135/tcp
are due to the RPC/DCOM exploit, which is a vulnerability that allows an attacker to gain access to the destination machine by sending a malformed packet to the DCOM service.

4

if you haven’t already you might want to run DCOMbobulator from here: http://www.grc.com/freeware/dcom.htm .

Just to be on the safe side.

5

First, check online with a “whois” site if this is IP comes from your internet provider (it usually does).
Then use this “Windows Worms Doors Cleaner” http://www.firewallleaktester.com/wwdc.htm

6

Whilst the IP address would appear to belong to Pipex, since it is an ISP the likelihood is that it is one of their customers systems that is infected trying to infect others. It would be unlikely that and ISP would be trying to connect to your system in this way.