OT - Windows port 135 virus alert

Salutations:

port 135 Virus Alert XP W2K W23K and IIS (again)

This one could be a real hippo, brothers and sisters - time to update your virus definitions, and I'm afraid right now.. arrggg.. :/ ..

I have been watching a lot of persistent inbound probes from around the globe on port 135 since last week on my thin server and updated my patches from Microsoft over the weekend.. Look around for:

Q331953_W2K_X86_EN.exe and Windows2000-KB823980-x86-ENU.exe

I have updated definitions a few minutes ago and am running a full system scan and checking the registry as you read this, even though I think I got port 135 patched as I'm showing clean here..

This is a VERY serious threat item in that port 135 (and port 445) are almost impossible to close on Windows short of a firewall - and even then - it will likely still be possible to get hit if you use messenger or peer to peer sharing protocols or allow auto update to run through the firewall on stealth ports (given time)..

Thanks for the heads up and way good call brother Sean (hfx.general)..

Reply to
Dexter J

Yeah, heard about this yesterday. Checked my system over. Seemed cool. Got a mail from sysadmins this morning that we should all patch anyway.

Ran the patch. Then heard some real moaning and whinging going on from the sales office.

One of the sales guys was screaming about his PC being "F*&ked, and rebooting itself every time he goes on the network". Guess who didn't read his morning security mail.

Thing is, we should all be on a private IP range, and be behind our very own very solid ISP standard firewall with very fascist rules and logging (we are an ISP).

Reply to
MeatballTurbo

Who? (if you dare)

Reply to
Grunff

Salutations:

Yeah - everyone is seeing that from their mobile staff.. The worm attaches silently, then runs its range based on DHCP settings found on the infected machine (i.e.: 123.123.123.000 - through 999) - then activates later.. The sales staffer booting is actually not a threat NOW, as his/her machine is booting instead of silently torpedoing targets around the LAN..

You would be well advised to bring all your machines in - patch them and run a complete system scan on them all given you are an ISP.. Moreover - if you are running VPN - you will also need to get everyone who logs in to do the same on their home machines..

The problem is that it is an svchost-based worm and thusly it has free range around all network ports regardless of settings on any individual machine.. It morphs, and while port 135 is the main entry point - once it's in the works - it's not the only one, and it probes out on all.

I think we can safely expect several variations on this theme in the coming months as well, given that even if everyone patches the buffer overflow exploit at the heart of this problem - the problem of open dynamic RPC services on W32 systems will have now caught the attention of the brighter crackers out there..

I would suggest you are going to have to spend some time on the 'wetware' end at your shop.. and sadly - the patch load will very probably start its own much less fatal system error messages depending on how your farm is set up..

I've worked my thin server prototype here so I don't need a firewall - but I'm still looking for a native W2K OS control point that would allow me to close or redirect the ports without loading up the CPU with a software firewall and supporting transactions..

W32 allows you to control outbound ports directly - I'm not sure why they haven't provided the facility to control inbound natively in the network config.. Perhaps they have - and I can't find it outlined in such a way that it leaves the system stable..

I am concerned that the overhead dealing with a really solid worm breach on RPC port(s) could well trigger an effective DoS on the CPU/LAN if the worm really gets a foothold inside.. Which this one could well be able to do in short order given that a lot of places locked down at SP3 some time ago given the weirdness surrounding IE6 and SP4..

I don't know who put this one out - but hats off - they should have called it: "Dottie - a vicious life sucking b**ch from which there is no escape" - like from the movie Armageddon.. :/ ..

.. CNN is reporting no e-mail based versions - I think they are wrong - it should read: "no e-mail based versions - as yet".. I just got a 550 security alert from my mailserver here running Norton..

.. standing by for the obligatory linux vs W2K flaming.. :) ..

Reply to
Dexter J
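The range walk Dexter describes above (one infected host probing consecutive LAN addresses on port 135) shows up clearly in firewall deny logs. As an added example that is not part of the thread, here is a small Python script that parses constructed log lines in an assumed "date time DENY proto src:sport -> dst:dport" format and flags sources hitting RPC ports on several hosts, noting whether the targets were walked in address order:

```python
"""Flag hosts sweeping port 135/445 in firewall deny logs.

Added example, not from the thread: the log format and the sample
lines below are constructed for illustration.
"""
from collections import defaultdict
import ipaddress
import re

RPC_PORTS = {135, 445}  # RPC endpoint mapper and SMB, the ports named in the thread

# Constructed sample: 10.1.1.1 walks consecutive LAN addresses on 135 (a sweep);
# 192.0.2.7 is a single Internet probe; 10.1.1.50 is ordinary web traffic.
SAMPLE_LOG = """\
2003-08-12 09:00:01 DENY TCP 10.1.1.1:1053 -> 10.1.1.10:135
2003-08-12 09:00:01 DENY TCP 10.1.1.1:1054 -> 10.1.1.11:135
2003-08-12 09:00:01 DENY TCP 10.1.1.1:1055 -> 10.1.1.12:135
2003-08-12 09:00:02 DENY TCP 10.1.1.1:1056 -> 10.1.1.13:135
2003-08-12 09:00:05 DENY TCP 192.0.2.7:2222 -> 10.1.1.10:135
2003-08-12 09:00:07 DENY TCP 10.1.1.50:3010 -> 10.1.1.20:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DENY (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def rpc_targets_by_source(log_text):
    """Map each source IP to the set of hosts it touched on an RPC port."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) not in RPC_PORTS:
            continue
        targets[m["src"]].add(ipaddress.ip_address(m["dst"]))
    return targets


def is_sequential(hosts):
    """True when the addresses form one consecutive run (a range walk)."""
    addrs = sorted(int(h) for h in hosts)
    return len(addrs) > 1 and addrs[-1] - addrs[0] == len(addrs) - 1


def find_sweeps(log_text, min_hosts=3):
    """Sources hitting RPC ports on >= min_hosts distinct hosts, mapped to
    whether those hosts were walked consecutively."""
    return {src: is_sequential(hosts)
            for src, hosts in rpc_targets_by_source(log_text).items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for src, seq in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: sweeping RPC ports{' in address order' if seq else ''}")
```

On the sample, only 10.1.1.1 is reported, and it is reported as walking addresses in order; the single probe from 192.0.2.7 stays below the threshold.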

Dexter:

You seem well versed in this virus... does it enter only on port 135? In other words, if you have port 135 blocked, are you immune to it?

Bob

Reply to
'nuther Bob
