Re:

[Gary Flynn <flynngn () jmu edu>]

H C wrote:
> I did some testing...and after reading this thread and
> seeing the DirectAdvertisers.com site, I decided to
> right up some code and see what happened (the code is
> below).  I tested this on a network...and it worked
> just fine.

I think some of the stuff is coming in on the MS-RPC
port - 135. We have all netbios over tcp ports blocked
and we still see the spam.

Here is a good write-up that also contains a link to
good info about RPC and windows services:

http://www.mynetwatchman.com/kb/security/articles/popupspam/
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com