TFTP Blocking

It looks like several PCs are affected. Some of them belong to traveling personnel, so disinfection is difficult.

Infection is accomplished via a Microsoft RPC overflow on port 137, so we can do little to prevent it (other than enabling automatic patch downloads on desktops, which is not an NTI/R domain anyway). The start of the payload is

 length = 50

000 : 80 B0 00 00 00 01 00 00 00 00 00 00 20 43 4B 41   ............ CKA
010 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
020 : 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21   AAAAAAAAAAAAA..!
030 : 00 01
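The 50 bytes above can be decoded on a defender's side to see what the worm sends first. Taken as a UDP/137 payload, they parse as a NetBIOS Name Service query: a 12-byte header (transaction ID 0x80B0, one question), a 32-character name in the RFC 1002 "first-level" encoding (each pair of letters A..P carries one byte, so "CK" followed by thirty "A"s is "*" padded with NULs), and a question type of 0x0021, the node status request. The parser below is an added example and not part of the memo; the only input is the hex dump re-entered from the page, and the detection helper `is_wildcard_node_status` is my own name for a rule that matches this wildcard node-status probe in captured traffic.

```python
import struct

# Constructed from the 50-byte payload in the memo's hex dump: a 12-byte
# NetBIOS Name Service header followed by one question section.
HEADER = bytes.fromhex("80b0 0000 0001 0000 0000 0000")
QUESTION = bytes([0x20]) + b"CK" + b"A" * 30 + b"\x00" + bytes.fromhex("0021 0001")
PAYLOAD = HEADER + QUESTION

QTYPE_NBSTAT = 0x0021   # node status request (RFC 1002)


def decode_nb_name(encoded: bytes) -> bytes:
    """Reverse the RFC 1002 first-level encoding: each pair of letters
    'A'..'P' carries one byte, high nibble first, giving 16 raw bytes."""
    if len(encoded) != 32:
        raise ValueError("a first-level encoded NetBIOS name is 32 characters")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("byte outside 'A'..'P' in encoded name")
        raw.append((hi << 4) | lo)
    return bytes(raw)


def parse_nbns_query(pkt: bytes) -> dict:
    """Parse a NetBIOS Name Service query carrying one question section."""
    if len(pkt) < 12:
        raise ValueError("shorter than the NBNS header")
    tid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", pkt[:12])
    pos = 12
    label_len = pkt[pos]
    pos += 1
    label = pkt[pos:pos + label_len]
    pos += label_len
    if pos >= len(pkt) or pkt[pos] != 0:
        raise ValueError("name label not followed by a zero terminator")
    pos += 1
    if len(pkt) < pos + 4:
        raise ValueError("question section truncated")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    raw = decode_nb_name(label)
    return {
        "tid": tid,
        "flags": flags,
        "qdcount": qdcount,
        # raw bytes 0..14 are the name (NUL padded here, space padded for
        # ordinary names); byte 15 is the NetBIOS suffix
        "name": raw[:15].rstrip(b"\x00 ").decode("ascii", "replace"),
        "suffix": raw[15],
        "qtype": qtype,
        "qclass": qclass,
        "trailing_bytes": len(pkt) - (pos + 4),
    }


def is_wildcard_node_status(pkt: bytes) -> bool:
    """Detection helper: a node status request for the wildcard name '*'
    asks the target to list every NetBIOS name it holds, which is the
    probe a scanner or worm sends first. Malformed input is 'no match'."""
    try:
        q = parse_nbns_query(pkt)
    except ValueError:
        return False
    return q["qdcount"] == 1 and q["qtype"] == QTYPE_NBSTAT and q["name"] == "*"


if __name__ == "__main__":
    q = parse_nbns_query(PAYLOAD)
    print(f"tid=0x{q['tid']:04x} name={q['name']!r} suffix=0x{q['suffix']:02x} "
          f"qtype=0x{q['qtype']:04x} wildcard_nbstat={is_wildcard_node_status(PAYLOAD)}")
```

Run as-is it reports the decoded name "*" and question type 0x0021 for the memo's bytes. The check is deliberately strict about the zero terminator and the question length, so truncated or malformed datagrams do not match; on a sensor the same predicate can be applied to every UDP/137 datagram to count hosts sending wildcard node-status probes, which is a cheap way to spot a worm sweeping a DHCP segment before the overflow stage.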
 

On the NTI/R side I would recommend blocking TFTP on site routers from DHCP segments only (TFTP traffic "to" DHCP segments is allowed so that we can scan them), doing it one site at a time and proceeding slowly so that the whole change takes enough time for us to understand the consequences. VPNs are a very important source of infection here, and VPN3 is probably candidate No. 1 for such a measure. The season for this worm might not be over yet.

Personally I do not foresee any negative effects of this blocking, but a network is too complex a thing for a human to understand, so I might be wrong. Also, some people violate the "rules of the game", like 10.194.156.39 in Rockaway, and unless we provide an exemption they will be left out in the cold.

Anyway, in my opinion such a measure will definitely help to prevent infection of servers from desktops, and thus the negative effect on unpatched Windows servers (automatic updates are rarely enabled on servers, and that's probably for a reason) of this and future infections that use TFTP as a transport mechanism.

As this is the dominant mechanism for the current generation of worms, that can probably save us from the necessity to disinfect servers from such worms, if not today then in the future.
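The directional rule recommended above (drop TFTP coming from DHCP segments, keep allowing TFTP to them, with per-host exemptions) is easy to reason about once the TFTP handshake is spelled out: only the initial read or write request goes to UDP port 69; after that both sides switch to ephemeral transfer identifiers (RFC 1350). So a stateless filter that drops "source in DHCP segment, destination port 69/udp" stops a desktop's download before it starts, while a scan from outside into the segment still works, because the scanned host's reply leaves on an ephemeral port. The model below is an added example, not the memo's or any router vendor's configuration; the memo names no router platform, so the ACL is expressed as a small Python predicate instead of vendor syntax, and the segment 10.0.50.0/24, the hosts and the TIDs are constructed values.

```python
from dataclasses import dataclass
import ipaddress

# Constructed addressing for the example: one DHCP segment, a server
# segment at 10.0.10.0/24 and an outside host at 192.0.2.10.
DHCP_SEGMENTS = [ipaddress.ip_network("10.0.50.0/24")]
TFTP_PORT = 69


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


def in_dhcp_segment(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DHCP_SEGMENTS)


def acl_permits(pkt: Packet, exemptions: frozenset = frozenset()) -> bool:
    """Stateless rule as the memo describes it: drop TFTP *from* DHCP
    segments (source in a DHCP segment, destination port 69/udp).
    Everything else passes, including TFTP *to* DHCP segments, and
    exempted source addresses bypass the rule."""
    if (pkt.proto == "udp" and pkt.dport == TFTP_PORT
            and in_dhcp_segment(pkt.src) and pkt.src not in exemptions):
        return False
    return True


def tftp_exchange(client: str, server: str,
                  client_tid: int = 40001, server_tid: int = 50001) -> list:
    """Packets of a minimal TFTP read (RFC 1350): the request is the only
    packet addressed to port 69; DATA and ACK use the ephemeral TIDs."""
    return [
        Packet(client, client_tid, server, TFTP_PORT),   # RRQ
        Packet(server, server_tid, client, client_tid),  # DATA block 1
        Packet(client, client_tid, server, server_tid),  # ACK block 1
    ]


def transfer_completes(client: str, server: str,
                       exemptions: frozenset = frozenset()) -> bool:
    """The transfer succeeds only if every packet of the exchange crosses
    the site router; a dropped RRQ means nothing else is ever sent."""
    return all(acl_permits(p, exemptions) for p in tftp_exchange(client, server))


if __name__ == "__main__":
    cases = {
        "desktop pulls file from outside":   ("10.0.50.20", "192.0.2.10", frozenset()),
        "desktop pulls file from server":    ("10.0.50.20", "10.0.10.5", frozenset()),
        "scanner reads from desktop":        ("192.0.2.10", "10.0.50.20", frozenset()),
        "exempted desktop pulls from server": ("10.0.50.39", "10.0.10.5", frozenset({"10.0.50.39"})),
    }
    for label, (client, server, ex) in cases.items():
        print(f"{label:36s} -> {'completes' if transfer_completes(client, server, ex) else 'blocked'}")
```

Two caveats the model makes visible. First, the filter sits on the site router, so a desktop talking TFTP to another desktop on the same segment never crosses it; the rule protects servers and other segments, which is exactly the goal stated above, not desktop-to-desktop spread. Second, the exemption is a per-source hole in the rule: a host on the exemption list can again reach any TFTP server, so each exemption is worth recording with a reason and an owner rather than added quietly.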