Are other people having problems with this right now? There doesn't seem to be very much traffic or information about this on any of the security lists (it is Sunday...). The last posted URL points to an impending storm...
Other operators' opinions about blocking port 445 before this thing starts spreading faster than it already is?
IMHO, this is similar in impact to Opaserv. As an ISP, I would probably block 445 just to avoid having lots of people call Monday morning complaining about slow connections after they got infected. This worm is unlikely to cause major 'global' network slowdowns, so filtering further upstream probably does not make much sense.

The main 'facts' so far:

- this virus does attempt to exploit weak passwords, not just open / no password shares
- there are some reports that this worm has a VNC or IRC backdoor component, which opens the infected machines to future exploits.
- port 445 has gotten a lot of attention from the malware community recently. So there are likely further exploits in the works.
--
--------------------------------------------------------------------
jullrich@euclidian.com
Collaborative Intrusion Detection
join http://www.dshield.org