Gotta love Windows.
Here's Symantec's writeup on the second (msmsgri32.exe) worm, for anyone else reading. They call it W32.Randex.D, with an associated Backdoor.Roxy or Backdoor.Trojan. (W32/Slanper.worm [McAfee], W32/Slanper-A [Sophos], Worm.Win32.Randex.d [KAV])...
...Since it spreads by testing victim machines' accounts for weak passwords, one could imagine it might be heavy on outgoing traffic. Via Sophos's writeup and a little bit of knowledge, the NetUserEnum() function mentioned is part of the old LAN Manager function set, running over SMB on port 445 (TCP? UDP?). I have no idea which services would need disabling to block it without firewalling, but maybe someone else does.
Symantec's removal instructions for Randex seem to take out the backdoor at the same time, but there is a separate page for the Roxy aspect itself.
---
Back on the original thread, names for the RPC worm du jour seem to be settling out to "Blaster," "MSBlast," or "Lovsan," if you need words to Google for.
The original SANS article has been updated with some links, cleaning utilities, etc. In fact, may as well put the Symantec Blaster removal tool in a nice bold link for anyone still suffering.