I'm just going off what I've been told and how we're tracking it. Basically think of a tree.
At the trunk is going to be the Genuity switch that was hacked.
That person got admin access to the switch and started a remote call install on everything DIRECTLY connected to that particular switch.
**********
Because of the way remote admin works in most switches and hubs, if a switch gets a remote call, it passes it along to everything that's directly connected to IT.
So now we've gone from the trunk to all the main limbs.
The cycle continues basically indefinitely, except that at some point, the worm started going "upwards" above the original switch at some point. (how it got to the rest of the internet)
Since the original infected switch is located in an undisclosed part of California (I know where, but ain't saying, it's a major city that's having an insane amount of problems though)
Most of that area of California had what we term an outage. (although this isn't like a blackout, or complete outage)
**********
Closing 135 might work, but really from what I read on that guy's site, I don't see how it's going to get you from being hacked more than once.
From my basic understanding of routers, switches and hubs, they can send the calls out all ports. I've seen them on others and although 135 is the default RPC port; Windows will answer the call on any port so long as it's addressed with the admin information.
(think not of the admin on the computer or router. think the network components are completely stupid, and someone waaaay down the line said, "Hey! My admin told everyone to jump off a bridge". Then everyone told everyone around them to jump off the bridge, while they're jumping off themselves.)
What makes this so ingenious is that it doesn't matter WHOSE admin access it is, because all Windows realizes is someone, somewhere said it had admin access and to do this.
It's not like Windows NT has ever been smart enough to verify who the admin is.