August 11th, 2003, 10:00 AM
#17
Banned
Well tedob, you did ask if there was a tweaked version of this exploit.
There is a universal exploit that uses ExitThread instead of ExitCrash, so it will not crash anything, just give you a remote shell.
There is also no need to know what version the remote system is running (SP1, 2, etc.).
I am not putting links here because I don't want to give it away to the so-called skids (even though they will find it themselves).
It is a big security risk and I tried it on a couple of machines I was authorized to.
What frightens me more is that there are already reports of a so-called auto rooter in the wild, and even though it will not spread at the speed of Slammer I think we will be in for it later this week, considering how many people are not able to patch their systems.
It is a UNIVERSAL exploit so it will affect ALL vulnerable MS systems, unlike CODE RED for example.
There are also some rumours that besides the already known ports the ports 1025-1030 are also vulnerable. I have not been able to verify this as of now. And someone mentioned that the patch does not 'patch' the vulnerability on some systems completely. The patched machine will still remain vulnerable to DoS.
The universal exploit I am talking about includes something like 48 targets (different languages) and makes them into two universal targets (Win2k/WinXP).
And for the answer you (tedob) provided in the 'how do I know if I am being hacked' thread regarding the shutdown dialog box:
it does sound like someone tried the rpc exploit. the successful ones don't pop-up a msg they just open a reverse shell. put in a firewall so the rpc ports aren't exposed and keep current up on your patches
The shutdown box appeared on the original exploit. It means they got in, did what they did and closed the shell they made (invoking the ExitCrash), afaik.
I also ran it on an XP machine (Pro) that was up to date except for
the latest patch for RPC and it worked perfect. Telnet to port 4444
and had a shell, then as soon as I typed "exit" the host shutdown and
rebooted.
Stu
http://lists.jammed.com/incidents/2003/07/0284.html
Just to let you know.
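
Added example, not part of the original post: a detection sketch that correlates firewall connection logs for the pattern described in the thread, an allowed connection to an RPC port followed shortly by a connection from the same source to TCP 4444 on the same host. The log format, the 60-second window and the sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample lines; the format (time src dst dst_port action) is an assumption.
SAMPLE_LOG = """\
2003-08-11T09:58:01 198.51.100.7 192.0.2.10 135 ALLOW
2003-08-11T09:58:03 198.51.100.7 192.0.2.10 4444 ALLOW
2003-08-11T09:59:10 198.51.100.9 192.0.2.11 135 DENY
2003-08-11T09:59:12 198.51.100.9 192.0.2.11 4444 DENY
2003-08-11T10:01:00 203.0.113.5 192.0.2.12 4444 ALLOW
2003-08-11T10:02:00 203.0.113.8 192.0.2.13 1026 ALLOW
2003-08-11T10:30:00 203.0.113.8 192.0.2.13 4444 ALLOW
"""

# TCP 135 is the RPC endpoint mapper; 1025-1030 is the range the post
# reports as an unverified rumour, included here so it is at least watched.
RPC_PORTS = {135} | set(range(1025, 1031))
SHELL_PORT = 4444               # port the quoted report telnetted to
WINDOW = timedelta(seconds=60)  # assumed correlation window

def parse_events(log_text):
    """Return allowed connections as sorted (time, src, dst, port) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        if action == "ALLOW":
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(events)

def find_rpc_then_shell(log_text, window=WINDOW):
    """Flag (src, dst, time) where an RPC hit is followed by a 4444 hit."""
    last_rpc = {}  # (src, dst) -> time of most recent allowed RPC connection
    hits = []
    for ts, src, dst, port in parse_events(log_text):
        if port in RPC_PORTS:
            last_rpc[(src, dst)] = ts
        elif port == SHELL_PORT:
            seen = last_rpc.get((src, dst))
            if seen is not None and ts - seen <= window:
                hits.append((src, dst, ts.isoformat()))
    return hits

def exposed_rpc_hosts(log_text):
    """Hosts whose RPC ports the firewall let through (should be none)."""
    return sorted({d for _, _, d, p in parse_events(log_text) if p in RPC_PORTS})

if __name__ == "__main__":
    print(find_rpc_then_shell(SAMPLE_LOG), exposed_rpc_hosts(SAMPLE_LOG))
```

Any host returned by `exposed_rpc_hosts` is one where the firewall advice quoted in the thread has not been applied, whether or not a follow-up connection was seen.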