OK. This thing must be spreading like mad! We're taking several attempts per second. It might be a good idea to implement filtering on the borders for TCP SYN from 0/0 to 0/0 port 7597. That way, at least it can't be used once it's installed. I realize it is unrealistic to block 0/0 to 0/0 port 139 on the borders without breaking tons of winblows customers. It sure would be nice though. Especially considering the scope of things and how fast it's spreading. I believe we've seen this thing on a "test run" in the past few weeks. It took out a fairly good sized regional provider four days in a row. I'm talking DOWN HARD border to border. All indications are that the controlling party turned the infected machines into kamakazis and had them ping smurf amps. Since the resulting flood of ICMP echo-reply traffic was targeted at machines all over this providers network on customer pipes ranging from 64K to 155M, it was nearly impossible to diagnose. One minute, everything was fine. Next minute, nothing. It was just dead. Anyone else have any thoughts on damage control here? --- John Fraizer EnterZone, Inc