According to a recent post on bugtraq the worm is going to switch from infecting webservers to DDOS'ing whitehouse.gov in about 1/2 an hour or so. Now i'm not certain if the worm has a hardcoded ip to attack or will do a DNS lookup for whitehouse.gov, but if it is going to do a dns lookup then they've still got a chance to change the A records in their dns records to something else, like 127.0.0.1. Unfortunatly this will make it hard for people to track down and fix infected boxes, so if they could use an ip in a non-routable block, that's unlickley to be used for anything else, e.g. 192.0.2.1, which in on the 'TEST-NET', or possible on 192.0.0.1, which is on the range HP use for printer auto configuration (they only use 192.0.0.192). The TTL on the A RR for whitehouse.gov is 24 hours unfortunatly. :-( -- Internet Vision Internet Consultancy Tel: 020 7589 4500 60 Albert Court & Web development Fax: 020 7589 4522 Prince Consort Road vision@ivision.co.uk London SW7 2BE http://www.ivision.co.uk/