This thing is hitting hard! I got bored and thought I'd through some stats/info together... So far, since 9:16am on 7/19, I've seen 485 CRv1 attacks from 257 unique IPs on my cable modem. Since 6:49am today, I've been hit 472 times from 133 unique IPs with this new "CRv2" worm. - All infected systems seem to try each scanned IP twice whereas the original only tried once, which probably will help its infection rate. Seems odd though as both tries use the same source port. Could just be my snort rules... - It has the word "CodeRedII" hard coded in the packet, so its obviously a copycat or at least a fairly recent revision. - *Appears* to be hardcoded to use the d:\inetpub\scripts and d:\progra~1 \common~1\system\MSADC directories. Assuming you are not using this path, are you still vulnerable? - Either copies cmd.exe or creates a new file named root.exe in those directories. - I'm seeing almost only cable modem systems now. Appears businesses may have finally gotten their acts together. chris