Heh, as Nat maybe saw the worm doesn't always request ?/c+dir, so until I can figure out a better way to identify it we'll have to go with cmd.exe|root.exe so my httpd.conf is now: <Location /default.ida> SetHandler perl-script PerlHandler Apache::MSIISProbes PerlSetVar worm_name CodeRed </Location> <LocationMatch (cmd.exe|root.exe)> SetHandler perl-script PerlHandler Apache::MSIISProbes PerlSetVar worm_name Nimda </LocationMatch> ~~~~~~~~~~~ Nick Tonkin
- [OT] Re: Nimda worm Nick Tonkin
- [OT] Re: Nimda worm Dan Rench