Beware: There is a new, but much more invasive, Code Red-type attack in progress NOW. Check your web servers. Details sketchy, but characteristics below.

Adrian Cooper.

This worm does the following:

1) Port scans IP addresses looking for open port 80 (web servers). Upon finding a web server, it makes 16 different attempts to gain control, basically using every major exploit in the book. If it gains control, it infects that web server.

2) Upon infecting a web server, it creates an open C drive share, and then attempts to spread via network shares.

3) It creates the above named file, and modifies the infected web server's pages (html & asp) to download the virus to folks viewing that web page. So, anyone accessing an infected server will be presented with a popup to download or open the file. There is a rumor that the e m l version will not present the popup; it will automatically download and open in IE5.

4) Infected users' computers will join in on the DDoS portscan/attack.

5) Infected users' computers will also spread via the normal Outlook e-mail address book methods.

Symantec has rated the threat level as a 4, SEVERE.
