I've been watching the behaviour of this beast (worm) across numerous boxes in various locations. It seems the worm attempts to scan withing the network - i.e. class C - then it tries class B, and last of all class A. So the attack methodology is if the worm is on and ip number like A.B.C.D, then it will scan all of A.B.C/24 before it moves on up the ip tree. When it exaust all possibilities it then shifts either up or down the IP tree. So once it does all of a class A eg. A.X.X.X it then moves on to A+1.X.X.X and proceeds scannig all of the neighbouring class A. It also does not seem to be too bright. It's attack pattern is very odd. It will ask about 16 - 18 questions via port 80. But in some cases it asks those same questions over and over again to the same host - i've recorded one server asking the same 16 questions 13 times for a total of 208 queries on port 80. I'd be interested to know if others are also noticing these patterns. regards joe -- Joe Baptista http://www.dot-god.com/ The dot.GOD Registry, Limited The Executive Plaza, Suite 908 150 West 51st Street Tel: 1 (208) 330-4173 Manhattan Island NYC 10019 USA Fax: 1 (208) 293-9773 --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog