Thanks, I have captured both CodeRed I and II variants using my packet analyser, and the commonality across all IPs that have sent both variations of the worm probe is the Win value of 17520...

It seemed strange to me that both variants are generating the same Win value despite carrying significantly different payloads...

Each probe is actually ~13 packets; 7 are inbound and only one is shown in the web logs... yet I received over 13,000 probes from different IP addresses (unless the client address is spoofed), which is possible.

Is 17520 a common value? Does the OS set this or the program?

Best regards
Michael Sutton
www.awacs.co.nz
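An added example, not part of the original message: one way to make the comparison described above is to read the advertised window from each captured TCP header and tally it per source address. It assumes raw IPv4 packets with the link-layer header already stripped; the function names are hypothetical and the packet bytes are constructed sample data.

```python
import struct
from collections import defaultdict

def build_syn(src, window, mss=1460):
    """Constructed sample: minimal IPv4+TCP SYN with an MSS option, checksums zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, window, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 128, 6, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 80]))
    return ip + tcp

def parse_tcp(pkt):
    """Return (src_ip, flags, window, mss) for a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 20:
        return None                      # truncated capture or bad header length
    src = ".".join(str(b) for b in pkt[12:16])
    offset, flags, window = struct.unpack_from("!BBH", pkt, ihl + 12)
    opts = pkt[ihl + 20: ihl + (offset >> 4) * 4]
    mss, i = None, 0
    while i < len(opts) and opts[i] != 0:          # 0 = end of option list
        if opts[i] == 1:                           # 1 = NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                                  # malformed option length
        if opts[i] == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
            mss = struct.unpack_from("!H", opts, i + 2)[0]
        i += opts[i + 1]
    return src, flags, window, mss

def windows_by_source(packets):
    """Map each advertised window in a SYN to the set of sources that sent it."""
    seen = defaultdict(set)
    for pkt in packets:
        parsed = parse_tcp(pkt)
        if parsed and parsed[1] & 0x02:            # SYN flag set
            seen[parsed[2]].add(parsed[0])
    return dict(seen)

# Constructed sample packets (documentation address ranges), one truncated.
SAMPLES = [build_syn("198.51.100.7", 17520), build_syn("203.0.113.9", 17520),
           build_syn("192.0.2.33", 5840), build_syn("198.51.100.8", 17520)[:30]]

if __name__ == "__main__":
    for win, sources in sorted(windows_by_source(SAMPLES).items()):
        print(win, sorted(sources))
```

The window is a 16-bit field of the TCP header itself, so it is read independently of whatever payload the segment carries.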