Tom, may I cite NAI on this:

====================

This worm spreads by exploiting a recent vulnerability in Microsoft Windows. The worm scans the local class C subnet, or other random subnets, on port 135. Discovered systems are targeted. Exploit code is sent to those systems, instructing them to download and execute the file MSBLAST.EXE from a remote system via TFTP. The worm contains a payload to initiate a Denial of Service attack against windowsupdate.com after August 16. The worm only checks the local system date upon execution. If an infected system is left on and the date rolls over to Aug 16, the payload will not kick off until the system is restarted. This payload involves sending 20 bytes SYN packets to windowsupdate.com on TCP port 80 for the purpose of preventing users from patching their systems via Windows Update. The source IP address is spoofed on each packet, using a random local CLASS B IP.

[...]

However, unless the system has been (MS03-026) patched, it is susceptible to the buffer overflow attack from an infected host machine. An infected machine (running msblast.exe) will send out malformed packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, it will create a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine. This means that the remote shell will still get created on TCP port 4444, and the system may unexpectedly crash upon receiving malformed exploit code.

====================

I agree that imho the only way for the worm to get into a secured network would be by physically moving an infected machine into it. Of course there's always a chance that some machine has its own internet access for whatever reasons (maybe online banking) and gets infected that way.

When the exploit was being discussed the first time, I said I was pretty sure that my setups would be safe, and you know what - they still are thanks to ISA and a proper configuration. By now I have the machines patched, so everything's at ease :)

Mark
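
The network behaviour in the quoted advisory (a TCP 135 sweep, a shell on TCP 4444, then a TFTP fetch back from the infecting host) can be looked for in internal flow logs. The following is an added example, not part of the original message or the NAI advisory; the record format, the sample addresses, the threshold and the use of UDP port 69 for TFTP are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not from the original post):
# "epoch_seconds src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
100 10.0.5.23 10.0.5.1 tcp 135
101 10.0.5.23 10.0.5.2 tcp 135
102 10.0.5.23 10.0.5.3 tcp 135
103 10.0.5.23 10.0.5.4 tcp 135
104 10.0.5.23 10.0.5.4 tcp 4444
105 10.0.5.4 10.0.5.23 udp 69
106 10.0.5.9 10.0.5.1 tcp 135
107 10.0.5.9 10.0.5.1 tcp 445
"""

SCAN_THRESHOLD = 4  # assumed: distinct TCP/135 targets before a source is flagged

def parse(text):
    """Yield (ts, src, dst, proto, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, port = parts
        yield int(ts), src, dst, proto.lower(), int(port)

def analyse(text, threshold=SCAN_THRESHOLD):
    targets = defaultdict(set)   # source -> hosts it contacted on TCP/135
    stage = {}                   # (source, victim) -> furthest stage seen, in order
    for _ts, src, dst, proto, port in sorted(parse(text)):
        if (proto, port) == ("tcp", 135):
            targets[src].add(dst)
            stage.setdefault((src, dst), 1)
        elif (proto, port) == ("tcp", 4444) and stage.get((src, dst)) == 1:
            stage[(src, dst)] = 2   # same source reached the shell port
        elif (proto, port) == ("udp", 69) and stage.get((dst, src)) == 2:
            stage[(dst, src)] = 3   # victim fetched a file from the source
    scanners = sorted(s for s, t in targets.items() if len(t) >= threshold)
    infected = sorted(v for (_s, v), n in stage.items() if n == 3)
    return scanners, infected

if __name__ == "__main__":
    scanners, infected = analyse(SAMPLE_FLOWS)
    print("port-135 scanners:", scanners)
    print("likely newly infected:", infected)
```

The stage tracking only advances when the three events occur in order between the same pair of hosts, so a single legitimate RPC connection such as the one from 10.0.5.9 is not flagged.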