This is the Nimda virus. If you compare the system footprints of Sadmind, Code Red, and Nimda, then you will see that Sadmind and Nimda use this exploit. The only different I see is Nimda uses "%5c" sometimes. Cert Advisory on sadmind: http://www.cert.org/advisories/CA-2001-11.html Cert Advisory on Code Red http://www.cert.org/advisories/CA-2001-19.html Cert Advisory on Nimda http://www.cert.org/advisories/CA-2001-26.html Note that Nimda is Admin spelled backwards... :) Ezra Freelove Home: http://www.valdosta.edu/~esfreelo/ Blog: http://sneezypb.pitas.com/ -----Original Message----- [mailto:thelist-admin at lists.evolt.org]On Behalf Of Fortune Elkins Subject: [thelist] domain under attack?? /scripts/..%5c../winnt/system32/cmd.exe [Referrers] 993 _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com