Hey Steve -

Steve Cook wrote:
> Hi Dan!
>
> If one has that file, does it mean that the server *has* been infected by a
> worm, or is it that the file is a security loophole?

root.exe is a by-product of the code red series, so its presence suggests that your server *was* infected at one time.

http://www.symantec.com/avcenter/venc/data/codered.v3.html 2/3 of the way down
http://vil.mcafee.com/dispVirus.asp?virus_k=99177& half way down

> I ask because root.exe is on our Win 2000 server, but as that is sitting
> behind what I consider to be a *very* secure firewall I find it hard to
> believe that anyone has compromised our box.

even the most secure firewalls in front of web servers have to allow port 80 through, and that's how it spreads :(

everyone can expect more and more of this if 'web services' - that all flow over port 80, which is typically open on the firewall - really take off sadly.

anyways, shout if you have more questions :)

.djc.
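A way to check the web server's own logs for port 80 requests that name root.exe, as an added example that is not part of the original message. It assumes W3C extended format logs with a `#Fields:` header; the function name `scan`, the sample log, its directory name and its addresses are constructed for illustration.

```python
from collections import defaultdict

TARGET = "root.exe"  # file name discussed in the message above

# Constructed sample log (documentation-range addresses, made-up directory).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-20 10:01:02 192.0.2.10 GET /index.html 200
2001-09-20 10:01:05 198.51.100.7 GET /example-dir/root.exe 404
2001-09-20 10:02:11 203.0.113.5 GET /example-dir/root.exe 200
2001-09-20 10:02:40 203.0.113.5 GET /EXAMPLE-DIR/Root.exe 200
2001-09-20 10:03:00 192.0.2.10 GET /docs/root.exe.txt 200
"""

def scan(lines, target=TARGET):
    """Return {client_ip: {"served": n, "probed": n}} for requests naming target.

    "served" counts 2xx answers (the file existed and the server ran or returned it);
    "probed" counts every other status (someone asked, the server refused or lacked it).
    """
    fields = []
    hits = defaultdict(lambda: {"served": 0, "probed": 0})
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # truncated or malformed record
        rec = dict(zip(fields, parts))
        # Windows paths are case-insensitive, so compare the lowercased last segment.
        name = rec.get("cs-uri-stem", "").lower().rsplit("/", 1)[-1]
        if name != target:
            continue
        kind = "served" if rec.get("sc-status", "").startswith("2") else "probed"
        hits[rec.get("c-ip", "?")][kind] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, counts in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(ip, counts)
```

Any "served" count means the file was reachable from outside through the firewall's open port 80, which is worth treating as evidence of compromise rather than background scanning.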