This new CodeRedII is moving way faster than the previous

This thing is hitting hard! I got bored and thought I'd through some
stats/info together...

So far, since 9:16am on 7/19, I've seen 485 CRv1 attacks from 257 unique
IPs on my cable modem.
Since 6:49am today, I've been hit 472 times from 133 unique IPs with this
new "CRv2" worm.

- All infected systems seem to try each scanned IP twice whereas the
original only tried once, which probably will help its infection rate.
Seems odd though as both tries use the same source port. Could just be
my snort rules...

- It has the word "CodeRedII" hard coded in the packet, so its obviously
a copycat or at least a fairly recent revision.

- *Appears* to be hardcoded to use the d:\inetpub\scripts and d:\progra~1
\common~1\system\MSADC directories. Assuming you are not using this
path, are you still vulnerable?

- Either copies cmd.exe or creates a new file named root.exe in those

- I'm seeing almost only cable modem systems now. Appears businesses
may have finally gotten their acts together.