We had an instance of a rare virus on campus last night, only TrendMicro has a writeup about it yet, but I submitted a copy of it to Symantec, our antivirus vendor, and they've supplied me with beta defs to stop it. They're calling it W32.Gaobot.SN, and it lives in a file called msgfix.exe From what I could see, it attacks machines with weak or blank Administrator passwords, then attempts to spread to other machines on the network. It also listens on port 6667 for instructions from the creator of the worm, so that it may do his dastardly bidding. Cleanup is pretty easy, just stop the process, delete the file, and remove the registry entry that calls it when the machine starts. Hopefully Symantec will have a writeup about it soon...