FYI...from Symantec: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html "...Backdoor.IRC.Cirebot is a threat which exploits the Microsoft DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) to install a backdoor Trojan Horse on vulnerable systems. Backdoor.IRC.Cirebot consists of a Backdoor component, and a Hacktool component which installs the backdoor on systems which are vulnerable to the exploit. Signs of infection: the existence of the files c:\rpc.exe, c:\rpctest.exe, or c:\lolx.exe. Signs that a network is being attacked: traffic on port 445 to sequential IP addresses. Signs that an attack has succeeded (allowing a remote shell and downloading of the backdoor): port 57005 open; an ftp connection on port 69..." - See also this thread: http://www.wilderssecurity.com/showthread.php?t=11991;start=msg77483#msg77483.