Good to see you back online, Geoff!
From what I read, the worm connects to the system and determines
whether the system is RH6.2 or RH7.0. Those are the only two systems that
it's interested in. If it's RH6.2, a buffer overflow attack is tried on
the wu-ftp daemon, if any is running. If 7.0, it goes after LPD in a
similar way. Last june, RedHat released a new wu-ftpd for RH6.2, and
some time in earli October, I think, RH released a new version of LPRng
for 7.0.
Both fixes address the above mentioned problem.
HTH.
Bill
