Thanks very much.

The last one we had was removed a few days ago. We cleaned them by doing what you said, Undertaker, and removing the registry key and the file mso.exe from the system directory.

Unfortunately, I removed the file and don't have a copy anymore, but I will keep my eyes open; I must have it zipped somewhere. The help desk has just been deleting it on the spot.

It was a very clever version that communicated to certain IPs only at certain times. I discovered it by seeing traffic using 6667 to one IP. When I blocked it, it went to another IP.

Now it's a new version of Mydoom that I have been seeing, but luckily it looks like we have stopped it by updating ePO at just the right time. Looks like it's my full-time job now.