It's out there. I've seen logs indicating the attacker put a "root.exe" file
on the IIS5 host and then were able to issue a command to run this file via
the overflow. I don't have any more specific information on the contents of
the root.exe file or the exact script used, etc. at this time.