Alert from SANS, the LION worm (similar to Ramen) is now in the wild.

http://www.sans.org/newlook/home.htm
http://www.sans.org/current.htm

http://www.redhat.com/support/errata/RHSA-2001-007.html

It uses vulnerable versions of BIND (8.2, 8.2-P1, 8.2.1, 8.2.2-Px and all
8.2.3-beta versions).  It installs the t0rn rootkit on a system and then scans
a random class B subnet trying to find more vulnerable systems to infect.