In another list (in a galaxy far, far away) there was discussion about how to determine if a compromised system had been affected by the VML exploit. This would usually be evident on workstations, but I do know from experience that admins are known to surf from servers, too. ;-(
Anyway, the discussion of signatures and artifacts eventually led to two things. First, one cannot rely on the filenames of the payload alone...such things do not make good signatures, as they are too easily changed. The other is that a *potential indicator* of the exploit being used is the last access time on the DLL file in question. This is something that can be easily checked via a ProScript...having the last access date may be useful in narrowing down the timeline, particularly if you're coordinating it with Temp Internet Files and other MAC times within the file system.
Harlan
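
The correlation described in the post, sketched as an added example; it is not a ProScript and not code from the original post. It assumes the image is mounted read-only, and the paths passed in, the 10-minute window and the function names are hypothetical.

```python
import os
import sys
from datetime import datetime, timezone

def mac_times(path):
    """Return the Modified/Accessed/Created-or-Changed times of a file."""
    st = os.stat(path)  # reading metadata does not touch the access time
    return {"M": st.st_mtime, "A": st.st_atime, "C": st.st_ctime}

def correlate(dll_path, cache_dir, window_s=600):
    """Use the DLL's last access time as a pivot and return cache files
    with any MAC time inside +/- window_s seconds of it, nearest first."""
    pivot = os.stat(dll_path).st_atime
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            full = os.path.join(root, name)
            try:
                times = mac_times(full)
            except OSError:
                continue  # unreadable entry: skip it, keep walking
            near = {k: t - pivot for k, t in times.items()
                    if abs(t - pivot) <= window_s}
            if near:
                hits.append((full, near))
    hits.sort(key=lambda h: min(abs(d) for d in h[1].values()))
    return pivot, hits

def report(dll_path, cache_dir, window_s=600):
    """Format the result as timeline lines (offsets relative to the pivot)."""
    pivot, hits = correlate(dll_path, cache_dir, window_s)
    stamp = datetime.fromtimestamp(pivot, timezone.utc).isoformat()
    lines = ["pivot (DLL last access, UTC): " + stamp]
    for path, near in hits:
        offs = ", ".join("%s%+ds" % (k, d) for k, d in sorted(near.items()))
        lines.append("  %s  [%s]" % (path, offs))
    return lines

# Caveats: last-access updates can be switched off on Windows
# (NtfsDisableLastAccessUpdate) and any read of the DLL, such as an
# AV scan, also updates the value. Treat a hit as a lead, not proof.
if __name__ == "__main__" and len(sys.argv) >= 3:
    # argv[1]: DLL in the mounted image, argv[2]: Temp Internet Files dir
    print("\n".join(report(sys.argv[1], sys.argv[2])))
```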