NEWS FROM THE LAB - Tuesday, May 18, 2004

The weird traffic is generated by two worms Posted by Mikko @ 03:22 GMT

Turns out the Bobax worm also generates port 5000 traffic.

Unlike the SdtBot aka Kibuv worm (which is based on the SdBot family), Bobax does not try to infect machines through this port. It only uses it to fingerprint the target system: TCP/5000 is the default listening port of the Windows UPnP service, so a response there tells the worm it is talking to a Windows host.

Bobax is yet another spammer-related worm, creating networks of proxy machines that spam gangs can use to send unsolicited bulk email.

Right now we can't determine which of these two worms is generating more of the 5000/TCP traffic. Nevertheless, more than 400,000 IP addresses have been seen scanning for this port over the last few days.
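To get a count like the one above from your own perimeter logs, the following script (an added example, not code from this post or from F-Secure) pulls TCP/5000 connection attempts out of iptables-style firewall log lines and reports the distinct sources, flagging those that probed several of your hosts. The log lines embedded in it are constructed for the example; the field layout (SRC=, DST=, PROTO=, DPT=) and the threshold of two targets are assumptions.

```python
"""Count distinct hosts scanning for TCP/5000 in firewall logs.

Added example, not code from the F-Secure post. The log lines below are
constructed in an iptables LOG-target style; the field names are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real captured data).
SAMPLE_LOG = """\
May 18 02:10:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=3421 DPT=5000 SYN
May 18 02:10:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=3422 DPT=5000 SYN
May 18 02:10:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=3423 DPT=5000 SYN
May 18 02:10:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=5000 SYN
May 18 02:10:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=1025 DPT=5000 SYN
May 18 02:10:04 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.13 PROTO=TCP SPT=1026 DPT=5000 SYN
May 18 02:10:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=1027 DPT=80 SYN
May 18 02:10:06 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=UDP SPT=1028 DPT=5000
"""

# Assumed field layout; adjust the pattern for other firewall log formats.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse(log_text):
    """Yield (src, dst, proto, dport) for every line the pattern matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def distinct_sources(log_text, port=5000):
    """Number of distinct source IPs that sent at least one TCP packet to `port`."""
    return len({src for src, _, proto, dport in parse(log_text)
                if proto == "TCP" and dport == port})


def scanners(log_text, port=5000, min_targets=2):
    """Map source IP -> set of destination IPs it hit on TCP/`port`,
    keeping only sources that touched at least `min_targets` distinct hosts.
    A single hit may be a legitimate UPnP client; many distinct targets is a scan."""
    targets = defaultdict(set)
    for src, dst, proto, dport in parse(log_text):
        if proto == "TCP" and dport == port:
            targets[src].add(dst)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    print("distinct sources touching TCP/5000:", distinct_sources(SAMPLE_LOG))
    for src, dsts in sorted(scanners(SAMPLE_LOG).items()):
        print(f"{src} probed {len(dsts)} hosts: {', '.join(sorted(dsts))}")
```

Note that this only counts and ranks sources; a SYN-level firewall log cannot tell a Kibuv infection attempt from a Bobax fingerprint probe, which is exactly the limitation the post describes. Telling the two apart needs the payload after the handshake, so capture a few completed sessions to port 5000 on a honeypot or with a packet sniffer rather than relying on the firewall log alone.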