Security Incidents mailing list archives

RE: SNMP worm?


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 27 Oct 2005 09:07:15 -0700

  Thanks to everyone who responded.

  Under further investigation, the sources turn out to be
two machines used by a single individual employee, and one
machine in an isolated lab not connected to the main network.
(The latter was initially over-reported by the lab supervisor.)
My initial fear that we were on the brink of an outbreak does
not appear to have been realized.

  The employee works in a department which operates various
power, water, HVAC, etc. systems.  We're checking into the 
possibility that they have a new/demo program to monitor that
equipment.  However, all such equipment lives on its own
private VLAN, and any traffic relating to it ought to be
pointed there.
  What we were seeing was traffic on our main user VLAN:
unicast traffic targeting specific network infrastructure
equipment (possibly part of a sweep of the whole address
range), and broadcast traffic to the whole VLAN.  And
unfortunately we have a few legacy pieces of equipment 
that found this difficult to handle; some recovered on 
their own, some didn't(!).

  Checking specifically for other SNMP traffic has uncovered
a couple of interesting anomalies.  Most of it is clearly
workstations monitoring the status of nearby printers -- 
although in one case it appears that a visitor is trying to 
monitor a printer at their usual location, hundreds of miles
away.  (Since we block SNMP at our borders, this isn't 
actually working....)
  But a couple of machines seem to be regularly polling specific
target addresses (one per source) in unpopulated regions of our
address space.  Harmless so far as I can tell, but definitely
odd.

  Again, thanks for the assist.

David Gillett
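The four traffic patterns the post sorts the SNMP sources into (sweeps of the address range, broadcasts to the user VLAN, workstations polling nearby printers, and hosts regularly polling addresses in unpopulated space or off-network) can be separated mechanically from flow records. The script below is an added example, not code from the original post or from the list; the address plan, the printer list, the sweep threshold and the flow records are all constructed for the illustration and do not describe the network discussed above.

```python
"""Classify SNMP (UDP/161) senders by the pattern of their targets."""
import ipaddress
from collections import defaultdict

# Hypothetical address plan (an assumption, not the poster's network).
USER_VLAN = ipaddress.ip_network("10.10.0.0/22")          # main user VLAN
POPULATED = [ipaddress.ip_network("10.10.0.0/24"),        # ranges with assigned hosts
             ipaddress.ip_network("10.10.1.0/25")]
KNOWN_PRINTERS = {ipaddress.ip_address("10.10.0.9"),
                  ipaddress.ip_address("10.10.1.9")}
SWEEP_THRESHOLD = 16   # distinct unicast SNMP targets from one source

# Constructed flow records: (src, dst, proto, dst_port). Not real capture data.
SAMPLE_FLOWS = [
    ("10.10.0.50", "10.10.0.9", "udp", 161),     # workstation polling a printer
    ("10.10.0.50", "10.10.0.9", "udp", 161),
    ("10.10.0.51", "10.10.3.77", "udp", 161),    # regular poll of an unpopulated address
    ("10.10.0.52", "10.10.0.9", "tcp", 80),      # not SNMP, must be ignored
    ("10.10.0.53", "172.20.5.9", "udp", 161),    # visitor polling a printer off-network
    ("10.10.0.60", "10.10.3.255", "udp", 161),   # VLAN broadcast
] + [("10.10.0.60", f"10.10.0.{i}", "udp", 161) for i in range(1, 21)]  # sweep


def is_populated(addr, populated=POPULATED):
    """True if addr falls inside a range that has hosts assigned."""
    return any(addr in net for net in populated)


def classify_snmp_sources(flows, user_vlan=USER_VLAN, populated=POPULATED,
                          printers=KNOWN_PRINTERS, sweep_threshold=SWEEP_THRESHOLD):
    """Return {source: sorted tags} for every host that sent UDP/161 traffic.

    Tags: broadcast, sweep, printer-monitor, unpopulated-target, off-net, other.
    A single source can carry several tags (e.g. a sweep plus a broadcast).
    """
    targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "udp" and dport == 161:
            targets[ipaddress.ip_address(src)].add(ipaddress.ip_address(dst))

    result = {}
    bcast = user_vlan.broadcast_address
    for src, dsts in targets.items():
        tags = set()
        if bcast in dsts:
            tags.add("broadcast")
        unicast = dsts - {bcast}
        if len(unicast) >= sweep_threshold:
            tags.add("sweep")
        if unicast and unicast <= printers:
            tags.add("printer-monitor")
        in_vlan = {d for d in unicast if d in user_vlan}
        if unicast - in_vlan:
            tags.add("off-net")          # blocked at the border, but worth noting
        if any(not is_populated(d, populated) for d in in_vlan):
            tags.add("unpopulated-target")
        if not tags:
            tags.add("other")
        result[str(src)] = sorted(tags)
    return result


if __name__ == "__main__":
    for src, tags in sorted(classify_snmp_sources(SAMPLE_FLOWS).items()):
        print(f"{src:15} {', '.join(tags)}")
```

The sweep threshold and the populated ranges are the two knobs to tune to a real address plan; a host that trips "sweep" against infrastructure addresses is the case the post was worried about, while "printer-monitor" is the benign bulk of what it found.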



