"Stealth" Agobot/Gaobot?

[Jeff Kell <jeff-kell () UTC EDU>]

Twice today I have seen indications of Agobot infections.  As has been
my usual procedure, I nmap the beast, try nbtscan for NetBIOS info, then
shut down the port.  But nmap indicates nothing other than 135/139/1025
and the scanning stops.

Is this a new "stealth bot" that shuts down or sleeps for awhile if it
detects a scan?

This is getting creepy.

Jeff Kell
University of Tennessee at Chattanooga

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.