Educause Security Discussion mailing list archives

Strange port 135 probing, possibly a bot


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Thu, 18 Nov 2004 15:36:27 -0500

For the past few days we have had a dozen or two machines pop up with
some as-yet-unidentified virus/worm/bot that appears to try to connect
to random addresses in the same /8 subnet as the host on tcp/135.  I
have seen no other traffic from these hosts.  I can't get a packet
capture of any meaningful payload because the outgoing SYNs are being
blocked by our access lists at the border.

nmaps are not terribly consistent other than all apparently sharing
tcp/113 being open.  Symantec AV with latest definitions doesn't find
anything, nor does SpyBot, HijackThis, Stinger, or a number of other
tools we have tried.  Our field crews have come up empty thus far and
I'm waiting on an empty machine for forensics.  The startup registry
entries didn't have any glowing sore thumbs, so the beast is well
hidden, or installs as a wrapper to a legitimate service.

I haven't seen anything posted about unusual tcp/135 activity, although
there was an upswing in it according to DShield (before their database
went belly-up).  Has anyone seen anything like this recently?

Jeff Kell
System/Network Security
University of Tennessee at Chattanooga

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
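The behaviour described above (many outbound SYNs to tcp/135 aimed at random addresses in the host's own /8, all stopped by the border access lists) leaves a clear footprint in the ACL deny logs even when no payload can be captured. The following is an added example, not code from the original post, that mines such logs for that pattern and returns the suspect hosts. The log line format, the IP addresses and the thresholds (`min_targets`, `min_same8_ratio`) are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample of border ACL deny entries (hypothetical format, not from the post).
# 10.33.5.17 sprays tcp/135 SYNs across its own /8; the other two hosts are benign noise.
SAMPLE_LOG = """\
2004-11-18 14:02:11 DENY TCP 10.33.5.17:1045 -> 10.201.7.88:135 SYN
2004-11-18 14:02:11 DENY TCP 10.33.5.17:1046 -> 10.9.144.3:135 SYN
2004-11-18 14:02:12 DENY TCP 10.33.5.17:1047 -> 10.250.61.200:135 SYN
2004-11-18 14:02:12 DENY TCP 10.33.5.17:1048 -> 10.77.0.15:135 SYN
2004-11-18 14:02:13 DENY TCP 10.33.5.17:1049 -> 10.118.23.9:135 SYN
2004-11-18 14:02:13 DENY TCP 10.33.5.17:1050 -> 10.4.4.4:135 SYN
2004-11-18 14:02:14 DENY TCP 10.33.5.17:1051 -> 192.168.3.3:135 SYN
2004-11-18 14:02:20 DENY TCP 10.33.9.40:2201 -> 10.33.9.1:135 SYN
2004-11-18 14:02:21 DENY TCP 10.33.9.40:2202 -> 10.33.9.1:135 SYN
2004-11-18 14:02:25 DENY TCP 10.33.8.2:3300 -> 172.16.1.1:80 SYN
2004-11-18 14:02:26 DENY TCP 10.33.8.2:3301 -> 172.16.1.2:80 SYN
2004-11-18 14:02:27 DENY TCP 10.33.8.2:3302 -> 172.16.1.3:80 SYN
2004-11-18 14:02:28 DENY TCP 10.33.8.2:3303 -> 172.16.1.4:80 SYN
2004-11-18 14:02:29 DENY TCP 10.33.8.2:3304 -> 172.16.1.5:80 SYN
"""

# Matches "DENY TCP <src>:<sport> -> <dst>:<dport> SYN" in the constructed format.
LINE_RE = re.compile(r"DENY TCP ([\d.]+):\d+ -> ([\d.]+):(\d+) SYN")


def parse_line(line):
    """Return (src, dst, dport) for a deny line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dport = m.groups()
    return src, dst, int(dport)


def same_slash8(a, b):
    """True when both IPv4 addresses share the same first octet (same /8)."""
    return int(ip_address(a)) >> 24 == int(ip_address(b)) >> 24


def find_port135_scanners(log_text, min_targets=5, min_same8_ratio=0.8):
    """Flag sources that hit tcp/135 on many distinct hosts, mostly inside their own /8.

    A host contacting a single RPC server repeatedly (one distinct target) or scanning
    some other port is not flagged; only the random-address, same-/8 tcp/135 pattern is.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport != 135:
            continue
        targets[src].add(dst)

    findings = []
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        same = sum(1 for d in dsts if same_slash8(src, d))
        ratio = same / len(dsts)
        if ratio >= min_same8_ratio:
            findings.append({
                "src": src,
                "distinct_targets": len(dsts),
                "same_slash8_ratio": round(ratio, 3),
            })
    # Most aggressive scanners first, so the field crews know where to start.
    return sorted(findings, key=lambda f: f["distinct_targets"], reverse=True)


if __name__ == "__main__":
    for finding in find_port135_scanners(SAMPLE_LOG):
        print(finding)
```

Run against a real ACL log the thresholds want tuning to the local baseline: legitimate DCOM/RPC clients talk to a handful of fixed servers, so a high distinct-target count concentrated in the host's own /8 is what separates the infected machines from ordinary traffic.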