Botnet is back, and some info FYI.

[BahdKo <bahdko () erols com>]

Hi everyone,

I wanted to let you know how this worked out.

The packets that were coming into my network stopped for a few days, and then restarted. This time, I was ready with netcat. I 
had netcat listen on port 3127 and grabbed the payload from a couple of connections. It looks like the bots are using a utility 
from the www.steelbytes.com website ("port tunnel" maybe), and when Norton Antivirus looked at the file, it identified 
it as being related to or otherwise infected with Bloodhound.Mydoom.Cli. I have the contents from one of the tcp sessions up at 
http://www.sbbsnet.net/netcatfile.gz, if anyone wants to see it. This file may contain the actual virus.

Regards,

--Laura