Peter Van Epp wrote:
> 	Still don't know what it is (several AV programs find nothing but the
> machine is still infected), but it is calling home to port 30591 on a variety
> of hosts (many of them apparently web hosting sites such as theplanet.com)
> after which they start scanning for port 445 according to argus.

Haven't seen it here yet (just checked) ... but if anyone has dumps of 
the controller traffic (e.g., -s 1500 port 30591), please make them available.


