Last month, Phatbot made the rounds, attacking Windows systems by acting as a Trojan horse. Phatbot would then link infected computers into an underground network for sending spam or launching other attacks. SANS is currently in the process of attempting to capture a full packet of data--or an executable file--for further analysis of Phatbot.
The worm probes Transmission Control Protocol ports 2745, 1025, 3127, 6129, 5000, 80 and 1433, as well as Microsoft's NetBIOS, according to the SANS report.
"There has also been conjecture that the port 1981 increase is potentially also connected to another variant of Phatbot," SANS noted in its handler's diary.
Phatbot relies on "peer to peer" technology, which makes it more difficult to eliminate, because there is no central command center for its network.
"The Phatbot has been morphing and changing daily," said Marcus Sachs, director of SANS Internet Storm Center. "We're conjecturing that this is another version of Phatbot."
Microsoft, meanwhile, said it has not received any new reports of the Phatbot worm, a company representative said.