hey guys

We (just like a lot of companies) got caught sleeping. We were hit yesterday by the sasser virus. Most of our machines have the MS security patch now and are protected. We have found that if we take a machine off the network (physically) it will not do the reboot. Leads me to believe that some infected machine on the network is broadcasting somesort of shutdown command to the rest. Is this what I have read about "broadcasting over port 5544". Is there a way that I could find on our network what machine is doing this broadcast to the others? Mind you we do not have a sniffer in place.

Thanks in advace.