I figured the old thread displayed the detail better, and since people often don't follow links to old threads they wouldn't have to... That said, someone has already replied without reading the previous thread.

I used the tcpdump args requested by a previous poster to provide more details.

I've since read the following URL. Not sure if it throws any light on the subject:

http://securityresponse.symantec.com...ster.worm.html

Also, there is another lengthy thread here:

http://www.dslreports.com/forum/rema...flat~days=9999

Which culminated in the following link:

http://groups.google.com/groups?q=g:...40pita.alt.net

Apologies if I broke any etiquette by dredging up an old thread.

T.