Symantec's analysis was more specific in pegging possible causes for the uptick in port 139 activity.
"A new variant of Spybot named W32.Spybot.AKNO has been discovered propagating in the wild," Symantec said in a warning issued early Thursday to users of its DeepSight threat management service. The bot -- designed to infiltrate a system, then download additional malicious code to hijack the computer so it can be used as a spam zombie or for other criminal activities -- also contains a rootkit component, Symantec added. A rootkit is code that cloaks a worm or bot to make it harder for anti-virus software to both detect and delete the malware.
"That Spybot picked this up [an MS06-040 exploit] isn't surprising," said David Cole, the director of Symantec's security response team. "Spybot is one of the most prevalent bots out there. What is interesting is that it also threw in rootkit capabilities."
Symantec also said that it had received reports of a worm in the wild that was using the MS06-040 vulnerability to attack PCs running Windows NT 4.0. An initial report posted to the Full Disclosure security mailing list was "extremely vague," said Symantec, which has been unable to reach the researcher who reported the worm, and so has no sample code to examine. Other researchers writing to the Full Disclosure list noted that the malicious code also successfully attacks Windows 2000 systems.
The new Spybot and the attack against Windows NT machines seem to be separate, Symantec said. It has deployed honeypot systems in the hope of collecting a sample of the new NT worm.
Windows NT users are particularly vulnerable to attack, Cole added, since the aged operating system has been dropped from Microsoft's support list; the Redmond, Wash. developer stopped issuing security fixes for NT on the last day of 2004.