Hi, We in the Honeynet Project has been following this for the last 4-5 months. We call it sundayddr because of the User-Agent. Ben in Australia has written more about it here: http://honeynet.org.au/ I have also written about it here (back in July) http://www.usken.no/2010/07/using-botnets-to-do-sip-scanning/ It is a botnet client with both a SSH and a SIP scanner (based on SIPVicious by Sandro Gauci) (www.sipvicious.org) Most infected machines doing this scanning are located in China contact me if you need any more information. cheers sjur www.usken.no