Threatpost posted a story that the Morto worm that began compromising machines via open RDP services this past weekend is continuing its work, going after workstations and servers and creating large amounts of network traffic from TCP port 3389.
"Once a new system is compromised, it connects to a remote server in order to download additional information and update its components. It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted. Affected users should note that a reboot may be required in order to complete the cleaning process," Hil Gradasevic of the Microsoft Malware Protection Center wrote in an analysis of the Morto infection routine.Morto Worm Continues to Squirm, Windows 7 Infections Reported
Morto also has the ability to launch a DoS attack against a selected target specified by the remote attacker.