There has been a recent increase in scanning on port 139, as reported by the ISC:
MS06-040 - Worm Developments
QUOTE: It appears, in typical antivirus fashion, to be named several things: McAfee is calling it "W32/SDbot.worm!MS06-040", Sophos is calling it "W32/Vanebot-A", and Symantec is calling it "W32.Randex.GEL". (Yes, it's been out for a couple days.)
Let's take a look at this bad boy, shall we? How does it spread? Well, it uses: MS04-007, MS05-017, MS05-039, and of course, our favorite bug of the moment, MS06-040.
This one should be relatively easy to catch: look for machines pounding away over port 139 (from reader submissions it's about 150 machines in just a few seconds, so it should be noisy), and look for connections via IRC to a malicious website over port 4915. (Until the next variant changes it, and we know it will.) It has the ability to do a bunch of things, including spreading to network shares.
1. FIREWALL -- As always (and it should have been done for years now), block 139 and 445 at the router/firewall. NetBIOS traffic shouldn't be allowed to exit or enter your network from egress points anyway.
2. AV PROTECTION -- Update your antivirus. At least daily.
3. SECURITY UPDATES -- Patch. You know the deal by now.
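
The two indicators described above (one host reaching many machines on port 139 within a few seconds, and outbound connections on port 4915) can be checked against flow records. The following is an added example, not part of the quoted ISC text; the `epoch src dst dport` line format, the 5-second window, the threshold of 100 distinct destinations and the sample addresses are all assumptions.

```python
from collections import defaultdict, deque

SCAN_PORTS = {139, 445}   # NetBIOS/SMB ports named in the post
C2_PORT = 4915            # IRC port reported for this variant
WINDOW_SECONDS = 5.0      # assumption: reading of "a few seconds"
FANOUT_THRESHOLD = 100    # assumption: the post reports about 150 machines


def parse_flow(line):
    """Parse one 'epoch src dst dport' record (constructed format)."""
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)


def detect(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return (scanners, c2_talkers) from time-ordered flow lines."""
    recent = defaultdict(deque)                     # src -> (ts, dst) in window
    counts = defaultdict(lambda: defaultdict(int))  # src -> dst -> hits in window
    scanners, c2_talkers = set(), set()
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport == C2_PORT:
            c2_talkers.add(src)
        if dport not in SCAN_PORTS:
            continue
        queue, seen = recent[src], counts[src]
        queue.append((ts, dst))
        seen[dst] += 1
        # Expire flows older than the sliding window.
        while queue and ts - queue[0][0] > window:
            _, old_dst = queue.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        # Count distinct destinations so a busy file-server client is not flagged.
        if len(seen) >= threshold:
            scanners.add(src)
    return scanners, c2_talkers


def sample_flows():
    """Constructed flows: one noisy host and one ordinary SMB client."""
    flows = [f"{1000 + i * 0.02:.2f} 10.0.0.5 10.0.1.{i + 1} 139" for i in range(150)]
    flows.append("1003.10 10.0.0.5 192.0.2.10 4915")
    flows += [f"{1000 + i:.2f} 10.0.0.9 10.0.1.20 445" for i in range(20)]
    return sorted(flows, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    scanners, c2_talkers = detect(sample_flows())
    print("fan-out on 139/445:", sorted(scanners))
    print("connections on 4915:", sorted(c2_talkers))
```

A host that appears in both sets is the strongest candidate for cleanup; the port 4915 check only holds until a variant changes the port, as the post notes.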