UDP 138 Traffic to non-existant servers (only from XP machines)

[bp1169]

I have a NT4 domain with 10 subnets geographically seperated connected by frame relay. Each of these locations has several xp pro machines. While watching the firewall logs I have noticed a lot of udp port 138 traffic originating from almost all of these xp machines. The traffic is attempting to reach port 138 on non-existant servers on the network. The servers they are trying to reach did exist at one time (3 or more years ago). I have checked wins to ensure there are no entries for these servers and there are no entries. The odd thing is that it only comes from xp machines, the nt, 9x machines (75% of the pcs on the network) do not have this problem. Any ideas as to why this happening? Thanks!

 

[1101001100110101]

It could be blaster or one of its variants I would do and updated virus scan on the pc's. Also Udp port 138 is used for Browsing datagram responses of NetBIOS over TCP/IP according to Microsoft. Which could be browser elections, host announcements, local master announcements etc going on in the network.

 

[bp1169]

Thanks for your reply, I was thinking that it could be a virusas well. I did verify that none of these pcs are infected. We have several layers of virus protection and my organization is quick about patching systems as the patches are made available.

Also, this problem occurs on almost every xp pc, including a new HP laptop I just pulled out of the box today. I'm not sure where the problem lies, maybe its in the network and only xp can "see" these stale server entries. The pc's are all on DHCP, and I have verified that no stale server entries exist in the scopes. I'm probably going to hold this new laptop for a while and start shutting off services to see if its a service that may be causing the problem. I've heard some problems related to network browsing in the WebClient service, so I may look down that avenue.

Any other thoughts are appreciated.