Three quick investigation moments from 2004:
March: Witty traffic from inside my range. Investigation: a friend's BlackICE-running laptop. Lesson: even on minor worms, the impact reaches the few who run the affected product.
May: Sasser scans saturating my upstream. Investigation: legitimate worm traffic. Lesson: the bandwidth cost of worm tails compounds over months.
August: an unexpected inbound connection. Investigation: a Sebek capture of an attacker who had compromised the honeypot via a MyDoom backdoor. Lesson: the worm-backdoor-as-substrate pattern continues.
Have a safe night.