During outbreaks of fast Internet worms the characteristics of network flow data from backbone networks
changes. We have observed that in particular source and destination IP and port fields undergo compressibility changes, that are characteristic for the scanning strategy of the observed worm. In this paper we present measurements done on a medium sized Swiss Internet backbone (SWITCH, AS559) during the outbreak of the Blaster and Witty Internet worms and attempt to give a first explanation for the observed behaviour. We also discuss the impact of sampled versus full flow data and different compression algorithms. This is work in progress. In particular the details of what exactly causes the observed effects are still preliminary and under ongoing investigation.