Security Incidents mailing list archives

new(?) windows irc ddos trojan


From: Pete Schmitt <prschmitt () HOME COM>
Date: Sat, 10 Mar 2001 08:33:25 -0600

Hello, all.
        Subscription to the list from the web site isn't working right now, so
I'm flying blind at the moment. Please forgive me.
        I've just recently flushed what seems to be an IRC oriented trojan from
a family w98 box. It took a full reinstall to accomplish that, as Norton
(fully updated) failed to do so.
        Much web searching for the particulars of this beastie has found
nothing, so I'm turning to you folks.
        Here's the skinny:
        When it's running, a netstat -an shows the following (smb stuff left
out for clarity):
TCP     0.0.0.0:1029    0.0.0.0 listen
TCP     0.0.0.0:113     0.0.0.0 listen
TCP     192.168.1.2:1029 199.173.178.35 EST #this is dalnet.away.net

        The 192.x.x.x address is my local NAT'ed address. I'm running behind a
Linux-router project firewall box. Hence, our little friend couldn't
complete his duties.
        As you can see, it seems to be running an identd service. Makes sense,
since the packets generated contained repeated IRC login attempts under
the moniker "Joe Blow".
        I've posted to the LRP mailing list about this thing, but no one has
seen it before. The closest I can find on the web is that Kriz trojan,
since it hoses avp32.exe as well (the only thing Norton detected,
unfortunately).
        I have Ethereal packet dumps of what it's up to. All I need is a place
to send them.
        Thanks much.
        Pete.

--
- Nobody moves very much in a Hanna Barbera cartoon! - Zorak
- Philip Glass! Muzak for the new millennium!
- Prschmitt at home dot com http://www.geocities.com/prschmitt/
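As an added example (not from the post or the list), a small Python triage script that applies the poster's own reasoning to `netstat -an` output: an identd listener on a workstation, plus an established session to a known IRC host. The watch-list address is the one the post resolves to dalnet.away.net; the IRC port list and the extra SMB line in the sample are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three netstat -an lines quoted in the post, plus one
# ordinary SMB session (the kind the poster left out) as a negative case.
SAMPLE_NETSTAT = """\
TCP     0.0.0.0:1029    0.0.0.0 listen
TCP     0.0.0.0:113     0.0.0.0 listen
TCP     192.168.1.2:1029 199.173.178.35 EST
TCP     192.168.1.2:1031 192.168.1.1:139 ESTABLISHED
"""

IDENTD_PORT = 113
# Ports commonly used by IRC servers (assumption; extend for your environment).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}
# The post identifies this address as dalnet.away.net; treat it as a watch-list entry.
KNOWN_IRC_HOSTS = {"199.173.178.35"}

@dataclass
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]   # None when netstat printed no remote port
    state: str

def split_endpoint(ep: str):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '1.2.3.4' -> ('1.2.3.4', None)."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep else (ep, None)

def parse_netstat(text: str) -> List[Conn]:
    """Parse TCP rows of netstat -an; tolerates the post's abbreviated 'EST'/'listen'."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        lip, lport = split_endpoint(parts[1])
        rip, rport = split_endpoint(parts[2])
        conns.append(Conn(lip, lport or 0, rip, rport, parts[3].upper()))
    return conns

def suspicious_irc_bot(conns: List[Conn]) -> List[str]:
    """Return the reasons, if any, that this netstat matches the post's pattern."""
    listening = {c.local_port for c in conns if c.state.startswith("LISTEN")}
    findings = []
    if IDENTD_PORT in listening:
        findings.append("identd (tcp/113) listener on a workstation")
    for c in (c for c in conns if c.state.startswith("EST")):
        if c.remote_ip in KNOWN_IRC_HOSTS or c.remote_port in IRC_PORTS:
            findings.append(f"outbound session to IRC host {c.remote_ip} from local port {c.local_port}")
    return findings
```

Both findings together are the signal; an identd listener alone is a weaker indicator, so review the host before acting on a single line.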
