Security Incidents mailing list archives

Unidentified Trojan?


From: rginski () CO PINELLAS FL US (Richard Ginski)
Date: Thu, 18 May 2000 11:54:35 -0400


We have been monitoring some strange activity regarding a possible trojan on some of our systems. Unfortunately, this 
explanation has to be long, in order to paint the whole picture:

1) We first noticed that there was a problem when we noticed that two of our INTERNAL DNS servers appeared to be 
affected by DNS cache poisoning. It was stumbled on accidentally when someone entered a typo in a URL (omitting a ":" 
when specifying a port number to one of our intranet sites) and was re-directed to a porn site: 216.65.124.73 
(internalmachine.domain&portnumber). We figured it was cache poisoning because I could not fathom that the DNS servers 
would "learn" a host address for which there are no root servers.

2) I checked our firewall logs as to who may have also (involuntarily) been connecting to this IP address 
(216.65.124.73) and found over 25 machines trying to connect to this site using different port numbers (not HTTP). 
First, the machines used ping (we don't allow outbound ping), then used various ports. Finally, the machines just tried 
to connect to this site using CIFS. 

It appears that once the machines are turned on, the "trojan" activity would begin. We tried to narrow down what could 
be causing this (activity went on for two days), then the activity ceased. Anti-virus software has always been installed 
on these machines (Inoculan) and we manually scanned one of the machines just to make sure the real time scanner did 
not miss anything. Nothing was found. The dates for which this occurred were 4/26 and 4/27. During those two days we were 
able to restart/log in to these machines and watch the activity on a sniffer as we tried to determine the culprit.

3) We felt we had taken a number of precautions to prevent any further damage, including notification when any more 
attempts were made to connect to the IP address 216.65.124.73.

4) Well, it started happening again on Tuesday of this week (5/16) and continued until yesterday (5/17). It appears that 
now the "destination port of choice" is TCP port 524 to the same IP address, for which I cannot identify any type 
of service. Approximately 25 machines (different machines than the machines before, on different network segments) 
were affected. Unlike before, we could not reboot/log in to these machines and cause them to make additional connection 
attempts, which seemed to stimulate the activity before.

5) Today (5/18), no connect attempts were made to 216.65.124.73. However, doing a search on destination port 524 
revealed that machines are now trying to connect to some of our HTTP servers in our DMZ.

All of the machines affected are Windows based (95/98 and NT). 

To the best of our knowledge, all attempts to connect to this outside address have failed due to our firewall.

Has anyone had any experience with this behavior? Can anyone identify TCP port 524?

Any input would be greatly appreciated!
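The firewall-log searches described in the post (who contacted 216.65.124.73, in what order of protocols/ports, and which hosts are now using destination port 524 regardless of target) can be scripted for triage. This is an added example, not code from the poster; the log layout and all sample lines are constructed for illustration.

```python
# Added example: triage of constructed firewall log lines, not part of the original post.
import re
from collections import defaultdict

SUSPECT_IP = "216.65.124.73"   # outside address quoted in the post
SUSPECT_PORT = 524             # TCP destination port quoted in the post

# Constructed sample lines in a made-up "date time proto src dst dport action" layout.
# Host 10.1.4.21 shows the ping -> assorted ports -> CIFS sequence; 10.1.9.8 hits a
# DMZ web server on port 524, the 5/18-style activity.
SAMPLE_LOG = """\
2000-05-16 08:01:02 icmp 10.1.4.21 216.65.124.73 - deny
2000-05-16 08:01:09 tcp 10.1.4.21 216.65.124.73 80 deny
2000-05-16 08:01:15 tcp 10.1.4.21 216.65.124.73 139 deny
2000-05-16 08:02:30 tcp 10.1.7.55 216.65.124.73 524 deny
2000-05-16 08:03:00 tcp 10.1.7.55 216.65.124.73 524 deny
2000-05-18 09:10:11 tcp 10.1.9.8 192.168.100.5 524 deny
2000-05-18 09:11:40 tcp 10.1.9.9 192.168.100.5 80 allow
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\S+) (\S+) (\S+) (\w+)$")


def parse(log_text):
    """Yield one dict per well-formed line; lines that do not match the layout are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, proto, src, dst, dport, action = m.groups()
        yield {"ts": ts, "proto": proto, "src": src, "dst": dst,
               "dport": None if dport == "-" else int(dport), "action": action}


def contacts_to(log_text, ip):
    """Map each internal source to the ordered (proto, dport) attempts it made against ip."""
    per_src = defaultdict(list)
    for rec in parse(log_text):
        if rec["dst"] == ip:
            per_src[rec["src"]].append((rec["proto"], rec["dport"]))
    return dict(per_src)


def port_search(log_text, port):
    """Map each destination to the set of sources that tried dport == port (any target)."""
    targets = defaultdict(set)
    for rec in parse(log_text):
        if rec["dport"] == port:
            targets[rec["dst"]].add(rec["src"])
    return dict(targets)
```

Running `contacts_to(SAMPLE_LOG, SUSPECT_IP)` gives the per-host attempt sequence, and `port_search(SAMPLE_LOG, SUSPECT_PORT)` shows which internal hosts are using port 524 against the outside address versus the DMZ servers.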

