Security Incidents mailing list archives

New trojan? Old trojan with new characteristics? Anyone seen this?


From: Mike Parkin <mparkin () cisco com>
Date: 09 Apr 2003 18:51:11 -0400

Not often I post to the list.

Lately the IRC network I help run (away from work) has seen a large
number of host connections with a pattern similar to numerous other
trojan/malware infections that have an IRC element.  Namely: Similar
nicks, user@, and real name fields.  In this case the nicks are all one
of several similar patterns (repeats lead us to believe it may be chosen
from a list), the User@ is always javauser@ (I haven't actually seen a
legitimate java client with this ident, though there may well be one.)
and the Real Name field is always a pattern of "nnnnn 1" where nnnnn is
a five digit random number.

Hosts have been spotted from all over the world.  Cursory scans indicate
the boxen involved are Windows systems running IIS.

I'm wondering if anyone knows what Trojan or worm this is.  We've
encountered several others in the past, and this one isn't quite like
any of the others.  All the connections generate a low level of traffic
as indicated by sub 2 minute idle times.  None of them join channels
(as most floodnet bots do, so their controller can get to them) and none
of them appear to respond to msg or dcc contacts. 

Is this an old one I've missed?  A new one?  A new config on an old
worm?  A large number of really strange java client users?

Any insight would be appreciated.

-M
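
The fingerprint described in the message above (ident `javauser` together with a real name of five digits, a space and `1`), written as a detection pass over connect notices. This is an added example, not part of the original post; the log line format, nicks and addresses are constructed for illustration, and the nick-shape grouping is an assumption about how list-generated nicks might cluster.

```python
import re
from collections import Counter

# Constructed sample of ircd client-connect notices. The line format is an
# assumption for this example, not the output of a specific ircd.
SAMPLE_LOG = """\
Client connecting: Kira22 (javauser@192.0.2.14) [48213 1]
Client connecting: alice (alice@198.51.100.7) [Alice L.]
Client connecting: Kira23 (javauser@203.0.113.80) [90417 1]
Client connecting: webchat9 (javauser@198.51.100.23) [Java User]
Client connecting: Dex_04 (~javauser@192.0.2.200) [00731 1]
Client connecting: bob (bob@203.0.113.5) [12345 12]
"""

CONNECT_RE = re.compile(
    r"^Client connecting: (?P<nick>\S+) "
    r"\((?P<ident>[^@\s]+)@(?P<host>[^)\s]+)\) \[(?P<gecos>.*)\]$")
REALNAME_RE = re.compile(r"\d{5} 1")  # "nnnnn 1", nnnnn = five digits

def parse_connects(log_text):
    """Yield nick/ident/host/gecos dicts for each parseable connect line."""
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if m:
            yield m.groupdict()

def matches_fingerprint(client):
    """Require both fields from the post; either one alone is a weak signal."""
    ident = client["ident"].lstrip("~")  # "~" marks an unanswered ident query
    return (ident == "javauser"
            and REALNAME_RE.fullmatch(client["gecos"]) is not None)

def suspects(log_text):
    return [c for c in parse_connects(log_text) if matches_fingerprint(c)]

def nick_shapes(clients):
    """Reduce nicks to a letter/digit shape so similar patterns group together."""
    def shape(nick):
        return re.sub(r"[A-Za-z]+", "a", re.sub(r"\d+", "9", nick))
    return Counter(shape(c["nick"]) for c in clients)

if __name__ == "__main__":
    hits = suspects(SAMPLE_LOG)
    for c in hits:
        print(f'{c["nick"]:10} {c["host"]:16} realname={c["gecos"]!r}')
    print(dict(nick_shapes(hits)))
```

A legitimate Java client that happens to use the `javauser` ident (the `webchat9` line) is not flagged, because its real name does not fit the numeric pattern.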



