is a zombie, haven't found any content that causes it to spread.. very strange...
name=$comp ($v2/$ver) [$dtime] $cpu $os
vreply=mIRC v6.14 Khaled Mardam-Bey
perform=join #bok 1
those are 4 IP+ports for 2 servers.. both are unrealircd beta19 modified servers... and they are linked to each other. /map is blocked, /links seems to work, /lusers is blocked, no modules loaded (so the source was edited).
Zombies will show up like:
invz81956 is dark@**********.**********.** * KLAAS (invz/33) [21-05-2004 23:56] 1,55GHz Windows
invz81956 using kotu.deligomlegi.com tyrants
invz81956 has been idle 2secs, signed on Sat May 22 09:04:08
invz81956 End of /WHOIS list.
The channel #bok itself is +smntuk 1 and no ops present (so can't see anyone)...
also /list was modified to not show the channel even if I'm in it (normally you can see the usercount).
The virus itself (or actually 1 of them, scan.exe, the zombie) is caught as Backdoor.Delf.lq by f-secure.
Now this is all very interesting, but this isn't the "primary trojan" you are talking about ;)... For some reason I was unable to find that one...
Perhaps they used this primary trojan to execute a secondary virus (the one I just described) which is the backdoor... Ah well.. who cares.. I'll just add the sig you used into cvs ;).
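The realname template from the bot's config (name=$comp ($v2/$ver) [$dtime] $cpu $os) and the WHOIS line quoted above give a defender a usable fingerprint for spotting infected hosts in IRC logs. The following is an added Python example, not code from the poster or from the bot; the regexes are derived from the template and the one WHOIS line on the page, the benign and extra zombie log lines are constructed for illustration, and the rule that the nick prefix must equal the $v2 field is an assumption based on the single observed nick (invz81956 / invz).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Realname template from the bot config quoted in the post:
#   name=$comp ($v2/$ver) [$dtime] $cpu $os
# e.g. "KLAAS (invz/33) [21-05-2004 23:56] 1,55GHz Windows"
REALNAME_RE = re.compile(
    r"^(?P<comp>\S+) \((?P<v2>[^/)]+)/(?P<ver>\d+)\) "
    r"\[(?P<dtime>\d{2}-\d{2}-\d{4} \d{2}:\d{2})\] (?P<cpu>\S+) (?P<os>.+)$"
)

# mIRC-style first WHOIS line: "<nick> is <user>@<host> * <realname>"
# The host may be masked with '*' characters, as in the post, so \S+ is used.
WHOIS_RE = re.compile(
    r"^(?P<nick>\S+) is (?P<user>\S+)@(?P<host>\S+) \* (?P<realname>.+)$"
)

# Observed zombie nick: bot prefix followed by a run of digits ("invz81956").
# Assumption: the prefix equals the $v2 field of the realname.
NICK_RE = re.compile(r"^(?P<prefix>[A-Za-z]+)(?P<num>\d{3,})$")


@dataclass
class Zombie:
    nick: str
    host: str
    comp: str
    family: str   # $v2
    ver: int      # $ver
    dtime: str    # $dtime, infection timestamp as written by the bot
    cpu: str
    os: str


def parse_whois_line(line: str) -> Optional[Zombie]:
    """Return a Zombie record if the WHOIS line matches the bot's realname
    template and nick scheme, otherwise None."""
    m = WHOIS_RE.match(line.strip())
    if not m:
        return None
    r = REALNAME_RE.match(m.group("realname"))
    if not r:
        return None
    n = NICK_RE.match(m.group("nick"))
    # Nick prefix must agree with the $v2 field; this ties the two signals
    # together and avoids flagging a human whose realname merely looks odd.
    if not n or n.group("prefix").lower() != r.group("v2").lower():
        return None
    return Zombie(
        nick=m.group("nick"),
        host=m.group("host"),
        comp=r.group("comp"),
        family=r.group("v2"),
        ver=int(r.group("ver")),
        dtime=r.group("dtime"),
        cpu=r.group("cpu"),
        os=r.group("os"),
    )


def scan_log(lines: Iterable[str]) -> List[Zombie]:
    """Run the detector over raw IRC client log lines."""
    return [z for z in (parse_whois_line(ln) for ln in lines) if z is not None]


# Constructed sample log: line 1 is the WHOIS line quoted in the post (host
# masked as it was there); the rest are made up for this example.
SAMPLE_LOG = [
    "invz81956 is dark@**********.**********.** * KLAAS (invz/33) [21-05-2004 23:56] 1,55GHz Windows",
    "invz81956 using kotu.deligomlegi.com tyrants",
    "invz81956 has been idle 2secs, signed on Sat May 22 09:04:08",
    "alice is alice@host.example.invalid * Alice Example",          # benign user
    "invz12345 is x@10.0.0.5 * WORKSTATION (invz/33) [22-05-2004 09:01] 2,4GHz Windows XP",
    "invz999 is y@10.0.0.6 * BOX (other/1) [01-01-2004 00:00] 1GHz Linux",  # prefix mismatch
]

if __name__ == "__main__":
    for z in scan_log(SAMPLE_LOG):
        print(f"zombie {z.nick} host={z.host} family={z.family} ver={z.ver} os={z.os}")
```

Feeding a client's raw WHOIS output through scan_log gives a list of suspected bots with their build number and infection time, which is enough to group hosts by bot version and to prioritise cleanup; the fake CTCP VERSION reply (vreply=mIRC v6.14 Khaled Mardam-Bey) can be added as a second signal, but on its own it is indistinguishable from a real mIRC client.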