Wish I had more time to play with this, but ran an 'od -c' on the binary (was hoping to catch a look at what data was being passed to the particular calls, like gethostbyname, etc.)...

Might look around in there and see if you can find a packed address that it is trying to connect to...

0167100 W S A F D I s S e t \0 \0 5 \0 a c
0167120 c e p t \0 \0 \0 \0 6 \0 b i n d \0 \0
0167140 7 \0 c l o s e s o c k e t \0 \0 \0
0167160 8 \0 c o n n e c t \0 \0 \0 ; \0 g e
0167200 t h o s t b y n a m e \0 E \0 h t
0167220 o n l \0 F \0 h t o n s \0 G \0 i n
0167240 e t _ a d d r \0 J \0 i o c t l s
0167260 o c k e t \0 \0 \0 K \0 l i s t e n
0167300 \0 \0 \0 \0 O \0 r e c v \0 \0 T \0 s e
0167320 l e c t \0 \0 \0 \0 U \0 s e n d \0 \0
0167340 Z \0 s o c k e t \0 \0 \0 \0 j \0 C o

Anyone brave enough to try pulling this up in a debugger? I'd be real curious to know what was at those memory blocks... I get the feeling it may be some kind of a trojan, or even a worm... dunno, like I said, wish I had more time to play with it.

EDIT: Since I don't really have time to mess with it, I submitted to securityresponse@symantec. I will post any feedback I get from them.

/nebulus
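
The strings in the dump above follow the PE import hint/name layout (a 2-byte hint, the function name, a NUL terminator, then padding). As an added example that is not part of the original post, this Python sketch rebuilds the bytes from the `od -c` text, lists the imported functions, and groups them by what they let the binary do; the function names and the `ROLES` grouping are choices made for this example.

```python
import re
# od -c lines copied from the post: octal offset, then 16 byte tokens per line.
OD_DUMP = r"""
0167100 W S A F D I s S e t \0 \0 5 \0 a c
0167120 c e p t \0 \0 \0 \0 6 \0 b i n d \0 \0
0167140 7 \0 c l o s e s o c k e t \0 \0 \0
0167160 8 \0 c o n n e c t \0 \0 \0 ; \0 g e
0167200 t h o s t b y n a m e \0 E \0 h t
0167220 o n l \0 F \0 h t o n s \0 G \0 i n
0167240 e t _ a d d r \0 J \0 i o c t l s
0167260 o c k e t \0 \0 \0 K \0 l i s t e n
0167300 \0 \0 \0 \0 O \0 r e c v \0 \0 T \0 s e
0167320 l e c t \0 \0 \0 \0 U \0 s e n d \0 \0
0167340 Z \0 s o c k e t \0 \0 \0 \0 j \0 C o
"""
ESC = {r"\0": 0, r"\a": 7, r"\b": 8, r"\t": 9, r"\n": 10, r"\v": 11, r"\f": 12, r"\r": 13}
ROLES = {"inbound listener": {"bind", "listen", "accept"},   # grouping chosen for this example
         "outbound connection": {"connect"},
         "name/address lookup": {"gethostbyname", "inet_addr"}}

def od_c_to_bytes(text):
    # Rebuild raw bytes from od -c output (literal spaces in the data are not recoverable).
    out = bytearray()
    for line in text.strip().splitlines():
        for tok in line.split()[1:]:              # skip the offset column
            if tok in ESC:
                out.append(ESC[tok])
            elif re.fullmatch(r"[0-7]{3}", tok):  # non-printable byte shown as octal
                out.append(int(tok, 8))
            else:
                out += tok.encode("latin-1")
    return bytes(out)

def parse_hint_names(blob):
    # Each entry: 2-byte little-endian hint, NUL-terminated name, NUL padding.
    entries, pos = [], blob.find(b"\0")           # dump starts mid-name: skip that fragment
    while pos != -1:
        while pos < len(blob) and blob[pos] == 0: # heuristic: assumes no hint has a zero low byte
            pos += 1
        end = blob.find(b"\0", pos + 2)
        if end == -1:                             # truncated trailing entry ("Co...")
            break
        entries.append((int.from_bytes(blob[pos:pos + 2], "little"), blob[pos + 2:end].decode("latin-1")))
        pos = end
    return entries

def triage(entries):
    names = {name for _, name in entries}
    return {role: sorted(names & funcs) for role, funcs in ROLES.items() if names & funcs}
```

Calling `triage(parse_hint_names(od_c_to_bytes(OD_DUMP)))` reports all three roles for this dump. An import list shows only what the binary is able to call, so any address or hostname it uses still has to be recovered from its data or from a debugger session.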