I have found a handful of machines that showed up with a virus infection that Symantec will not detect. It's rather simple too. A process "Svhost.exe" runs from either c:\Windows\system32\Svhost.exe or as a prefetch file (.pf extension). In the registry Run key, it just loads Svhost.exe with the name "Microsoft Update".
It's very easy to remove - just end the process, delete the file, and delete the reg entry. Then run Windows Update and install all critical fixes.
What I can't figure out is why the major antivirus vendors are not detecting such a simple variant. I was able to upload a sample file to Kaspersky and have it analyzed as Backdoor.Win32.Rbot.hf, but it's an incorrect analysis. The description of that variant does not match the characteristics of what we're seeing. A submission to Symantec reveals it to be an SDBot variant.
I have found that this virus acts as a trojan and is communicating with the same IP. It's either a denial of service attack or part of a zombie network. I have contacted the directors of the network the IP belongs to, and hope they will remove the server from the public.
Also to note, so far I have only seen Windows XP machines get infected with this virus. If anyone else catches this, please let me know what you find out.
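A way to sweep other machines for the Run-key entry described above, added here as an example and not part of the original post: it parses saved `reg query` output for the Run key and flags values whose executable name imitates `svchost.exe` or launches it directly. The sample registry output is constructed, and the function names and the edit-distance threshold of 2 are assumptions.

```python
import re
from pathlib import PureWindowsPath

LEGIT = "svchost.exe"  # name of the real Windows Service Host binary

# Constructed sample in the layout printed by `reg query` for the Run key.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Update    REG_SZ    Svhost.exe
    SoundMan    REG_SZ    C:\Windows\SOUNDMAN.EXE
    ExampleHost    REG_SZ    "C:\Temp\svchost.exe" -k netsvcs
    ExampleTray    REG_SZ    "C:\Program Files\Example\tray.exe" /min
"""

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_run_values(text):
    """Yield (value name, data) pairs from `reg query` output."""
    for line in text.splitlines():
        m = re.match(r"^\s{4}(.+?)\s{4}REG_(?:SZ|EXPAND_SZ)\s{4}(.*)$", line)
        if m:
            yield m.group(1), m.group(2).strip()

def executable_of(data):
    """Return the program part of a Run command line (quoted or bare)."""
    m = re.match(r'"([^"]+)"|(.*?\.exe)(?=\s|$)|(\S+)', data, re.I)
    return next((g for g in m.groups() if g), "") if m else ""

def suspicious_run_entries(text, max_distance=2):
    """Flag Run values that imitate svchost.exe or start it directly."""
    findings = []
    for name, data in parse_run_values(text):
        base = PureWindowsPath(executable_of(data)).name.lower()
        if base == LEGIT:  # the real one is started by the Service Control Manager
            findings.append((name, data, "svchost.exe launched from a Run key"))
        elif edit_distance(base, LEGIT) <= max_distance:
            findings.append((name, data, "name imitates svchost.exe"))
    return findings

if __name__ == "__main__":
    for finding in suspicious_run_entries(SAMPLE_REG_OUTPUT):
        print(finding)
```

A hit is a lead to examine on the machine itself, not proof of infection; the value name alone ("Microsoft Update" here) is not used as a signal because it is trivially changed.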