As discovered by D.W., this is in fact part of recommended IDEA implementation. IDEA uses $a\cdot b \bmod (2^{16}+1)$, with a special case of handling $0$ as $2^{16}$. From the Handbook of Applied Cryptography, note 7.016:
Note (implementing $ab \bmod 2^{n}+1$) Multiplication $\bmod 2^{16}+1$ may be
efficiently implemented as follows, for $0 \leq a, b \leq 2^{16}$ (cf. §14.3.4).
Let $c = ab = c_0·2^{32} +c_H·2^{16} +c_L$, where $c_0 \in \{ 0, 1\}$ and
$0 \leq c_L, c_H < 2^{16}$. To compute $c' = c \bmod (2^{16} + 1)$, first
obtain $c_L$ and $c_H$ by standard multiplication. For $a = b = 2^{16}$, note
that $c_0 = 1$, $c_L = c_H = 0$, and $c' = (−1)(−1) = 1$, since
$2^{16} \equiv −1 \mod (2^{16}+1)$; otherwise, $c_0 = 0$. Consequently,
$c' = c_L − c_H + c_0$ if $c_L \geq c_H$, while $c' = c_L − c_H + (2^{16} + 1)$ if
$c_L < c_H$ (since then $−2^{16} < c_L − c_H < 0$).
Which is exactly consistent.
This of course leaves me with some greater questions, such as how IDEA is secure with only linear operations, and where I can read more about it (there's precious little deep discussion online), but those are for a different post. One other interesting thing is that, unlike other ciphers with constant tables, it's not trivial to look at binary code and recognize IDEA. You can scan for $2^{16}+1$, but that's not as certain as for instance finding the md5 table.
