[Michael]

In the past few days, I've seen a fair number of Koobface worms being spread.

My Russian is a little rusty, so I hope it does not say something offensive ;-)



This is what our HoneyPots have recorded since July 1st:

www.bnmq.com;82.19.199.223/pid=30937/setup.exe;7/6/2009 11:52:51 AM;7/6/2009 11:52:51 AM

www.bnmq.com;90.8.115.225/pid=30937/setup.exe;7/6/2009 11:52:51 AM;7/6/2009 11:52:51 AM

wpills.info;62.42.136.234/pid=30937/setup.exe;7/6/2009 10:40:20 AM;7/6/2009 10:40:20 AM

of-best.ru/18;69.253.126.166/pid=30937/setup.exe;7/6/2009 2:52:16 AM;7/6/2009 2:52:16 AM

of-tube.ru/analnij;89.117.93.205/pid=30937/setup.exe;7/6/2009 2:03:01 AM;7/6/2009 2:03:01 AM

wpills.info;95.52.12.5/pid=30937/setup.exe;7/5/2009 12:11:51 PM;7/5/2009 12:11:51 PM

www.wpills.info;86.120.67.34/pid=30937/setup.exe;7/5/2009 12:11:51 PM;7/5/2009 12:11:51 PM

webshoulder.com;83.255.102.213/pid=30937/setup.exe;7/5/2009 10:59:27 AM;7/5/2009 10:59:27 AM

freese-x.net;64.252.251.203/pid=11640/type=videxp/setup.exe;7/5/2009 8:14:10 AM;7/5/2009 8:14:10 AM

www.bnmq.com;24.10.185.103/pid=30937/setup.exe;7/4/2009 11:54:59 AM;7/4/2009 11:54:59 AM

www.bnmq.com;86.63.248.5/pid=30937/setup.exe;7/4/2009 11:54:59 AM;7/4/2009 11:54:59 AM

wpills.info;82.234.15.92/pid=30937/setup.exe;7/4/2009 10:42:34 AM;7/4/2009 10:42:34 AM

tubemov.com;67.206.207.29/pid=11640/type=videxp/setup.exe;7/3/2009 10:47:25 PM;7/3/2009 10:47:25 PM

freese-x.net;76.254.150.45/pid=11640/type=videxp/setup.exe;7/3/2009 5:12:42 PM;7/3/2009 5:12:42 PM

wpills.info;98.238.203.81/pid=30937/setup.exe;7/3/2009 11:38:13 AM;7/3/2009 11:38:13 AM

www.wpills.info;76.204.18.251/pid=30937/setup.exe;7/3/2009 11:38:13 AM;7/3/2009 11:38:13 AM

tubemov.com;60.49.118.173/pid=11640/type=videxp/setup.exe;7/1/2009 10:49:50 PM;7/1/2009 10:49:50 PM

If you study those links in depth, you will find even more malware.

Virus Total Detection



Jerome Segura

Malware ID: b054ff88fdd28d41a27af2e8ee919b73.zip