[nsp-sec] Anyone in China? Virusfiles hosted at youryearcard.com (multiple AS) Mal/WaledPak-A(Sophos)

Veronika Berglund veronika.berglund at cert.sunet.se
Thu Jan 15 03:29:02 EST 2009


Hello,
youryearcard.com seems to be a nasty piece of domain, hosting viruses.
We've been getting the "Robert has sent you a greeting card"-type of e-mails 
with an included file "card.exe" (scanned as Sophos Mal/WaledPak-A) and a 
download link.
Snipped from actual e-mail (headers available):
>>Robert created a ecard.
>>Collect Your E-card here: http://youryearcard.com/?id=4e 28ce089c112
>>Webmaster, Cardweaver.com

The domain itself seems to move around a bit - would be nice to have it 
removed.
Right now it points to:

Thanks,
Veronika
SUNET CERT
veronika.berglund at cert.sunet.se
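The report above shows one name resolving to addresses in dozens of unrelated autonomous systems, the classic sign of a flux-hosted domain. The following is an added example, not part of the original post or any SUNET CERT tooling: it parses resolver output in the same "AS | IP | AS name" layout the e-mail uses, drops duplicate lines, and flags names whose A records spread across an unusually high number of ASNs. The sample records are constructed from documentation IP ranges and private AS numbers, not the real indicators.

```python
"""Added example (not from the original post): flag a name whose A records
spread across many autonomous systems. Input mirrors the "AS | IP | name"
lines in the e-mail; the sample below is constructed, not the real IOCs."""
import re
from collections import defaultdict

# Accepts both "AS 4134 | ip | name" and "4134 | ip | name" forms.
LINE_RE = re.compile(r"^\s*(?:AS\s*)?(\d+)\s*\|\s*([0-9.]+)\s*\|\s*(.*?)\s*$")

def parse_resolutions(text):
    """Return a list of (asn, ip, asname) tuples, dropping duplicate lines."""
    seen, records = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip "Name:", "Addresses:" and blank lines
        asn, ip, name = int(m.group(1)), m.group(2), m.group(3)
        if (asn, ip) in seen:
            continue
        seen.add((asn, ip))
        records.append((asn, ip, name))
    return records

def flux_summary(records, min_asns=5):
    """Summarise AS spread; many distinct ASNs behind one name suggests
    hosting on scattered compromised hosts rather than a real web server."""
    per_as = defaultdict(set)
    for asn, ip, _ in records:
        per_as[asn].add(ip)
    return {
        "ips": len(records),
        "asns": len(per_as),
        "max_ips_per_asn": max((len(v) for v in per_as.values()), default=0),
        "suspect": len(per_as) >= min_asns,
    }

# Constructed sample in the e-mail's format (documentation ranges, private ASNs).
SAMPLE = """Name: example.invalid
Addresses:
AS 64496 | 192.0.2.10 | EXAMPLE-NET-1
64497 | 198.51.100.7 | EXAMPLE-NET-2
64497 | 198.51.100.7 | EXAMPLE-NET-2
64498 | 203.0.113.44 | EXAMPLE-NET-3
64499 | 192.0.2.200 | EXAMPLE-NET-4
64500 | 203.0.113.9 | EXAMPLE-NET-5
64496 | 192.0.2.11 | EXAMPLE-NET-1
"""
```

The `min_asns` threshold is a tuning knob: legitimate CDNs also spread across several ASNs, so pair the AS count with the mix of residential and broadband networks seen in the names before acting on a hit.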