[nsp-sec] 130K+ Infected Ips on ~3600 ASNs
Stephen Gill
gillsr at cymru.com
Thu Oct 1 17:16:08 EDT 2009
We seem to have over 200 samples heading in that general direction. I guess
that makes sense considering the file infection properties it has. We're
once again back to the traditional days of virii, and file infectors are
doing rather well.
I can send you the full hash list if needed.
A couple of the URLs in question came from:
hxxp://hotshows.org/1.exe
hxxp://lmageshack.org/img/imgrav.jpg
Some files are also grabbed from rapidshare.
Some AV names:
TrojanDownloader.Pher.awe
Win32.HLLW.Lime.18
Win32/Injector.JJ
Another:
W32/CeeInject.C.gen!Eldorado
Trojan.Agent.ATV
Win32/Injector.PY
BScope.Dropper.Gen.15
One of the more complete sets from an older virus, scanned 09/07:
Vendor                       CC  Detection                                        Timestamp
Ahnlab                       KR  Win32/Boaxxe.worm.Gen                            2009-09-05 09:28:25
Alwil (avast)                CZ  Win32:Rimecud-B [Wrm]                            2009-09-07 01:36:26
Arcabit (arcavir)            PL  no_virus                                         2009-09-04 19:28:00
Authentium                   US  W32/Palevo.B                                     2009-09-06 18:32:07
Avira (antivir)              DE  TR/Crypt.ZPACK.Gen                               2009-09-06 13:03:12
BitDefender                  RO  Worm.P2P.Palevo.B                                2009-09-06 21:55:27
CA (E-Trust Vet)             US  no_virus                                         2009-09-05 01:57:12
CAT (quickheal)              IN  Worm.Silly                                       2009-09-05 16:08:50
Central Command (vexira)     US  Worm.Palevo.Gen!Pac                              2009-09-06 04:00:00
ClamAV                           no_virus                                         2009-09-06 09:41:03
CPsecure                     US  no_virus                                         2009-09-07 00:00:00
Cybersoft (vfind)            US  no_virus                                         2009-09-04 11:32:27
Dr. Web                      RU  Win32.HLLW.Lime.18                               2009-09-07 01:21:27
Eset (nod32)                 US  Win32/Injector.PT                                2009-09-06 19:18:16
Fortinet                     US  no_virus                                         2009-09-06 09:23:43
Frisk (f-prot)               IS  W32/Palevo.B                                     2009-09-06 19:12:04
F-Secure                     FI  Worm:W32/Palevo.gen!A P2P-Worm.Win32.Palevo.ann  2009-09-06 19:29:23
Grisoft (avg)                CZ  no_virus                                         2009-09-06 20:48:03
Hauri (virobot)              KR  no_virus                                         2009-09-04 14:49:01
Ikarus                       AT  P2P-Worm.Win32.Palevo                            2009-09-07 02:22:38
Kaspersky                    RU  P2P-Worm.Win32.Palevo.ann                        2009-09-07 02:01:52
Mcafee                       US  no_virus                                         2009-09-06 05:30:00
MicroWorld (escan)           IN  P2P-Worm.Win32.Palevo.ann                        2009-09-07 02:13:19
Norman                       NO  no_virus                                         2009-09-04 13:09:13
Panda                        ES  no_virus                                         2009-09-06 07:06:48
Rising                       CN  no_virus                                         2009-08-24 03:48:59
Securecomputing (webwasher)  US  Trojan.Crypt.ZPACK.Gen                           2009-09-06 12:29:19
Sophos                       GB  W32/Rimecud-A                                    2009-09-07 06:31:29
Symantec                     US  Trojan Horse                                     2009-09-06 08:00:00
TheHacker                    PE  no_virus                                         2009-09-03 22:55:39
Trend Micro                  JP  no_virus                                         2009-09-01 23:44:00
VirusBlokAda (vba32)         BY  BScope.Backdoor.SdBot.ofx                        2009-09-07 01:42:10
VirusBuster                  HU  Worm.Palevo.Gen!Pac                              2009-09-06 19:54:08
Hope that helps!
-- steve
On 10/1/09 12:56 PM, "Chris Calvert" <Chris.Calvert at telus.com> wrote:
> Any MD5 or SHA* hashes available for this malware? Other names? I'm not
> getting too far in researching this beyond what's on the Prevx site
>
> chris
>
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
>> bounces at puck.nether.net] On Behalf Of Stephen Gill
>> Sent: Thursday, October 01, 2009 11:48 AM
>> To: NSP-SEC List
>> Subject: [nsp-sec] 130K+ Infected Ips on ~3600 ASNs
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
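A small aggregator for the multi-engine scan report quoted in the message above, added here as an illustration; it is not code from the original post or from Team Cymru. It answers the three questions a responder usually asks of such a report: how many engines detect the sample, which family name the engines agree on once vendor prefixes are stripped, and which engines' verdicts are too old to trust. The report rows are copied from the message (the three wrapped rows re-joined onto single lines); the line format it parses (vendor, optional two-letter country code, one or more detection names or no_virus, then a timestamp), the GENERIC stop-list, the three-day staleness threshold and the single Rimecud-to-Palevo alias are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Report rows copied from the message above (wrapped rows re-joined).
REPORT = """\
Ahnlab KR Win32/Boaxxe.worm.Gen 2009-09-05 09:28:25
Alwil (avast) CZ Win32:Rimecud-B [Wrm] 2009-09-07 01:36:26
Arcabit (arcavir) PL no_virus 2009-09-04 19:28:00
Authentium US W32/Palevo.B 2009-09-06 18:32:07
Avira (antivir) DE TR/Crypt.ZPACK.Gen 2009-09-06 13:03:12
BitDefender RO Worm.P2P.Palevo.B 2009-09-06 21:55:27
CA (E-Trust Vet) US no_virus 2009-09-05 01:57:12
CAT (quickheal) IN Worm.Silly 2009-09-05 16:08:50
Central Command (vexira) US Worm.Palevo.Gen!Pac 2009-09-06 04:00:00
ClamAV no_virus 2009-09-06 09:41:03
CPsecure US no_virus 2009-09-07 00:00:00
Cybersoft (vfind) US no_virus 2009-09-04 11:32:27
Dr. Web RU Win32.HLLW.Lime.18 2009-09-07 01:21:27
Eset (nod32) US Win32/Injector.PT 2009-09-06 19:18:16
Fortinet US no_virus 2009-09-06 09:23:43
Frisk (f-prot) IS W32/Palevo.B 2009-09-06 19:12:04
F-Secure FI Worm:W32/Palevo.gen!A P2P-Worm.Win32.Palevo.ann 2009-09-06 19:29:23
Grisoft (avg) CZ no_virus 2009-09-06 20:48:03
Hauri (virobot) KR no_virus 2009-09-04 14:49:01
Ikarus AT P2P-Worm.Win32.Palevo 2009-09-07 02:22:38
Kaspersky RU P2P-Worm.Win32.Palevo.ann 2009-09-07 02:01:52
Mcafee US no_virus 2009-09-06 05:30:00
MicroWorld (escan) IN P2P-Worm.Win32.Palevo.ann 2009-09-07 02:13:19
Norman NO no_virus 2009-09-04 13:09:13
Panda ES no_virus 2009-09-06 07:06:48
Rising CN no_virus 2009-08-24 03:48:59
Securecomputing (webwasher) US Trojan.Crypt.ZPACK.Gen 2009-09-06 12:29:19
Sophos GB W32/Rimecud-A 2009-09-07 06:31:29
Symantec US Trojan Horse 2009-09-06 08:00:00
TheHacker PE no_virus 2009-09-03 22:55:39
Trend Micro JP no_virus 2009-09-01 23:44:00
VirusBlokAda (vba32) BY BScope.Backdoor.SdBot.ofx 2009-09-07 01:42:10
VirusBuster HU Worm.Palevo.Gen!Pac 2009-09-06 19:54:08
"""

LINE_RE = re.compile(r"^(?P<head>.+?) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")
CC_RE = re.compile(r"^[A-Z]{2}$")
# Platform / threat-type / heuristic tokens that are not family names (assumed stop-list).
GENERIC = {"win32", "w32", "worm", "p2p", "trojan", "tr", "gen", "pac", "wrm",
           "hllw", "backdoor", "crypt", "bscope", "horse"}
# Cross-vendor alias map; this single entry is an assumption of the example.
ALIASES = {"rimecud": "palevo"}


@dataclass
class Verdict:
    vendor: str
    country: Optional[str]
    names: List[str]          # detection-name tokens, or ["no_virus"]
    scanned: datetime

    @property
    def detected(self) -> bool:
        return self.names != ["no_virus"]


def parse_line(line: str) -> Verdict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised report line: {line!r}")
    tokens = m["head"].split()
    # Country code = rightmost bare two-letter uppercase token, never index 0
    # (so the vendor "CA" is not mistaken for one); ClamAV's row has none.
    cc = next((i for i in range(len(tokens) - 1, 0, -1) if CC_RE.match(tokens[i])), None)
    if cc is None:
        vendor, country, names = tokens[0], None, tokens[1:]
    else:
        vendor, country, names = " ".join(tokens[:cc]), tokens[cc], tokens[cc + 1:]
    return Verdict(vendor, country, names, datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))


def families(v: Verdict) -> set:
    """Family tokens of a verdict: drop platform/type words, digits and short variant suffixes."""
    if not v.detected:
        return set()
    fams = set()
    for tok in re.split(r"[^A-Za-z0-9]+", " ".join(v.names)):
        t = tok.lower()
        if len(t) <= 3 or t.isdigit() or t in GENERIC:
            continue
        fams.add(ALIASES.get(t, t))
    return fams


def summarize(report: str):
    verdicts = [parse_line(l) for l in report.splitlines() if l.strip()]
    detected = sum(v.detected for v in verdicts)
    consensus = Counter()
    for v in verdicts:
        consensus.update(families(v))   # each vendor counts once per family
    return verdicts, detected, consensus


def stale(verdicts, days: int = 3) -> List[str]:
    # Engines whose timestamp trails the newest by more than `days`; a no_virus
    # from such an engine says little about a sample first seen this week.
    newest = max(v.scanned for v in verdicts)
    return [v.vendor for v in verdicts if newest - v.scanned > timedelta(days=days)]
```

Run against the quoted report this gives 19 of 33 engines detecting, Palevo as the clear consensus family once Rimecud is folded into it, and Rising, TheHacker and Trend Micro flagged as stale, which is why their no_virus rows should not be read as a clean bill of health.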