[nsp-sec] Attn SoftLayer (AS36351) - Rimecud URL hosted
Nicholas Ianelli
ni at centergate.net
Tue Jan 11 17:38:02 EST 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Proxy ACK
On 1/11/2011 2:36 AM, Carol Overes wrote:
> ----------- nsp-security Confidential --------
>
> All,
>
> The following URL hosts a Rimecud/Yimfoca binary:
>
> hxxp://mochachino1.com/profile.php?=
>
> AS    | IP             | BGP Prefix     | CC | Registry | Allocated  | AS Name
> 36351 | 208.43.112.232 | 208.43.64.0/18 | US | arin     | 2008-04-22 | SOFTLAYER - SoftLayer Technologies Inc.
>
> The hosted binary changes frequently. Latest seen MD5:
>
> Detection rate for f5962ec74b0cc66fa96c5042d39eaeda (represents
> detection rate of the other MD5's):
> http://www.virustotal.com/file-scan/report.html?id=55153fdcfc679c02e7579f82ebf262b9c0d55b78f9e2b84bd829d3677b1a1d48-1294654865
>
> The malware is spread via instant messengers.
>
> Kind regards,
>
> Carol Overes
> Incident Handling and Threat Analyst
> Technology
>
> Emirates Integrated Telecommunications Company, PJSC
> P.O. Box 502666, Dubai, U.A.E.
>
> Mobile +971558486469
>
> http://www.du.ae/
- --
Nicholas Ianelli: Neustar, Inc.
Security Operations
46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
iEYEARECAAYFAk0s28oACgkQi10dJIBjZIAUGgCgzyz08hRSfctnEbUqMeOFQFkN
pv8AoOKxo0PTteOSYS6+xhGYrjc8rxOC
=WaiV
-----END PGP SIGNATURE-----