CastleCops MIRT Reports

MIRT Reports :: [MIRT#4648] Trojan on wmvmedialease.com AS25525

tetak — Mon, 30 Jun 2008 16:01:40 -0500

Author: tetak
Subject: [MIRT#4648] Trojan on wmvmedialease.com AS25525
Posted: Mon Jun 30, 2008 9:01 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_malware4648.html

Changed status to confirmed malware.IP Converted: 85.92.138.151

dword = 1432128151
hex1 = 0x555c8a97
hex2 = 0x55.0x5c.0x8a.0x97
oct = 0125.0134.0212.0227
codec.exe at this location is malware known as Trojan:Win32/Vundo.gen!D (Microsoft).View CIDR AS25525 Report: http://www.cidr-report.org/cgi-bin/as-report?as=25525

"25525 | NL | ripencc | 2002-12-23 | REASONNET Reasonnet IP Networks - Autonomous System Number" 
Extended information for AS25525:
State/Province:
Country: nl
Responsible Domain: reasonnet.com
Abuse Email: abuse@reasonnet.com

Quote:

http://wmvmedialease.com/codec.php?aid=cj_11_2&v=v7&e=1

MIRT Reports :: [MIRT#4647] Trojan on 205.177.122.104 AS3491

tetak — Mon, 30 Jun 2008 15:58:50 -0500

Author: tetak
Subject: [MIRT#4647] Trojan on 205.177.122.104 AS3491
Posted: Mon Jun 30, 2008 8:58 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_malware4647.html

Changed status to confirmed malware.IP Converted: 205.177.122.104

dword = 3450960488
hex1 = 0xcdb17a68
hex2 = 0xcd.0xb1.0x7a.0x68
oct = 0315.0261.0172.0150
vZZnu2VLvD.exe at this location is malware known as Trojan:Win32/Busky.D (Microsoft).View CIDR AS3491 Report: http://www.cidr-report.org/cgi-bin/as-report?as=3491

"3491 | US | arin | 1994-03-21 | BTN-ASN - Beyond The Network America, Inc." 
Extended information for AS3491:
State/Province: va
Country: us
Responsible Domain: btnaccess.com
Abuse Email: jray@btnaccess.com

Quote:

http://205.177.122.104/PE/vZZnu2VLvD.exe

MIRT Reports :: [MIRT#4635] Trojan-Downloader on 209.120.242.82 AS6517

tetak — Mon, 30 Jun 2008 15:38:21 -0500

Author: tetak
Subject: [MIRT#4635] Trojan-Downloader on 209.120.242.82 AS6517
Posted: Mon Jun 30, 2008 8:38 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_Downloader_malware4635.html

Changed status to confirmed malware.IP Converted: 209.120.242.82

dword = 3514364498
hex1 = 0xd178f252
hex2 = 0xd1.0x78.0xf2.0x52
oct = 0321.0170.0362.0122
claro.exe at this location is malware known as TrojanDownloader:Win32/Banload (Microsoft).View CIDR AS6517 Report: http://www.cidr-report.org/cgi-bin/as-report?as=6517

"6517 | US | arin | 2000-04-13 | RELIANCEGLOBALCOM - Reliance Globalcom Services, Inc" 
Extended information for AS6517:
State/Province: ca
Country: us
Responsible Domain: yipes.com
Abuse Email: abuse@yipes.com

Quote:

http://209.120.242.82/index2.php?cod=claro

MIRT Reports :: [MIRT#4549] Trojan-Downloader on liveupdatesnet.com AS36445

tetak — Mon, 30 Jun 2008 15:12:48 -0500

Author: tetak
Subject: [MIRT#4549] Trojan-Downloader on liveupdatesnet.com AS36445
Posted: Mon Jun 30, 2008 8:12 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_Downloader_malware4549.html

Changed status to confirmed malware.IP Converted: 85.255.121.117

dword = 1442806133
hex1 = 0x55ff7975
hex2 = 0x55.0xff.0x79.0x75
oct = 0125.0377.0171.0165
loader.exe at this location is malware known as TrojanDownloader:Win32/VB (Microsoft).View CIDR AS36445 Report: http://www.cidr-report.org/cgi-bin/as-report?as=36445

"36445 | US | arin | 2006-01-05 | CERNEL-ASN - Cernel, Inc" 
Extended information for AS36445:
State/Province: ca
Country: us
Responsible Domain: cernel.net
Abuse Email: abuse@cernel.net

Quote:

http://liveupdatesnet.com/501/loader.exe

MIRT Reports :: [MIRT#4516] Exploit on search-biz.org AS27595

tetak — Mon, 30 Jun 2008 14:56:29 -0500

Author: tetak
Subject: [MIRT#4516] Exploit on search-biz.org AS27595
Posted: Mon Jun 30, 2008 7:56 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Exploit_malware4516.html

Changed status to confirmed malware.IP Converted: 85.255.117.213

dword = 1442805205
hex1 = 0x55ff75d5
hex2 = 0x55.0xff.0x75.0xd5
oct = 0125.0377.0165.0325
2.ani at this location is malware known as Exploit:Win32/Anicmoo.A (Microsoft).View CIDR AS27595 Report: http://www.cidr-report.org/cgi-bin/as-report?as=27595

"27595 | US | arin | 2003-04-07 | INTERCAGE - InterCage, Inc." 
Extended information for AS27595:
State/Province: ca
Country: us
Responsible Domain: atrivo.com
Abuse Email: abuse@atrivo.com

Quote:

http://search-biz.org/2.ani

MIRT Reports :: [MIRT#4515] Exploit on search-buy.info AS27595

tetak — Mon, 30 Jun 2008 14:48:29 -0500

Author: tetak
Subject: [MIRT#4515] Exploit on search-buy.info AS27595
Posted: Mon Jun 30, 2008 7:48 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Exploit_malware4515.html

Changed status to confirmed malware.IP Converted: 85.255.117.213

dword = 1442805205
hex1 = 0x55ff75d5
hex2 = 0x55.0xff.0x75.0xd5
oct = 0125.0377.0165.0325
cyber.wmf at this location is malware known as Exploit:Win32/Wmfap (Microsoft).View CIDR AS27595 Report: http://www.cidr-report.org/cgi-bin/as-report?as=27595

"27595 | US | arin | 2003-04-07 | INTERCAGE - InterCage, Inc." 
Extended information for AS27595:
State/Province: ca
Country: us
Responsible Domain: atrivo.com
Abuse Email: abuse@atrivo.com

Quote:

http://search-buy.info/cyber.wmf

MIRT Reports :: [MIRT#2810] Program on errorsafe.com AS16265

tetak — Sun, 29 Jun 2008 09:11:54 -0500

Author: tetak
Subject: [MIRT#2810] Program on errorsafe.com AS16265
Posted: Sun Jun 29, 2008 2:11 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Program_malware2810.html

Changed status to confirmed malware.IP Converted: 85.17.4.103

dword = 1427178599
hex1 = 0x55110467
hex2 = 0x55.0x11.0x4.0x67
oct = 0125.021.04.0147
ErrorSafeNewReleaseInstall.exe at this location is malware known as Program:Win32/Winfixer (Microsoft).View CIDR AS16265 Report: http://www.cidr-report.org/cgi-bin/as-report?as=16265

"16265 | NL | ripencc | 2001-12-20 | LEASEWEB LEASEWEB AS" 
Extended information for AS16265:
State/Province:
Country: nl
Responsible Domain: leaseweb.com
Abuse Email:

Quote:

http://errorsafe.com/download/2007/index.php?lid=infy&ax=1&ex=1&p=2&aid=indianit_rdt_us_en_ed2

MIRT Reports :: [MIRT#2621] Program on pcturbopro.com AS16265

tetak — Sun, 29 Jun 2008 08:54:37 -0500

Author: tetak
Subject: [MIRT#2621] Program on pcturbopro.com AS16265
Posted: Sun Jun 29, 2008 1:54 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Program_malware2621.html

Changed status to confirmed malware.IP Converted: 85.17.4.103

dword = 1427178599
hex1 = 0x55110467
hex2 = 0x55.0x11.0x4.0x67
oct = 0125.021.04.0147
PCTurboProInstallerFree.exe at this location is malware known as Program:Win32/Winfixer (Microsoft).View CIDR AS16265 Report: http://www.cidr-report.org/cgi-bin/as-report?as=16265

"16265 | NL | ripencc | 2001-12-20 | LEASEWEB LEASEWEB AS" 
Extended information for AS16265:
State/Province:
Country: nl
Responsible Domain: leaseweb.com
Abuse Email:

Quote:

http://pcturbopro.com/.download_now/index.php?lid=728mpl&ax=1&ex=1&p=13&hv=10&j=1&aid=drivehas_rdt_us_en_ed2

MIRT Reports :: [MIRT#2581] Trojan-Downloader on files.seriall.com AS8492

tetak — Sun, 29 Jun 2008 08:38:48 -0500

Author: tetak
Subject: [MIRT#2581] Trojan-Downloader on files.seriall.com AS8492
Posted: Sun Jun 29, 2008 1:38 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_Downloader_malware2581.html

Changed status to confirmed malware.IP Converted: 85.114.8.70

dword = 1433536582
hex1 = 0x55720846
hex2 = 0x55.0x72.0x8.0x46
oct = 0125.0162.010.0106
nero_key.exe at this location is malware known as TrojanDownloader:Win32/Matcash.F (Microsoft).View CIDR AS8492 Report: http://www.cidr-report.org/cgi-bin/as-report?as=8492

"8492 | RU | ripencc | 2005-02-17 | OBIT-AS Obit Telecommunications, St.Petersburg, Russia" 
Extended information for AS8492:
State/Province:
Country: fr
Responsible Domain: siris.fr
Abuse Email: postmaster@siris.fr

Quote:

http://files.seriall.com/seriall/nero_key.exe

MIRT Reports :: [MIRT#2548] Trojan-Downloader on ddm.tisnov.cz AS24971

tetak — Sun, 29 Jun 2008 08:30:23 -0500

Author: tetak
Subject: [MIRT#2548] Trojan-Downloader on ddm.tisnov.cz AS24971
Posted: Sun Jun 29, 2008 1:30 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_Downloader_malware2548.html

Consumed following related reports:

[2555] http://ddm.tisnov.cz/obrazky/terra/musicadedicada.scr
Changed status to confirmed malware.IP Converted: 89.185.240.15

dword = 1505357839
hex1 = 0x59b9f00f
hex2 = 0x59.0xb9.0xf0.0xf
oct = 0131.0271.0360.017
cartao632471.scr at this location is malware known as TrojanDownloader:Win32/Small (Microsoft).musicadedicada.scr at this location is malware known as TrojanDownloader:Win32/Small (Microsoft).View CIDR AS24971 Report: http://www.cidr-report.org/cgi-bin/as-report?as=24971

"24971 | CZ | ripencc | 2002-06-11 | MASTER-AS Master Internet s.r.o / Czech Republic / www.master.cz" 
Extended information for AS24971:
State/Province:
Country: cz
Responsible Domain: master.cz
Abuse Email: postmaster@master.cz

Quote:

http://ddm.tisnov.cz/obrazky/uol/cartao632471.scr

MIRT Reports :: [MIRT#2526] Trojan-Downloader on globobb7.smtp.ru AS6731

tetak — Sun, 29 Jun 2008 08:09:26 -0500

Author: tetak
Subject: [MIRT#2526] Trojan-Downloader on globobb7.smtp.ru AS6731
Posted: Sun Jun 29, 2008 1:09 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_Downloader_malware2526.html

Changed status to confirmed malware.IP Converted: 82.204.219.231

dword = 1389157351
hex1 = 0x52ccdbe7
hex2 = 0x52.0xcc.0xdb.0xe7
oct = 0122.0314.0333.0347
carolbb7.exe at this location is malware known as TrojanDownloader:Win32/Banload.DE (Microsoft).View CIDR AS6731 Report: http://www.cidr-report.org/cgi-bin/as-report?as=6731

"6731 | RU | ripencc | 1996-07-30 | COMSTAR-AS COMSTAR Telecommunications" 
Extended information for AS6731:
State/Province:
Country: ru
Responsible Domain: comstar.ru
Abuse Email: abuse@comstar.ru

Quote:

http://globobb7.smtp.ru/carolbb7.exe

MIRT Reports :: [MIRT#2312] Trojan-Spy on oya.ru AS30943

tetak — Sat, 28 Jun 2008 20:35:59 -0500

Author: tetak
Subject: [MIRT#2312] Trojan-Spy on oya.ru AS30943
Posted: Sun Jun 29, 2008 1:35 am (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_Spy_malware2312.html

Changed status to confirmed malware.IP Converted: 217.112.42.39

dword = 3648006695
hex1 = 0xd9702a27
hex2 = 0xd9.0x70.0x2a.0x27
oct = 0331.0160.052.047
update.exe at this location is malware known as TrojanSpy:Win32/Goldun (Microsoft).View CIDR AS30943 Report: http://www.cidr-report.org/cgi-bin/as-report?as=30943

"30943 | GB | ripencc | 2004-01-23 | UTRANSIT-AS Utransit International Carrier Limited" 
Extended information for AS30943:
State/Province:
Country:
Responsible Domain: utransit.net
Abuse Email: abuse@utransit.net
Generated and sent email malware alert to respective parties.

Quote:

http://oya.ru/vyhod/numizmat/ima/get.php?file=exe

MIRT Reports :: [MIRT#1943] Exploit on planetanim.com AS21409

tetak — Sat, 28 Jun 2008 19:33:52 -0500

Author: tetak
Subject: [MIRT#1943] Exploit on planetanim.com AS21409
Posted: Sun Jun 29, 2008 12:33 am (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Exploit_malware1943.html

Changed status to confirmed malware.IP Converted: 213.246.37.148

dword = 3589678484
hex1 = 0xd5f62594
hex2 = 0xd5.0xf6.0x25.0x94
oct = 0325.0366.045.0224
stats-global-daily-hosts.htm at this location is malware known as Exploit:JS/MS06014 (Microsoft).View CIDR AS21409 Report: http://www.cidr-report.org/cgi-bin/as-report?as=21409

"21409 | FR | ripencc | 2001-11-30 | IKOULA IKOULA European Backbone AS" 
Extended information for AS21409:
State/Province:
Country:
Responsible Domain: ikoula.com
Abuse Email: ikoula@ikoula.com

Quote:

http://www.planetanim.com/Openads-2.0.11/admin/stats-global-daily-hosts.htm

MIRT Reports :: [MIRT#12316] Trojan-Downloader on freewebtown.com AS36820

tetak — Sat, 28 Jun 2008 19:08:37 -0500

Author: tetak
Subject: [MIRT#12316] Trojan-Downloader on freewebtown.com AS36820
Posted: Sun Jun 29, 2008 12:08 am (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_Downloader_malware12316.html

Changed status to confirmed malware.IP Converted: 208.75.230.43

dword = 3494635051
hex1 = 0xd04be62b
hex2 = 0xd0.0x4b.0xe6.0x2b
oct = 0320.0113.0346.053
alteracao.com at this location is malware known as Trojan-Downloader.Win32.Banload.pqm (Kaspersky).View CIDR AS36820 Report: http://www.cidr-report.org/cgi-bin/as-report?as=36820

"36820 | US | arin | 2006-05-05 | TULIP-SYSTEMS-INC-HOSTING-55-MARIETTA-ATLANTA - TULIP SYSTEMS, INC." 
Extended information for AS36820:
State/Province: ga
Country: us
Responsible Domain: tulix.com
Abuse Email: kacer@tulix.com

Quote:

http://www.freewebtown.com/alteradasenha/hotmail/alteracao.com

MIRT Reports :: [MIRT#1411] Program on winsoftware.com AS22822

tetak — Sat, 28 Jun 2008 18:19:35 -0500

Author: tetak
Subject: [MIRT#1411] Program on winsoftware.com AS22822
Posted: Sat Jun 28, 2008 11:19 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Program_malware1411.html

Changed status to confirmed malware.IP Converted: 208.111.153.244

dword = 3496974836
hex1 = 0xd06f99f4
hex2 = 0xd0.0x6f.0x99.0xf4
oct = 0320.0157.0231.0364
WinAntiVirusPro2007Install.exe at this location is malware known as Program:Win32/Winfixer (Microsoft).View CIDR AS22822 Report: http://www.cidr-report.org/cgi-bin/as-report?as=22822

"22822 | US | arin | 2001-11-28 | LLNW - Limelight Networks, Inc." 
Extended information for AS22822:
State/Province: az
Country: us
Responsible Domain: limelightnetworks.com
Abuse Email: abuse@limelightnetworks.com

Quote:

http://download.cdn.winsoftware.com/files/installers/WinAntiVirusPro2007Install.exe

MIRT Reports :: [MIRT#14098] Trojan-Dropper on franjerplast.it AS44029

tetak — Sat, 28 Jun 2008 16:52:40 -0500

Author: tetak
Subject: [MIRT#14098] Trojan-Dropper on franjerplast.it AS44029
Posted: Sat Jun 28, 2008 9:52 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_Dropper_malware14098.html

Consumed following related reports:

[14168] http://www.franjerplast.it/r.html
Changed status to confirmed malware.IP Converted: 80.88.81.40

dword = 1347965224
hex1 = 0x50585128
hex2 = 0x50.0x58.0x51.0x28
oct = 0120.0130.0121.050
video1.exe at this location is malware known as TrojanDropper:Win32/Nuwar.gen!ldt (Microsoft).View CIDR AS44029 Report: http://www.cidr-report.org/cgi-bin/as-report?as=44029

"44029 | IT | ripencc | 2007-11-07 | WIDESTORE-ASN Widestore S.R.L." 
Extended information for AS44029:
State/Province:
Country:
Responsible Domain:
Abuse Email:

Quote:

http://www.franjerplast.it/video1.exe

MIRT Reports :: [MIRT#14094] Trojan-Dropper on dimagine.co.za AS21844

tetak — Sat, 28 Jun 2008 16:48:44 -0500

Author: tetak
Subject: [MIRT#14094] Trojan-Dropper on dimagine.co.za AS21844
Posted: Sat Jun 28, 2008 9:48 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_Dropper_malware14094.html

Changed status to confirmed malware.IP Converted: 67.18.107.21

dword = 1125280533
hex1 = 0x43126b15
hex2 = 0x43.0x12.0x6b.0x15
oct = 0103.022.0153.025
install_en.exe at this location is malware known as TrojanDropper:Win32/Nuwar.gen!ldt (Microsoft).View CIDR AS21844 Report: http://www.cidr-report.org/cgi-bin/as-report?as=21844

"21844 | US | arin | 2001-06-29 | THEPLANET-AS - ThePlanet.com Internet Services, Inc." 
Extended information for AS21844:
State/Province: tx
Country: us
Responsible Domain: theplanet.com
Abuse Email: abuse@theplanet.com

Quote:

http://dimagine.co.za/2009/1/install_en.exe

MIRT Reports :: [MIRT#13741] Trojan-Dropper on rine-exe.de AS39023

tetak — Sat, 28 Jun 2008 16:46:10 -0500

Author: tetak
Subject: [MIRT#13741] Trojan-Dropper on rine-exe.de AS39023
Posted: Sat Jun 28, 2008 9:46 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_Dropper_malware13741.html

Consumed following related reports:

[13744] http://www.rine-exe.de/video.exe
[13784] http://www.rine-exe.de/r.html
Changed status to confirmed malware.IP Converted: 195.225.106.94

dword = 3286329950
hex1 = 0xc3e16a5e
hex2 = 0xc3.0xe1.0x6a.0x5e
oct = 0303.0341.0152.0136
video1.exe at this location is malware known as TrojanDropper:Win32/Nuwar.gen!ldt (Microsoft).View CIDR AS39023 Report: http://www.cidr-report.org/cgi-bin/as-report?as=39023

"39023 | DE | ripencc | 2005-11-30 | IU-AS InternetUniversum GmbH" 
Extended information for AS39023:
State/Province:
Country: de
Responsible Domain: internetuniversum.de
Abuse Email: hostmaster@internetuniversum.de

Quote:

http://www.rine-exe.de/video1.exe

MIRT Reports :: [MIRT#13969] Trojan-Downloader on ivipvideos.pisem.su AS6731

tetak — Sat, 28 Jun 2008 16:29:33 -0500

Author: tetak
Subject: [MIRT#13969] Trojan-Downloader on ivipvideos.pisem.su AS6731
Posted: Sat Jun 28, 2008 9:29 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_Downloader_malware13969.html

Changed status to confirmed malware.IP Converted: 82.204.219.235

dword = 1389157355
hex1 = 0x52ccdbeb
hex2 = 0x52.0xcc.0xdb.0xeb
oct = 0122.0314.0333.0353
videos_237.com at this location is malware known as Trojan-Downloader.Win32.Delf.jkz (Kaspersky).View CIDR AS6731 Report: http://www.cidr-report.org/cgi-bin/as-report?as=6731

"6731 | RU | ripencc | 1996-07-30 | COMSTAR-AS COMSTAR Telecommunications" 
Extended information for AS6731:
State/Province:
Country: ru
Responsible Domain: comstar.ru
Abuse Email: abuse@comstar.ru

Quote:

http://ivipvideos.pisem.su/videos_237.com

MIRT Reports :: [MIRT#13815] Trojan on mailer1.key-one.it AS3242

tetak — Sat, 28 Jun 2008 16:25:10 -0500

Author: tetak
Subject: [MIRT#13815] Trojan on mailer1.key-one.it AS3242
Posted: Sat Jun 28, 2008 9:25 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_malware13815.html

Consumed following related reports:

[14077] http://mailer1.key-one.it/gif/postcard.gif.exe
Changed status to confirmed malware.IP Converted: 151.1.216.26

dword = 2533480474
hex1 = 0x9701d81a
hex2 = 0x97.0x1.0xd8.0x1a
oct = 0227.01.0330.032
postcard.gif.exe at this location is malware known as Trojan:IRC/Flood.BF (Microsoft).View CIDR AS3242 Report: http://www.cidr-report.org/cgi-bin/as-report?as=3242

"3242 | EU | ripencc | 1994-07-28 | ASN-ITNET" 
Extended information for AS3242:
State/Province:
Country:
Responsible Domain: it.net
Abuse Email: security@it.net

Quote:

http://mailer1.key-one.it/postcard.gif.exe

MIRT Reports :: [MIRT#13807] Trojan-Dropper on max-graf.com.pl AS12741

tetak — Sat, 28 Jun 2008 16:22:13 -0500

Author: tetak
Subject: [MIRT#13807] Trojan-Dropper on max-graf.com.pl AS12741
Posted: Sat Jun 28, 2008 9:22 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_Dropper_malware13807.html

Consumed following related reports:

[13849] http://max-graf.com.pl/video1.exe
[13982] http://max-graf.com.pl/r.html
Changed status to confirmed malware.IP Converted: 81.219.17.6

dword = 1373311238
hex1 = 0x51db1106
hex2 = 0x51.0xdb.0x11.0x6
oct = 0121.0333.021.06
video.exe at this location is malware known as TrojanDropper:Win32/Nuwar.gen!ldt (Microsoft).View CIDR AS12741 Report: http://www.cidr-report.org/cgi-bin/as-report?as=12741

"12741 | PL | ripencc | 1999-10-21 | INTERNETIA-AS Netia SA" 
Extended information for AS12741:
State/Province:
Country: pl
Responsible Domain: inetia.pl
Abuse Email: abuse@inetia.pl

Quote:

http://max-graf.com.pl/video.exe

MIRT Reports :: [MIRT#13796] Trojan-Dropper on dj-samy.fr AS35830

tetak — Sat, 28 Jun 2008 16:18:16 -0500

Author: tetak
Subject: [MIRT#13796] Trojan-Dropper on dj-samy.fr AS35830
Posted: Sat Jun 28, 2008 9:18 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_Dropper_malware13796.html

Consumed following related reports:

[13808] http://dj-samy.fr/video.exe
Changed status to confirmed malware.IP Converted: 193.37.145.41

dword = 3240464681
hex1 = 0xc1259129
hex2 = 0xc1.0x25.0x91.0x29
oct = 0301.045.0221.051
video1.exe at this location is malware known as TrojanDropper:Win32/Nuwar.gen!ldt (Microsoft).video.exe at this location is malware known as TrojanDropper:Win32/Nuwar.gen!ldt (Microsoft).View CIDR AS35830 Report: http://www.cidr-report.org/cgi-bin/as-report?as=35830

"35830 | FR | ripencc | 2005-11-09 | SIVIT-AS SIVIT Network - http://www.sivit.net/" 
Extended information for AS35830:
State/Province:
Country: fr
Responsible Domain: sivit.fr
Abuse Email: gregory@sivit.fr

Quote:

http://dj-samy.fr/video1.exe

MIRT Reports :: [MIRT#13786] Trojan on IceMan.ro AS30976

tetak — Sat, 28 Jun 2008 16:11:22 -0500

Author: tetak
Subject: [MIRT#13786] Trojan on IceMan.ro AS30976
Posted: Sat Jun 28, 2008 9:11 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_malware13786.html

Changed status to confirmed malware.IP Converted: 85.204.4.215

dword = 1439433943
hex1 = 0x55cc04d7
hex2 = 0x55.0xcc.0x4.0xd7
oct = 0125.0314.04.0327
hallmark.gif.exe at this location is malware known as Trojan:Win32/Zapchast (Microsoft).View CIDR AS30976 Report: http://www.cidr-report.org/cgi-bin/as-report?as=30976

"30976 | RO | ripencc | 2004-02-02 | IT4WEB IT4WEB S.R.L." 
Extended information for AS30976:
State/Province:
Country: ro
Responsible Domain: it4web.ro
Abuse Email: zozo@it4web.ro

Quote:

http://IceMan.ro/hallmark.gif.exe

MIRT Reports :: [MIRT#14144] Trojan-Dropper on energical.com AS16276

tetak — Sat, 28 Jun 2008 08:40:23 -0500

Author: tetak
Subject: [MIRT#14144] Trojan-Dropper on energical.com AS16276
Posted: Sat Jun 28, 2008 1:40 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_Dropper_malware14144.html

Consumed following related reports:

[14163] http://energical.com/video.exe
Changed status to confirmed malware.IP Converted: 91.121.105.199

dword = 1534683591
hex1 = 0x5b7969c7
hex2 = 0x5b.0x79.0x69.0xc7
oct = 0133.0171.0151.0307
video1.exe at this location is malware known as TrojanDropper:Win32/Nuwar.gen!ldt (Microsoft).View CIDR AS16276 Report: http://www.cidr-report.org/cgi-bin/as-report?as=16276

"16276 | FR | ripencc | 2001-02-15 | OVH OVH" 
Extended information for AS16276:
State/Province:
Country:
Responsible Domain: ovh.net
Abuse Email: abuse@ovh.net
Generated and sent email malware alert to respective parties.

Quote:

http://energical.com/video1.exe

MIRT Reports :: [MIRT#13677] Trojan on personales.ya.com AS20838

tetak — Sat, 28 Jun 2008 08:08:42 -0500

Author: tetak
Subject: [MIRT#13677] Trojan on personales.ya.com AS20838
Posted: Sat Jun 28, 2008 1:08 pm (GMT 0)

Malware Alert

Full Report: http://www.castlecops.com/Trojan_malware13677.html

Changed status to confirmed malware.IP Converted: 62.151.4.22

dword = 1050084374
hex1 = 0x3e970416
hex2 = 0x3e.0x97.0x4.0x16
oct = 076.0227.04.026
greeting.gif.exe at this location is malware known as Trojan:Win32/Zapchast (Microsoft).View CIDR AS20838 Report: http://www.cidr-report.org/cgi-bin/as-report?as=20838

"20838 | ES | ripencc | 2001-06-12 | YIF-AS YIF Autonomous System" 
Extended information for AS20838:
State/Province:
Country: es
Responsible Domain: corp.ya.com
Abuse Email: postmaster@ya.com

Quote:

http://personales.ya.com/q1w2/greeting.gif.exe