After spreading Koobface, time to move on to male enhancement pills
Posted by: Timothy Weaver on 08/26/2013 03:38 PM
Ronald F Guilmette, an independent security researcher, has uncovered a strong connection between the EvaPharmacy group, which infected machines in a testing lab at Redmond three years ago, and at least one of the people behind the infamous Koobface worm.
EvaPharmacy is in the business of sending spam to hawk counterfeit Viagra pills.
"EvaPharmacy is, and has been for many years now, one of the largest if not THE largest spamming enterprise in the known universe, pumping out more spam, month after month, than any other single individual, group, or enterprise on the net," Guilmette said.
Spamtrackers.eu, which has been tracking EvaPharmacy for some time, associates the domain name checkoutpharamcysafe.com with EvaPharmacy. WHOIS records give the owner of checkoutpharamcysafe.com as "Andrey Polev".
A detailed analysis of clues relating to the Koobface worm by security researcher Jago Maniscalchi provides evidence that various domains alleged to have been connected to Koobface were registered under a variety of similar names: Andrei Polev, Andrej Polev or Aleksandr Polev.
"These matchups, of (a) the registrant name and also (b) the contact phone number and (c) the street address and zip code are _not_ mere coincidences, in my opinion," Guilmette concludes.
"Rather, they appear to point rather unambiguously to a link, at the very least, between the Koobface gang and the EvaPharmacy gang. Maybe Koobface *is* EvaPharmacy and vice-versa. I don't really know."