NEWS FROM THE LAB - Wednesday, November 8, 2006

Case Wikipedia Posted by Mikko @ 12:01 GMT

Two days ago, the German version of Wikipedia was targeted in an attack where the encyclopedia entry for the Blaster worm was modified to include download links for a fake patch. If you followed the links and installed the patch, you got hit with a trojan instead.

The official Wikipedia pages (and archives) were cleaned quickly. But now some clown is mailing around German language e-mails with the following content:


If you follow the links in the e-mail, you'll end up on a Wikipedia lookalike page at "wikipedia-download.org", which is actually running on a server named "h4serv.webhostingoutsourcing.com".

The page has several download links for patches (although they all download the same file):


Interestingly, the download (which we block as Trojan-Dropper.Win32.Small.atq) actually installs the original patch from Microsoft - and then drops a trojan. Nice.

The rogue domain "wikipedia-download.org" has nothing to do with the real Wikipedia. However, it has been registered with exactly the same registration information as the real wikipedia.org domain.


While the real Wikipedia is registered to St. Petersburg, Florida in the USA, the IP address of the fake site is located in St. Petersburg, Russia.