NEWS FROM THE LAB - Wednesday, February 6, 2008

Spotted in the Wild: Rogue Microsoft Update Site Posted by Mikko @ 12:37 GMT

Watch out for this one. It's not the real Microsoft Update site.


Note the real URL (cfm48.com) and the spelling errors ("Please intall").

If you click the Urgent Install button, you'll get a file called WindowsUpdateAgent30-x86-x64.exe, which is not signed by Microsoft. (i.e. Click the button — Download a Trojan-Dropper.)
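As an added example that is not part of the original post, the check a defender would run on such a download: confirm that the executable carries a valid Authenticode signature and that the signer is Microsoft. The download path is assumed; the file name is the one from the post.

```powershell
# Added example (not from the original post): verify that a supposed Windows
# Update executable is validly signed AND that the signer is Microsoft.
function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than 'Valid' covers unsigned files (the case in this post),
    # broken or untrusted chains, and binaries modified after signing.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is '$($sig.Status)', expected 'Valid'"
        return $false
    }

    # A valid signature from some other publisher is still not Microsoft.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch 'O=Microsoft Corporation') {
        Write-Warning "$Path : signed by '$subject', not by Microsoft"
        return $false
    }

    return $true
}

# Placeholder path; point it at the file you actually downloaded.
Test-MicrosoftSigned -Path 'C:\Users\Public\Downloads\WindowsUpdateAgent30-x86-x64.exe'
```

A `$false` result means the file should not be run regardless of what the page that served it claimed.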

This is a fast flux site and uses a wide range of IP addresses.

The dropper is now detected as Trojan-Dropper:W32/Agent.DYD, and the dropped malware was already detected as Backdoor:W32/Agent.CVU; this is functionally the same as the earlier Backdoor:W32/Agent.CTH.