[nsp-sec] windows-update.lensworks.org - AS29671

Brian Allen ballen at wustl.edu
Mon Jun 23 17:07:13 EDT 2008


All-

I came across a phish which tries to infect machines with the following
Trojan.  This got my attention because we use Ironport as our main
campus mailserver and they are usually very good at identifying spam and
stopping malware.  This phish didn't get labeled so I investigated it.
The subject was "Windows Update Critical Security Update for Microsoft
Windows (KB946026)".

hxxp://windows-update lensworks org/cache/WINDOWS-KB946026-X86-ENU.exe

AS      | IP               | AS Name
29671   | 77.232.68.88     | SERVAGE Servage GmbH

One of the executables in this RAR is wupdmgr.exe which was identified
by only 9 AV companies:

Antivirus          Version         Last Update   Result
AhnLab-V3          2008.6.24.0     2008.06.23    Win-Trojan/3proxy.23552
AntiVir            7.8.0.59        2008.06.23    SPR/Dubrovin.A
F-Secure           7.60.13501.0    2008.06.20    Server-Proxy.Win32.3proxy.h
Fortinet           3.14.0.0        2008.06.23    Misc/3proxy
Ikarus             T3.1.1.26.0     2008.06.23    not-a-virus:Server-Proxy.Win32.3proxy.h
Kaspersky          7.0.0.125       2008.06.23    not-a-virus:Server-Proxy.Win32.3proxy.h
Panda              9.0.0.4         2008.06.23    Suspicious file
Rising             20.50.02.00     2008.06.23    Trojan.Proxy.Win32.Agent.baj
Webwasher-Gateway  6.6.2           2008.06.23    Riskware.Dubrovin.A

The phish email came from:

Received: from ssh45.edu.ro (HELO licee.edu.ro) ([193.231.32.45])

AS      | IP               | AS Name
2614    | 193.231.32.45    | ROEDUNET Romanian Education Network

What kind of Romanian Education Network are they talking about?  Maybe
we should get them in REN-ISAC? ;-)

The link was still active when I wrote this.  Let me know if you want a
copy.

Thanks,
Brian Allen
Network Security Analyst
Washington University
