[nsp-sec] ACK 174 RE: windows-update.lensworks.org - AS29671

Shelton, Steve sshelton at Cogentco.com
Tue Jun 24 10:20:01 EDT 2008


Brian,

ACK, thanks. The malware residing at AS29671 |
windows-update.lensworks.org [77.232.68.88] was removed a short while
ago.

Maybe someone a bit closer to the email source can ACK or proxy for
AS2614 | 193.231.32.45.

Steve Shelton
Network Security Engineer
Cogent Communications



-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Brian Allen
Sent: Monday, June 23, 2008 5:07 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] windows-update.lensworks.org - AS29671

----------- nsp-security Confidential --------

All-

I came across a phish which tries to infect machines with the following
Trojan.  This got my attention because we use Ironport as our main
campus mailserver and they are usually very good at identifying spam and
stopping malware.  This phish didn't get labeled so I investigated it.
The subject was "Windows Update Critical Security Update for Microsoft
Windows (KB946026)".

hxxp://windows-update lensworks org/cache/WINDOWS-KB946026-X86-ENU.exe

AS      | IP               | AS Name
29671   | 77.232.68.88     | SERVAGE Servage GmbH

One of the executables in this RAR is wupdmgr.exe which was identified
by only 9 AV companies:

Antivirus          Version         Last Update   Result
AhnLab-V3          2008.6.24.0     2008.06.23    Win-Trojan/3proxy.23552
AntiVir            7.8.0.59        2008.06.23    SPR/Dubrovin.A
F-Secure           7.60.13501.0    2008.06.20    Server-Proxy.Win32.3proxy.h
Fortinet           3.14.0.0        2008.06.23    Misc/3proxy
Ikarus             T3.1.1.26.0     2008.06.23    not-a-virus:Server-Proxy.Win32.3proxy.h
Kaspersky          7.0.0.125       2008.06.23    not-a-virus:Server-Proxy.Win32.3proxy.h
Panda              9.0.0.4         2008.06.23    Suspicious file
Rising             20.50.02.00     2008.06.23    Trojan.Proxy.Win32.Agent.baj
Webwasher-Gateway  6.6.2           2008.06.23    Riskware.Dubrovin.A

The phish email came from:

Received: from ssh45.edu.ro (HELO licee.edu.ro) ([193.231.32.45])

AS      | IP               | AS Name
2614    | 193.231.32.45    | ROEDUNET Romanian Education Network

What kind of Romanian Education Network are they talking about?  Maybe
we should get them in REN-ISAC? ;-)

The link was still active when I wrote this.  Let me know if you want a
copy.

Thanks,
Brian Allen
Network Security Analyst
Washington University



_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
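Added example (not part of the thread, and not code from either poster): a small triage script that does the two things Brian did by hand. It parses the origin-most Received: header to recover the sending IP, HELO name and reverse-DNS name (both the qmail-style "from RDNS (HELO NAME) ([IP])" form quoted above and the sendmail/postfix "from NAME (RDNS [IP])" form), and it scans the body for links that borrow the Windows Update brand in a hostname outside Microsoft's domains and point straight at an executable or archive. The sample message is constructed to mirror the header line and URL quoted in the thread; the trusted-domain list, brand keywords and suffix list are assumptions to tune for your own environment.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumed allow-list: hosts Microsoft itself serves updates from.  Any other
# hostname that borrows the brand is treated as a lookalike.
TRUSTED_UPDATE_DOMAINS = ("microsoft.com", "windowsupdate.com")
BRAND_WORDS = ("windows-update", "windowsupdate", "microsoft", "msupdate")
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".rar", ".zip")

# Received: header pieces.
#   qmail-style:             from RDNS (HELO NAME) ([IP])
#   sendmail/postfix-style:  from NAME (RDNS [IP])
FROM_RE = re.compile(r"\bfrom\s+(?P<name>[^\s()]+)", re.I)
HELO_RE = re.compile(r"\(HELO\s+(?P<helo>[^)\s]+)\)", re.I)
PAREN_RDNS_RE = re.compile(r"\((?P<rdns>[^\s()\[]+)\s+\[")
IP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
KB_RE = re.compile(r"\bKB\d{6}\b")

# Constructed sample, modelled on the header and URL quoted in the thread.
SAMPLE_MAIL = """\
Received: from ssh45.edu.ro (HELO licee.edu.ro) ([193.231.32.45])
  by mail.example.edu with SMTP; Mon, 23 Jun 2008 16:02:11 -0500
From: "Microsoft Update" <update@example.invalid>
Subject: Windows Update Critical Security Update for Microsoft Windows (KB946026)

Download and install: http://windows-update.lensworks.org/cache/WINDOWS-KB946026-X86-ENU.exe
"""


def parse_received(value):
    """Pull helo / rdns / ip out of one Received: header value, or None."""
    m_from = FROM_RE.search(value)
    if not m_from:
        return None
    name = m_from.group("name")
    m_ip = IP_RE.search(value)
    m_helo = HELO_RE.search(value)
    m_paren = PAREN_RDNS_RE.search(value)
    if m_helo:            # qmail: first token is the reverse-DNS name
        helo, rdns = m_helo.group("helo"), name
    elif m_paren:         # sendmail/postfix: first token is the HELO name
        helo, rdns = name, m_paren.group("rdns")
    else:
        helo, rdns = name, None
    return {"helo": helo.lower(),
            "rdns": rdns.lower() if rdns else None,
            "ip": m_ip.group("ip") if m_ip else None}


def origin_hop(raw_mail):
    """Received: headers are prepended on each hop, so the last one is the origin."""
    msg = message_from_string(raw_mail)
    for value in reversed(msg.get_all("Received") or []):
        hop = parse_received(value)
        if hop:
            return hop
    return None


def body_text(msg):
    """Concatenate the decoded text/* parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True)
            if payload is not None:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def is_under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url):
    """Reasons a link looks like a fake-update lure; an empty list means nothing noteworthy."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if any(w in host for w in BRAND_WORDS) and not is_under(host, TRUSTED_UPDATE_DOMAINS):
        reasons.append("lookalike host")
    if parts.path.lower().endswith(EXEC_SUFFIXES):
        reasons.append("direct executable")
    return reasons


def assess(raw_mail):
    """Origin hop plus every flagged link; kb_lure marks the KBnnnnnn-subject + executable combination."""
    msg = message_from_string(raw_mail)
    flagged = [(u, classify_url(u)) for u in URL_RE.findall(body_text(msg))]
    flagged = [(u, r) for u, r in flagged if r]
    return {
        "origin": origin_hop(raw_mail),
        "suspicious_urls": flagged,
        "kb_lure": bool(KB_RE.search(msg.get("Subject", "")))
                   and any("direct executable" in r for _, r in flagged),
    }


if __name__ == "__main__":
    for key, val in assess(SAMPLE_MAIL).items():
        print(f"{key}: {val}")
```

The origin IP is what you hand to the upstream AS contact (the 193.231.32.45 / AS2614 ask in the thread); the HELO and reverse-DNS names are worth keeping side by side because a compromised host often introduces itself with a name that is not the one its address resolves to. The URL heuristic is deliberately narrow: a brand word in a hostname outside the vendor's own domains, combined with a link that lands directly on an executable, is the signature of this lure and will not fire on a genuine Microsoft download page.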