Author Topic: Beware Fake Windows Update Sites!!!  (Read 6228 times)

Broni
« on: February 07, 2008, 07:16:25 PM »
http://www.pcmag.com/article2/0,2817,2256892,00.asp

F-Secure has identified a fairly convincing fake Microsoft Update site.

The site has the superficial look of Microsoft Update, but has one prominent button and a message urging the user to "Get critical update (obligatory)". Another message says "URGENT: Please intall critical Windows XP/2000/2003/Vista update!" Note the misspelled "intall".

The real domain of the site is cfm48.com, which is still up, but no longer serving this page. The domain is registered to an individual in California. There is no indication that he is involved or if the site was compromised, but F-Secure says the site is in a "fast flux network," meaning that the IP address for the domain changes rapidly. The DNS administration of the site would have to be completely compromised.

Click on the button, according to F-Secure, and you get a file named WindowsUpdateAgent30-x86-x64.exe. This is a "dropper," identified by F-Secure as Trojan-Dropper:W32/Agent.DYD, which then drops the real malware, identified as Backdoor:W32/Agent.CVU.
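
Added example, not part of the original post or of the F-Secure/PCMag report: a defender-side check that flags domains showing the "fast flux" pattern described above (A records that rotate quickly) in passive-DNS or resolver logs. The record layout, the `.example` domains, the sample IPs and all thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed passive-DNS observations: (unix_time, domain, A-record IP, TTL seconds).
SAMPLE = [
    (0, "static.example", "10.9.0.10", 3600),
    (600, "static.example", "10.9.0.10", 3600),
    (1200, "static.example", "10.9.0.11", 3600),
    (0, "flux.example", "10.1.4.7", 120),
    (180, "flux.example", "10.22.8.1", 120),
    (360, "flux.example", "10.35.0.9", 180),
    (540, "flux.example", "10.47.3.3", 120),
    (720, "flux.example", "10.58.1.2", 60),
    (900, "flux.example", "10.63.9.9", 120),
]

def fast_flux_candidates(records, window=3600, min_ips=5, min_nets=4, max_ttl=300):
    """Return {domain: (distinct IPs, distinct /16s, median TTL)} for domains whose
    answers rotate across many networks with short TTLs inside one sliding window.
    All thresholds are illustrative assumptions, not values from the report."""
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in records:
        by_domain[domain.lower().rstrip(".")].append((ts, ip, ttl))
    flagged = {}
    for domain, obs in by_domain.items():
        obs.sort()
        start = 0
        for end in range(len(obs)):
            # Shrink the window until it spans at most `window` seconds.
            while obs[end][0] - obs[start][0] > window:
                start += 1
            win = obs[start:end + 1]
            ips = {ip for _, ip, _ in win}
            # /16 prefix as a rough stand-in for "different networks".
            nets = {".".join(ip.split(".")[:2]) for ip in ips}
            ttl = median(t for _, _, t in win)
            if len(ips) >= min_ips and len(nets) >= min_nets and ttl <= max_ttl:
                # Keep the window with the most distinct IPs per domain.
                if len(ips) > flagged.get(domain, (0, 0, 0))[0]:
                    flagged[domain] = (len(ips), len(nets), ttl)
    return flagged

if __name__ == "__main__":
    for domain, (ips, nets, ttl) in fast_flux_candidates(SAMPLE).items():
        print(f"{domain}: {ips} IPs in {nets} /16 networks, median TTL {ttl}s")
```

Legitimate CDNs and load-balanced services also return short-TTL, rotating answers, so hits from a check like this are leads for review rather than verdicts.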