Author Topic: anysandra.com URL serving drive-by  (Read 3436 times)


March 12, 2010, 08:37:40 pm

dobedobedew

Hello,

I found this site by using a Google search for narkyl.com, which turned out to be listed as hosting zeus/wsnpoem v2.  I found the narkyl.com access in my proxy log coming from one PC in the building.  After doing some digging I found the site where the PC actually received the payload.  It is currently not in the full list.

The URL is "hxxp://anysandra.com/suspended/error.php?i=5".  anysandra.com resolves to 172.201.96.128, reverse dns is p3nlhg48c089.shr.prod.phx3.secureserver.net.

It appears to be currently hosting Virus.Win32.VBInject AKA Trojan.Dropper.Gen, which is different from the payload the PC initially received.

Thanks for this wonderful resource.

(EDIT)

Sorry, I forgot the VirusTotal link.

VT 8/42
http://www.virustotal.com/analisis/2f9ee15aa8c4b240f52392084be5fbd45234e938d8715a05a2c18207b4ea945f-1268423786
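The first post describes the investigative step a defender takes here: search the web proxy log for the known-bad domain, identify which internal client made the request, and then look at that client's neighbouring requests to find where the payload actually came from. The following script is an added example and not part of the forum thread; it assumes a Squid-style native access.log layout (timestamp, elapsed, client IP, status, bytes, method, URL, user, hierarchy, content type) and uses constructed log lines. Only the two domains and the anysandra.com URL come from the thread; every other value is made up for illustration.

```python
"""Search a proxy access log for requests to known-bad domains.

Added example, not code from the forum post. Assumes Squid native
access.log fields separated by whitespace:
  timestamp elapsed client status/code bytes method url user hierarchy type
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Domains named in the thread; a real deployment would load a full blocklist.
KNOWN_BAD_DOMAINS = {"narkyl.com", "anysandra.com"}

# Constructed sample lines (timestamps, client IPs and other hosts are made up).
SAMPLE_LOG = """\
1268423001.123    245 10.0.0.15 TCP_MISS/200 1024 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1268423002.456    812 10.0.0.15 TCP_MISS/200 51200 GET http://anysandra.com/suspended/error.php?i=5 - DIRECT/172.201.96.128 application/octet-stream
1268423003.789    130 10.0.0.15 TCP_MISS/200 2048 GET http://narkyl.com/ - DIRECT/203.0.113.9 text/html
1268423004.000     90 10.0.0.22 TCP_HIT/200 4096 GET http://www.example.org/ - NONE/- text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def extract_host(url):
    """Return the host part of a proxied URL; CONNECT requests carry host:port."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.split(":", 1)[0].lower()


def host_matches(host, bad_domains):
    """True if host is a bad domain or a subdomain of one."""
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def parse_line(line):
    """Parse one access.log line into a dict, or None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = extract_host(rec["url"])
    return rec


def find_bad_requests(log_text, bad_domains=KNOWN_BAD_DOMAINS):
    """Return every parsed record whose host is on the bad-domain list."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and host_matches(rec["host"], bad_domains):
            hits.append(rec)
    return hits


def clients_by_domain(hits):
    """Map each bad host to the sorted list of internal clients that reached it."""
    out = defaultdict(set)
    for h in hits:
        out[h["host"]].add(h["client"])
    return {host: sorted(clients) for host, clients in out.items()}


def binary_downloads(hits):
    """Subset of hits where the proxy logged an octet-stream response,
    the same content type the poster saw when fetching the URL with wget."""
    return [h for h in hits if h["ctype"] == "application/octet-stream"]


if __name__ == "__main__":
    hits = find_bad_requests(SAMPLE_LOG)
    for host, clients in clients_by_domain(hits).items():
        print(f"{host}: contacted by {', '.join(clients)}")
    for h in binary_downloads(hits):
        print(f"binary payload: {h['client']} <- {h['url']} ({h['bytes']} bytes)")
```

Running it on the sample lines attributes both bad domains to the single client 10.0.0.15 and singles out the anysandra.com request as the one that returned a binary, which is the pivot the poster describes: from the blocklisted domain back to the host that delivered the payload.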

March 12, 2010, 08:46:59 pm
Reply #1

SysAdMini

Thanks for submission and welcome to MDL.

I have checked the URL, but I don't see a redirection.
Ruining the bad guy's day

March 12, 2010, 08:58:19 pm
Reply #2

dobedobedew

My apologies if I am not using the correct terminology here.
When I used that URL in IE6 on XP it installed the payload.
Also, using wget in linux with that url resulted in a download of type application/octet-stream.  This is what was sent to virustotal.
I'm sorry if I did not explain properly.

March 12, 2010, 09:01:42 pm
Reply #3

SysAdMini

The URL
  anysandra.com/suspended/error.php?i=5
loops to itself here.
Ruining the bad guy's day