This is the page loaded from asvoo.org/antivir/ in popup windows from the faux-CNN landing page from our friends at the botnet starting on August 11. It does its best to look as though it's loading an antivirus, while actually loading a Trojan executable.

The link was replaced with i56web.org/antivir/ (same registrant, same IP) in landing pages spammed from August 13th on. Both were replaced by a slightly different page hosted elsewhere on August 17 (the IP now returns 500 to all requests).

As always, the full content of the page is archived here.

I don't actually have a lot to say about this yet. The Javascript is relatively uninteresting, although there is, actually, a little obfuscation, and I'll run that down at some point; my main focus this evening was to archive this before it goes away, because I am positive we'll be seeing more of it later.

I did also load the three external Javascript files referenced; the third defines an array of 1046 likely-looking filenames to pretend to scan. The other two are probably stock Javascript (one is a progress bar, the other ... dunno yet).

There are a lot of GIFs referenced here to make things look pretty for the stupid human, but I'm not saving those.