hxxp://cdpuvbhfzz.com/dl/adv598.php

this script serves obfuscated javascript that actually exploits the host and loads the malware:
hxxp://cdpuvbhfzz.com/dl/loadadv598.exe

afterwards the infected host requests
hxxp://cdpuvbhfzz.com/progs/ykrvqvmulm/dnjxbpggk.php?adv=adv598
and downloads additional binaries:
hxxp://cdpuvbhfzz.com/progs/ykrvqvmulm/xwabow.php (MS-DOS executable)
hxxp://cdpuvbhfzz.com/progs/ykrvqvmulm/mffgpddqes.php (MS-DOS executable PE)
hxxp://cdpuvbhfzz.com/progs/ykrvqvmulm/zwjabb.php (MS-DOS executable PE)
hxxp://cdpuvbhfzz.com/progs/ykrvqvmulm/pxlyzzm.php (MS-DOS executable PE)
hxxp://cdpuvbhfzz.com/progs/ykrvqvmulm/yzznabofpg.php (MS-DOS executable PE)
hxxp://cdpuvbhfzz.com/progs/ykrvqvmulm/zjtkhlyzm (MS-DOS executable PE)

finally it registers as a new bot at the same webserver assigning itself an id
hxxp://cdpuvbhfzz.com/progs/ykrvqvmulm/xuhvijanb.php?adv=adv598&code1=JPOH&code2=6353&id=1756157732&p=1
and checking back for uniqueness
hxxp://cdpuvbhfzz.com/uniq.php?id=1756157732
(response by webserver: ok)

in the meantime the following requests are attempted:
hxxp://208.72.169.54/nnn1?i=1
hxxp://208.72.169.54/nnn2?i=1
hxxp://208.72.169.54/nnn3?i=1
all answered with status code 404, not found.

now connecting to another host, propably to register
hxxp://gicia.info/cd/un2.php?id=1C89D6591737ECD&ver=nz0
getting redirected to and downloading data from:
hxxp://gicia.info/cd/cd.php?id=1C89D6591737ECD&ver=nz0 (DBase 3 data)
afterwards:
hxxp://gicia.info/cd/cd.php?id=1C89D6591737ECD&ver=nz1

yet another location is coming into game:
hxxp://contacy.info/fd/sea.php?ver=ha3
response: """"13iuuq;..cghsru/hogn.ho/bfh>2'jdx<o`jde*vnl`o*whedn*f`ld"

requesting hxxp://masgio.info/cd/cd.php?id=1-1C89D6591737ECD&ver=nz1
getting redirected to hxxp://gicia.info/cd/cd.php?id=1-1C89D6591737ECD&ver=nz1

this is where clickfraud begins (keywords: naked woman video game)
hosts involved to redirect the infected machine:
bfirst.info
medicalbillsite.info
216.195.33.44 216.195.61.223

next request:
[x|y|z] = very long alpha-numerical string (replaced for brevity)
hxxp://82.98.235.70/443?sid=[x]
response: [y]

thereupon downloading binary from:
hxxp://89.188.16.50/css4.dll?sid=[z]
(MS-DOS executable PE for MS Windows (DLL))

then a POST to
hxxp://contacy.info/fd/rep3.php containing er[0]=5.1-&er[02]=-1-cl_wcacrc
and one to
hxxp://fotorsge.com/

followed by attempts to send emails, connecting to smtp on aol.com microsoft.com and cluster-club.info
due to blocking of port 25 i wasnt able to capture those

anyway, afterwards, POSTs are made to
hxxp://208.72.169.15/login.php
hxxp://208.72.169.15/data.php (several times)

and hxxp://208.72.169.15/sdferw.jpg (MS-DOS executable PE)
is downloaded

mass spam mails are being sent, advertising those VPXL websites
(dont worry, they didnt leave my network, just captured a few as examples)


###

thats it for now.
when looking at the ips, most are known to belong to the ip address space used by the RBN

cdpuvbhfzz.com 85.255.121.195
gicia.info masgio.info 72.233.60.106
f1visa.info 72.232.202.162
fotorsge.com 82.98.235.154 89.188.16.24
bfirst.info 72.232.195.26
medicalbillsite.info 72.36.208.210
cluster-club.info 208.72.168.151
216.195.33.44
216.195.61.223
208.72.169.15
208.72.169.54
82.98.235.70
89.188.16.50

hrm,
i forgot two binaries:
hxxp://caatadgouk.com/ddos.php (MS-DOS executable)
hxxp://caatadgouk.com/ddos1.php (MS-DOS executable)

Nice work. I've downloaded the malware samples from the various sites and I'll add them to the malware listserv.

http://www.dslreports.com/forum/r20340373-Does-anyone-know-anything-about-this-advert

I'm pinging my Google contacts.