This particular one starts at fivespot-atl.com (IP: 220.127.116.11 - constitution.networkredux.net), with a URL that instantly screams "I'm gonna infect you, but I gots some really cool porn for you!";
Viewing the source code shows us several rather interesting links;
hxxp://wewew.googlecode.com/files/tube.gif (VirusTotal results)
I checked the tube.gif file, and the .js/.css files hosted on the GoogleCode URL, but couldn't see anything malicious, so it is likely still in development.
So what does the fivespot-atl.com URL actually look like? Well, a WordPress blog, actually. Though it also includes one of our very familiar looking "Woops, ya need a codec/flass to view this";
Clicking on this "video" results in our being taken through su7.us (IP: 18.104.22.168 - Real International Business Corp. - known malware block), and given a fake flash installer, identified as PrivacyCenter by NOD32 (which quarantined it when I tried to obtain a copy);
This file is downloaded from secure-center-antivirus.com;
Hint: promo1 is also valid as promo2/3, and the vname seems to be anything you like - it's just used as the name of the .exe to be downloaded.
The secure-center-antivirus.com IP, 22.214.171.124, is shared by over 20 other malicious domains, including;
Net-block information for 91.212.132.*
This block also appears to be directly related (see parent: 91.212.) to the group I blogged about, who are also involved in the Live.com poisoning (not really surprising) and who were blogged about by Danchev earlier this week;
What is more interesting is that one of the domains reported to me as being hacked, tkdtutor.com (IP: 126.96.36.199 - xerxes.lunarpages.com), also suggests a possible relation to the group(s) responsible for the exploitation of the sites hosted by Lunarpages (and yes, those previously reported are STILL carrying the malicious code - nice going there LunarPages!).
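The point of tracking a netblock rather than a single IP is that the other domains sharing it, and the parent range it sits in, can be flagged together. The script below is an added example (not code from the original post or from hpHosts) that takes a list of domain-to-IP observations, classifies each IP as inside the 91.212.132.* block, inside the wider parent range, or unrelated, and emits hosts-file block entries for the matches. The domains and IPs in the sample list are constructed placeholders for illustration, not the indicators from the post.

```python
import ipaddress

# The /24 discussed in the post, and the parent range it sits in ("see parent: 91.212.").
# Treating 91.212.0.0/16 as "the parent" is an assumption made for this example.
SUSPECT_BLOCK = ipaddress.ip_network("91.212.132.0/24")
PARENT_RANGE = ipaddress.ip_network("91.212.0.0/16")

# Constructed sample observations: (domain, resolved IP). None of these are real indicators.
OBSERVATIONS = [
    ("fake-av-1.test", "91.212.132.10"),   # inside the suspect /24
    ("fake-av-2.test", "91.212.132.55"),   # inside the suspect /24
    ("fake-av-2.test", "91.212.132.56"),   # same domain, second A record
    ("neighbour.test", "91.212.131.9"),    # neighbouring /24, only in the parent range
    ("benign-blog.test", "203.0.113.7"),   # documentation range, unrelated
    ("broken.test", "not-an-ip"),          # malformed input should not crash the run
]


def classify(ip: str, block=SUSPECT_BLOCK, parent=PARENT_RANGE) -> str:
    """Return 'block', 'parent-range', 'unrelated' or 'invalid' for one IP string."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr in block:
        return "block"
    if addr in parent:
        return "parent-range"
    return "unrelated"


def flag_domains(observations, block=SUSPECT_BLOCK):
    """Domains with at least one A record inside the suspect block, deduplicated and sorted."""
    return sorted({d for d, ip in observations if classify(ip, block) == "block"})


def related_domains(observations, parent=PARENT_RANGE):
    """Domains whose IPs fall anywhere in the parent range but not in the suspect block itself."""
    flagged = set(flag_domains(observations))
    return sorted({d for d, ip in observations
                   if classify(ip, parent=parent) == "parent-range" and d not in flagged})


def hosts_entries(domains, sink="127.0.0.1"):
    """Render hosts-file lines that sinkhole each domain locally."""
    return [f"{sink}\t{d}" for d in domains]


if __name__ == "__main__":
    blocked = flag_domains(OBSERVATIONS)
    print("# domains hosted in", SUSPECT_BLOCK)
    for line in hosts_entries(blocked):
        print(line)
    print("# domains in the parent range", PARENT_RANGE, "worth a closer look:")
    for d in related_domains(OBSERVATIONS):
        print("#", d)
```

Domains in the parent range are reported separately rather than blocked outright, since a shared /16 is weaker evidence than the /24 the post ties directly to the group.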