I've been seeing these for some time now (indeed, I've been seeing attempts at exploiting the hpHosts server since at least May), and figured I'd collate a list of those known to have been around, both old and new.
See the following for the results of those that were live/dead as of a few mins ago (note that there have been thousands of these domains since the attacks against everyone began; the list doesn't include them all, as not all of them have been documented (or if they were, I couldn't locate them));
Some of the domains were found courtesy of the fantastic list at;
I had planned to do a write-up on how the exploit was attempted, but Michael (Bloombit) has done a much more detailed job than I had planned, so I'll leave that to him.
Connie also submitted one of these for inclusion in hpHosts toward the end of August, and further analysis saw the domain being led to, changing from time to time, before it finally pointed back to itself;
In all cases however, both old and new, the final result was the exploit attempting to peddle the now well-known rogue, AntivirusXP. See the following for an example;
... and not surprisingly, almost all of the newer ones I've spotted have used fastflux. Oh and nope, the "NESCO Accounting and Finance" displayed on all of the resulting sites' homepages isn't real either ;o)