The latest reasons for avoiding this block come courtesy of Jey Joseph, who registered two domains that attempt to foist malware on the unsuspecting visitor. The first domain, av-antivir-check.com, contains a link to download the malware from his other domain, download-1-software.com, which, interestingly, serves the malware irrespective of how you get there (go straight to the domain and, instead of a website, it foists the same file on you);
This file is UPX packed and is actually rather small, indicating it's very likely a downloader, rather than the actual malware itself (22K packed, 49K unpacked).
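A quick triage check for the UPX packing noted above, as an added example that is not part of the original post: it reads the PE section table and reports the usual UPX traits. The sample bytes are constructed header-only stubs, and all function names are this example's own.

```python
import struct

def pe_sections(data: bytes):
    """Return [(name, virtual_size, raw_size)] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                          # section table follows optional header
    out = []
    for i in range(n_sections):
        name, vsize, _va, raw = struct.unpack_from("<8sIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw))
    return out

def upx_indicators(data: bytes):
    """Heuristics only; a section with no raw data (e.g. .bss) also occurs in unpacked files."""
    secs = pe_sections(data)
    hits = []
    names = [n for n, _, _ in secs if n.startswith("UPX")]
    if names:
        hits.append("UPX-named sections: " + ", ".join(names))
    for name, vsize, raw in secs:
        if raw == 0 and vsize > 0:
            hits.append(f"{name}: no data on disk, {vsize} bytes in memory")
    if b"UPX!" in data:
        hits.append("UPX! marker present")
    return hits

def _constructed_pe(sections):
    """Build a header-only PE stub for the demo (constructed, not a real sample)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, 0x1000, rs, 0, 0, 0, 0, 0, 0)
                     for n, vs, rs in sections)
    return dos + b"PE\0\0" + coff + table

# Constructed inputs: one UPX-style layout, one ordinary layout.
PACKED = _constructed_pe([(b"UPX0", 0x8000, 0), (b"UPX1", 0x6000, 0x5600),
                          (b".rsrc", 0x1000, 0x400)]) + b"UPX!"
PLAIN = _constructed_pe([(b".text", 0x3000, 0x3000), (b".data", 0x1000, 0x200)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("plain", PLAIN)):
        print(label, upx_indicators(blob) or "no UPX indicators")
```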
VirusTotal results for the original (packed) file;
VirusTotal results for the unpacked file;
Detection for both is extremely poor.
This decodes to;
Notice the URLs?
http://184.108.40.206/?id=4027&q=keywod <--- our friends at Cernel
Nice - the script infects you (if you've not infected yourself first), then gives you some hints to lovely little porn sites (that are guaranteed to foist more crap on you).
vURL Online Results for: av-antivir-check.com
Looking at the scripts that are loaded (bottom of av-antivir-check.com) doesn't show very much;
So where do the other 40-odd reasons come from? Well, hpHosts actually. There are currently 46 sites hosted on 74.50.117.*, listed in hpHosts;
For clarity, the following is the WhoIs for av-antivir-check.com and download-1-software.com;