This one came in an e-mail claiming to be from Facebook, with the usual social engineering rubbish;
Or for those of you using HTML e-mail (naughty naughty!);
In line with keeping this basic, for those of you not familiar with decoding these, and not wanting to run them - to decoded this latest variant, change;
Then comment out the following lines (I've used screenshots for these, to save your AVs going nuts);
Lines 1 and 2
Add this, just after line 13;
Once the changes are made, simply run it in Malzilla, and you'll see the lovely mess of code in the bottom box;
Simply copy this, paste it into the top box (where the original code was - and remember to CLEAR THE CONTENTS OF THAT FIRST!), or create a new decoder tab. Click Format Code, and voila - from here you simply look for the magic ?f=, and you've got the variable you need.
As an aside, these are blocking JSUnpack/Wepawet et al now it seems.
Headers for the e-mail, for those that want them;
parahole.ru itself, is housed at;
IP PTR: s118.justhost.in.ua
ASN: 15626 18.104.22.168/24 ITLAS ITL Company
Unless you've got a specific reason not to, you can safely block this entire /24.
URLs for this one;
MD5 for the payload (SpyEye trojan of course, same as the last): 162d507cead24c6e184ea83be33fc209
Blackhole exploit: For those wondering, Part 2
Blackhole exploit: For those wondering