Hi forum friends,
Well I have to say that as the downloader tries to contact to steoo dot com the avast Webshield will neatly block the malware URL as JS:Downloader-AM [Trj], so we are protected by the Webshield against this exploit that might even be a threat on Vista SP1 (F-Secure flags as Trojan:W32/Agent.IHN.),
polonus
system
3
avast doesn’t pick up on the script as it appears on the original webpage, but it does alert on malzilla when de-obfuscating it.
Hi spg SCOTT,
Thanks for your giving your observations while testing, very rewarding and helpful you checked that. As I got the webshield alert when I trying to open up a page with the original exploit code of the exploit used, that could be interpreted similar to what you experienced after de-obfuscation. So the morphed version could go under the radar, report that to virus AT avast dot com so we can have protection for the obfuscated variant as well.
polonus
system
5
Sent, via email and chest 
I am guessing a little here, but since avast can catch the plain form, it may not be such a big thing, since once the connection is attempted I would assume that is where it catches it. It would be nice to get it earlier though 