New(?) php attack http://*/indexz29X.php

I’m not sure if this is new or not, but avast 6.0.1125 database version 110602-2 didn’t pick it up, nor did Malwarebytes’ Anti-Malware 1.51.0.1200 database version 6756 (2011-06-02). Spybot - Search & Destroy 1.6.2.46 (2011-06-01 detection update) didn’t catch it either.

The spam hit my e-mail two days ago on both my PC and my mobile device. The indexz29X.php appears to be some sort of virus or at the very least an e-mail hijack that turns your e-mail into a spam-bot.

I’m not knowledgeable enough to tinker with it so I’ll leave that to the experts. I am knowledgeable enough not to click on spam links in my e-mails though. I think it’s safe to say that any URL containing “indexz29X.php” is suspicious to say the least.

VirusTotal has nothing on them. Wepawet shows it as benign and Uiribl has only the fautenhau-gastronomie.de site blacklisted.

I’m posting the links below for the security experts to play with from safe test-boxes.

THE LINKS BELOW ARE THE SUSPECTED PHP VIRUS LINKS: CLICK AT YOUR OWN RISK
hxtp://www.gaqm.fr/indexz29X.php
hxtp://www.claudioschifano.com/indexz29X.php
hxtp://www.international-exhibitionist.org/indexz29X.php
hxtp://www.nmeh.mobi/indexz29X.php
hxtp://web89.server102.greatnet.de/indexz29X.php
hxtp://www.fautenhau-gastronomie.de/indexz29X.php
hxtp://www.ilfieramosca.it/indexz29X.php
hxtp://bytefest.hostuju.cz/indexz29X.php

and a new iteration:
hxtp://s013w192.srv13.mw-internet.net/indexz33X.php

All sites appear to redirect to:
Possible malware/virus link.
hxtp://rxpharmacytabletsdrugstore.net

TrendMicro reports this as a Malware site and Opera reports this as a phishing site.

Wepawet had the following results on this site, also showing it to be benign.

http://wepawet.iseclab.org/view.php?hash=dfd2e96b4cc5e58848ce91d87a30a76d&t=1307085785&type=js

Please deactivate the links, so that they are unclickable and foward them to virus(@)avast.com

Hi spg SCOTT,

rxpharmacytabletsdrugstore dot net has no DS records,
RR has value, 95.64.45.29, a RR has value 89.45.14.211, a RR has value 89.45.14.2, a RR has value 91.200.240.250, a RR has value 95.64.45.23
Timed out and failed no sigs found either, look here, e.g.: http://www.projecthoneypot.org/ip_95.64.45.29 and http://www.onthesamehost.com/?q=95.64.45.23

polonus