What is this hidden iFrame MW:IFRAME:HD202 -malware?

Viruses and worms
1

See: htxp://" scrolling=“no” frameborder=“0” hspace="0 found at htxp://kookoo.ru
Was part of malware campaign → http://evuln.com/labs/iframe/www.lexic.ru/
Found also here: http://maldb.com/hotlinetours.ru/ and in above website: http://maldb.com/kookoo.ru/
Also on a malware block list: https://easylist-downloads.adblockplus.org/malwaredomains_full.txt
and so blocked in my browser via ABP extension,
this according to http://www.mywot.com/en/scorecard/lexic.ru?utm_source=addon&utm_content=popup-donuts

Also Suspicious Text before HTML (simple sunrise data?)
Suspicious Script:
htxp://www.reg.ru/js/rereg_informer.js
.ru/js/rereg_informer.js 301 moved permanently

301 moved permane
Recommended scan: http://sitecheck.sucuri.net/results/kookoo.ru
Next to the iFrame malcode also this malware:
http://labs.sucuri.net/db/malware/malware-entry-mwjsanon7

pol

2

9/50 on Virustotal: https://www.virustotal.com/en/url/245aa3bb040fd760e94a374e0f32f880959464d96048043f43ef40adb40de99a/analysis/1383089986/
Zulu: http://zulu.zscaler.com/submission/show/f11d73e4ba25708e945fc175b7f336a0-1383089990

Zulu reports some suspicious external elements.

3

In-depth checking of the Zscaler Zulu external elements for Steven Winderlich:

  1. javascript check: Suspicious

…ive location: -https://www.reg.ru/js/rereg_informer.js 301 moved permanently

301 moved permanently

<…

  1. error check there:
    Suspicious Suspicious 404 Page:
    .ru/404-test.js 301 moved permanently

    301 mo
    -404 error check suspicious Suspicious 404 Page:
    .ru/js/api/share.js?10" type=“text/javascript”> <script src=“/javascripts/base_packaged.js?1383061208” type="te

  2. htxp://www.platnijopros.ru/images/Banners/240x400.swf seems non-malicious (server status - default and safe)
    but site has another suspicious script Suspicious Script:
    platnijopros dot ru/js/main.js (is improved version of script by Kevin van Zonneveld)
    .ru/complete_page2/?id='+udata.val()); */ if (data[4] == 1) window.location.replace(slink.val()); else window.location.repla

  3. Re: http://jsunpack.jeek.org/?report=77b9aa0033444446a975a6fb67575eda494c7a13

  4. No significant issues detected. Also see: http://jsmeter.info/48kmov/1#results (PreScreenAdv?)

  5. Not identical in browsers: Not identical

Google: 20520 bytes Firefox: 20448 bytes
Diff: 72 bytes

6.1. First difference:
cks/photo/880" width=“85” height=“85” alt=“”>

ð�ñ�ð»ð¸ñ�ð½…

6.2. Read about this diff. here: http://html5doctor.com/the-figure-figcaption-elements/ credits go to link author = Richard Clark

polonus