Thursday, August 7, 2008

Antivirus-XP-2008 BlackHat Adwords Campaign (to be continued)

As I wrote in "Rogue Anti-Spyware adverts on Google Adwords", there was a rogue antispyware, Anti-Virus-XP-2008, which had a Google Adwords campaign running on Google.
The next day I checked again and found nothing related to it. And what do I see now? A new domain, www.xp-2008.com, an updated exe file (now inside a .zip archive)... and the same trojan-downloader inside it.
Virustotal info:
File Antivirus-XP-2008.zip received on 08.07.2008 13:35:34 (CET)
Current status: finished
Result: 15/36 (41.67%)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.7.0 2008.08.07 -
AntiVir 7.8.1.19 2008.08.07 TR/Dldr.Small.AAJM.18
Authentium 5.1.0.4 2008.08.07 -
Avast 4.8.1195.0 2008.08.06 Win32:Trojan-gen {Other}
AVG 8.0.0.156 2008.08.07 Downloader.Generic7.ADFI
BitDefender 7.2 2008.08.07 -
CAT-QuickHeal 9.50 2008.08.06 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.07 -
DrWeb 4.44.0.09170 2008.08.07 -
eSafe 7.0.17.0 2008.08.06 Suspicious File
eTrust-Vet 31.6.6017 2008.08.07 -
Ewido 4.0 2008.08.07 -
F-Prot 4.4.4.56 2008.08.06 -
F-Secure 7.60.13501.0 2008.08.07 Trojan-Downloader.Win32.Small.aajm
Fortinet 3.14.0.0 2008.08.07 W32/PolySmall.BP!tr
GData 2.0.7306.1023 2008.08.07 Trojan-Downloader.Win32.Small.aajm
Ikarus T3.1.1.34.0 2008.08.07 Trojan.Win32.Busky.EI
K7AntiVirus 7.10.405 2008.08.07 -
Kaspersky 7.0.0.125 2008.08.07 Trojan-Downloader.Win32.Small.aajm
McAfee 5355 2008.08.06 -
Microsoft 1.3807 2008.08.07 Trojan:Win32/Busky.EI
NOD32v2 3336 2008.08.07 a variant of Win32/TrojanDownloader.FakeAlert.BP
Norman 5.80.02 2008.08.06 -
Panda 9.0.0.4 2008.08.06 -
PCTools 4.4.2.0 2008.08.06 -
Prevx1 V2 2008.08.07 Fraudulent Security Program
Rising 20.56.32.00 2008.08.07 -
Sophos 4.31.0 2008.08.07 -
Sunbelt 3.1.1537.1 2008.08.07 -
Symantec 10 2008.08.07 Downloader.MisleadApp
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.07 -
VBA32 3.12.8.2 2008.08.06 -
ViRobot 2008.8.7.1328 2008.08.07 -
VirusBuster 4.5.11.0 2008.08.06 -
Webwasher-Gateway 6.6.2 2008.08.07 Trojan.Dldr.Small.AAJM.18

And it occupies all the first places...

Tuesday, August 5, 2008

Adrenalin Spyware - the latest version of Nuclear Grabber

The known hacker/spammer/carder Corpse has announced a new version of Nuclear Grabber (code name "Adrenalin").
Description:
1) Advanced injects system - injection of html/javascript code into pages/javascript files or changing one code piece to another. All injections are in stream mode - injected page is loading changed! No stupid BHO autoruns, like in other shiny trojans. All is very effective.
2) Injects control system - get/post filter under the mask
3) "Catching" of pieces of html-pages (like balance, settings, etc).
4) FTP-Grabber - traffic sniffer allows to detect logins/passwords to FTP.
5) Certificates collector - dropping of all installed certificates in the system.
6) Clean cookies/flashcookies
7) AntibrowserID
8) Form-words grabbing (like *bank, *login, *ssn, etc)
9) Advanced formgrabber. Filters included. All logs are in good readable form after catching.
10) Redirect fakes
11) Screenshots
12) TheBat! catcher
13) Classic keylogger
14) Advanced anti-detect; Rootkit+
15) AV-function - allows to delete all BHO-trojans and other adware. Best solution for future "surviving" of this bot in an infected system.
16) Working in Windows without an exe file
17) Socks4/5 + http(s) "proxy"
18) Shell + Backshell
19) Resident loader
No server needed! Only hosting with PHP!

Monday, August 4, 2008

Rogue Anti-Spyware adverts on Google Adwords

[Screenshot: Google search results for "antispyware" with rogue antispyware ads]
Let's enter "antispyware" in Google.
Some interesting results are shown in the image above...
Many users remember rogue anti-spyware alarmers like Antivirus XP-2009.
On the screenshot you can see many fake CheckMark, PC-Mark and Intel logos.
A funny "antispyware" of 112 KB in size...
Let's ask VirusTotal:
AhnLab-V3 2008.7.29.1 2008.08.04 -
AntiVir 7.8.1.15 2008.08.04 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.08.03 -
Avast 4.8.1195.0 2008.08.03 -
AVG 8.0.0.156 2008.08.03 I-Worm/Nuwar.W
BitDefender 7.2 2008.08.04 Trojan.Peed.JQM
CAT-QuickHeal 9.50 2008.08.02 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.04 -
DrWeb 4.44.0.09170 2008.08.04 -
eSafe 7.0.17.0 2008.08.03 Suspicious File
eTrust-Vet 31.6.6007 2008.08.04 -
Ewido 4.0 2008.08.03 -
F-Prot 4.4.4.56 2008.08.03 -
F-Secure 7.60.13501.0 2008.08.04 -
Fortinet 3.14.0.0 2008.08.04 -
GData 2.0.7306.1023 2008.08.04 -
Ikarus T3.1.1.34.0 2008.08.04 -
K7AntiVirus 7.10.402 2008.08.02 -
Kaspersky 7.0.0.125 2008.08.04 -
McAfee 5352 2008.08.01 -
Microsoft 1.3807 2008.08.04 -
NOD32v2 3323 2008.08.04 a variant of Win32/TrojanDownloader.FakeAlert.FF
Norman 5.80.02 2008.08.04 -
Panda 9.0.0.4 2008.08.03 -
PCTools 4.4.2.0 2008.08.03 -
Prevx1 V2 2008.08.04 -
Rising 20.56.02.00 2008.08.04 -
Sophos 4.31.0 2008.08.04 Mal/Dorf-A
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.04 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.04 -
VBA32 3.12.8.2 2008.08.04 -
ViRobot 2008.8.1.1321 2008.08.01 -
VirusBuster 4.5.11.0 2008.08.03 -
Webwasher-Gateway 6.6.2 2008.08.04 Trojan.Crypt.XPACK.Gen
It's against Google's TOS, isn't it?
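The VirusTotal listings in this post and in the 7 August post are pasted as flat text, which makes the detection ratio and the engine naming hard to check by eye. The following Python is an added example, not part of the original blog: it parses that "engine version last-update result" layout, recomputes the ratio against the "Result: 15/36" line, lists which engines detected the sample, shows how far the labels diverge between engines for the same file, and flags engines whose signatures were older than the newest update in the report. The sample input is the 7 August listing copied from the post; the function names are my own.

```python
import re
from collections import Counter

# Sample input: the VirusTotal listing for Antivirus-XP-2008.zip exactly as
# pasted in the 7 August post (rows: engine, version, last update, result).
VT_REPORT = """\
Result: 15/36 (41.67%)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.7.0 2008.08.07 -
AntiVir 7.8.1.19 2008.08.07 TR/Dldr.Small.AAJM.18
Authentium 5.1.0.4 2008.08.07 -
Avast 4.8.1195.0 2008.08.06 Win32:Trojan-gen {Other}
AVG 8.0.0.156 2008.08.07 Downloader.Generic7.ADFI
BitDefender 7.2 2008.08.07 -
CAT-QuickHeal 9.50 2008.08.06 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.07 -
DrWeb 4.44.0.09170 2008.08.07 -
eSafe 7.0.17.0 2008.08.06 Suspicious File
eTrust-Vet 31.6.6017 2008.08.07 -
Ewido 4.0 2008.08.07 -
F-Prot 4.4.4.56 2008.08.06 -
F-Secure 7.60.13501.0 2008.08.07 Trojan-Downloader.Win32.Small.aajm
Fortinet 3.14.0.0 2008.08.07 W32/PolySmall.BP!tr
GData 2.0.7306.1023 2008.08.07 Trojan-Downloader.Win32.Small.aajm
Ikarus T3.1.1.34.0 2008.08.07 Trojan.Win32.Busky.EI
K7AntiVirus 7.10.405 2008.08.07 -
Kaspersky 7.0.0.125 2008.08.07 Trojan-Downloader.Win32.Small.aajm
McAfee 5355 2008.08.06 -
Microsoft 1.3807 2008.08.07 Trojan:Win32/Busky.EI
NOD32v2 3336 2008.08.07 a variant of Win32/TrojanDownloader.FakeAlert.BP
Norman 5.80.02 2008.08.06 -
Panda 9.0.0.4 2008.08.06 -
PCTools 4.4.2.0 2008.08.06 -
Prevx1 V2 2008.08.07 Fraudulent Security Program
Rising 20.56.32.00 2008.08.07 -
Sophos 4.31.0 2008.08.07 -
Sunbelt 3.1.1537.1 2008.08.07 -
Symantec 10 2008.08.07 Downloader.MisleadApp
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.07 -
VBA32 3.12.8.2 2008.08.06 -
ViRobot 2008.8.7.1328 2008.08.07 -
VirusBuster 4.5.11.0 2008.08.06 -
Webwasher-Gateway 6.6.2 2008.08.07 Trojan.Dldr.Small.AAJM.18
"""

# engine and version never contain spaces; the date column pins the layout,
# and everything after it (possibly with spaces) is the verdict.
ROW_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$')
STATED_RE = re.compile(r'Result:\s*(\d+)/(\d+)')


def parse_vt_report(text):
    """Turn the flat listing into a list of row dicts; '-' means no detection."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:                      # header, 'Result:' line, blanks
            continue
        engine, version, updated, result = m.groups()
        result = result.strip()
        rows.append({'engine': engine, 'version': version, 'updated': updated,
                     'result': None if result == '-' else result})
    return rows


def detection_ratio(rows):
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for r in rows if r['result']), len(rows)


def detections(rows):
    return [(r['engine'], r['result']) for r in rows if r['result']]


def stated_ratio(text):
    """The ratio VirusTotal printed itself, for a consistency check."""
    m = STATED_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def ratio_matches_stated(text):
    return detection_ratio(parse_vt_report(text)) == stated_ratio(text)


def label_counts(rows):
    """How many engines agree on each exact label (naming is rarely shared)."""
    return Counter(r['result'] for r in rows if r['result'])


def stale_engines(rows):
    """Engines whose signature date is older than the newest one in the report;
    a miss from these says less than a miss from a freshly updated engine."""
    newest = max(r['updated'] for r in rows)      # YYYY.MM.DD sorts as text
    return [r['engine'] for r in rows if r['updated'] < newest]


if __name__ == '__main__':
    rows = parse_vt_report(VT_REPORT)
    hits, total = detection_ratio(rows)
    print(f"detections: {hits}/{total}, matches stated: {ratio_matches_stated(VT_REPORT)}")
    for engine, label in detections(rows):
        print(f"  {engine:18} {label}")
    print("stale engines:", ", ".join(stale_engines(rows)))
```

The same functions read the listing from the 4 August post unchanged (it has no "Result:" line, so `stated_ratio` returns None there). The stale-engine check matters when reading these tables: 11 of the 36 engines in the 7 August scan had not been updated that day, so a dash from them is weaker evidence than a dash from Kaspersky or Microsoft.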

Wednesday, July 30, 2008

Hacked domains serving malware domains

[Screenshot: black hat SEO doorway pages in Yahoo search results]
I found interesting doorway pages located on hacked .edu domains or simply on hacked domains with high PageRank. You can see it for yourself by searching Yahoo for the phrase "he too is necessary to me. How it to order? Bob : On this site it is possible to find the I have found it! Anonyme : I know a web-site where there is a . I can give the link." These words appear to be the defaults in a doorway generator used for black-hat SEO.
Many of the results shown by Yahoo redirect to pharma sites like Canadian Pharmacy, described by Dancho Danchev in his blog.
Redirect type: an included script.js, where script.js is encrypted JavaScript containing a redirect, window.location=...
Most black hatters use a TDS (traffic direction system) to route their traffic correctly, e.g. in.cgi?s=x&parametr=x
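For a site owner checking whether their own pages have been turned into doorways of this kind, the symptoms the post describes are easy to scan for: a `<script src=...>` include pulled from a foreign host, a `window.location=` redirect hidden behind `unescape()` or `\x` escapes inside that script, a TDS-style `in.cgi?s=...` target, and the doorway generator's boilerplate phrases in the page body. The Python below is an added example, not code from the post or from any tool it mentions. The page content, the foreign `script.js`, the hosts `example.com` (ours) and `example.net` (foreign) and all function names are constructed for the example; fetching the included scripts is left to the caller, so it runs offline against the embedded samples.

```python
import re
from urllib.parse import quote, unquote, urlparse

# --- Constructed sample input (not from the original post) ----------------
# A page on our own host, example.com, carrying two of the symptoms from the
# post: an injected script include from a foreign host and doorway text.
SAMPLE_HTML = """<html><head><title>Welcome</title>
<script src="/js/site.js"></script>
<script src="http://example.net/script.js"></script>
</head><body>
<p>Bob : On this site it is possible to find the I have found it!</p>
<p>Anonyme : I know a web-site where there is a . I can give the link.</p>
</body></html>"""

# Constructed stand-in for the foreign script.js: the redirect is hidden behind
# unescape() of a percent-encoded string, and the target has the in.cgi?s=
# shape the post attributes to a TDS.
_REDIRECT_PAYLOAD = '<script>window.location="http://example.net/in.cgi?s=3&parametr=x"</script>'
SAMPLE_SCRIPT_JS = "document.write(unescape('%s'));" % quote(_REDIRECT_PAYLOAD, safe='')
SAMPLE_SCRIPTS = {"http://example.net/script.js": SAMPLE_SCRIPT_JS}   # url -> fetched body

# Default phrases of the doorway generator, as quoted in the post.
DOORWAY_MARKERS = (
    "he too is necessary to me",
    "I know a web-site where there is a",
    "I can give the link",
)

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.S | re.I)
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
HEX_ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})')
UNI_ESC_RE = re.compile(r'\\u([0-9a-fA-F]{4})')
LOCATION_RE = re.compile(
    r"""(?:(?:window|document|self|top)\.)?location(?:\.href)?\s*(?:=\s*|\.replace\(\s*)["']([^"']+)["']""")
TDS_RE = re.compile(r"""https?://[^\s"'<>]*in\.cgi\?[^\s"'<>]*""")


def deobfuscate_js(js, max_rounds=5):
    r"""Undo the cheap encodings used to hide a redirect: unescape('%xx..')
    calls and \xNN / \uNNNN escapes. Repeats while the text keeps changing,
    so nested layers are peeled too."""
    for _ in range(max_rounds):
        new = UNESCAPE_RE.sub(lambda m: unquote(m.group(2)), js)
        new = HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), new)
        new = UNI_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), new)
        if new == js:
            break
        js = new
    return js


def find_external_scripts(html, own_host):
    """<script src> includes that point at a host other than our own."""
    found = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).netloc.lower()
        if host and host != own_host.lower():
            found.append(src)
    return found


def find_redirect_targets(js):
    """Targets of location assignments, after decoding."""
    return LOCATION_RE.findall(deobfuscate_js(js))


def find_tds_urls(text):
    return TDS_RE.findall(deobfuscate_js(text))


def find_doorway_markers(html):
    return [m for m in DOORWAY_MARKERS if m in html]


def scan_page(html, scripts, own_host):
    """scripts: mapping script URL -> fetched content (caller fetches them)."""
    external = find_external_scripts(html, own_host)
    redirects, tds = [], []
    for url in external:                       # foreign includes
        body = scripts.get(url, "")
        redirects += find_redirect_targets(body)
        tds += find_tds_urls(body)
    for inline in INLINE_SCRIPT_RE.findall(html):   # inline scripts on the page
        redirects += find_redirect_targets(inline)
        tds += find_tds_urls(inline)
    return {'external_scripts': external, 'redirect_targets': redirects,
            'tds_urls': tds, 'doorway_markers': find_doorway_markers(html)}


if __name__ == '__main__':
    for key, value in scan_page(SAMPLE_HTML, SAMPLE_SCRIPTS, 'example.com').items():
        print(f"{key}: {value}")
```

Any non-empty finding is worth a look at the page source on disk, since the injected include and the redirect live in the files themselves, not in the search engine's cached copy. The percent-decoding is deliberately simple; it covers the `unescape()` and hex-escape tricks of the period but not, say, `String.fromCharCode` chains, which would need a further decoding step in `deobfuscate_js`.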