Zief[dot]pl and a handful of other domains hosted on the same IP address (61.235.117.71) are currently attempting to distribute Trojan W32/Virut by using various client-side exploits. The Trojan W32/Virut family is particularly nasty and consists of file-infecting viruses that target and infect .EXE and .SCR files accessed on infected systems. Win32/Virut also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and run files on the infected computer.

Upon execution, Win32/Virut will open a connection with one of the IRC servers over a non-standard IRC port. This channel is used for communication, allowing the attacker to control the machine or download additional malicious components onto the system.

One example:

Server: proxima.ircgalaxy.pl
Port: 65520
Channel: &virtu
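
A detection example for the behaviour described above, added here and not part of the original post: it flags flows whose first payload bytes contain an IRC client login on a port outside the usual IRC range. The flow-record layout, internal addresses and nick/user strings are constructed assumptions; the server, port and channel are the ones listed above.

```python
import re

# Ports IRC servers conventionally listen on; anything else is "off-port" here.
STANDARD_IRC_PORTS = {194, 6697, 7000} | set(range(6660, 6670))

# IRC client commands (RFC 1459) at the start of a line, with their first argument.
IRC_CMD = re.compile(rb"^(PASS|NICK|USER|JOIN)\s+(\S+)", re.MULTILINE)

def find_offport_irc(flows):
    """Return flows whose first payload bytes are an IRC client login on a non-IRC port."""
    hits = []
    for f in flows:
        if f["dport"] in STANDARD_IRC_PORTS:
            continue
        cmds = {m.group(1).decode(): m.group(2).decode(errors="replace")
                for m in IRC_CMD.finditer(f["payload"])}
        # Require NICK and USER together so one stray keyword in other traffic is ignored.
        if "NICK" in cmds and "USER" in cmds:
            hits.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"],
                         "channel": cmds.get("JOIN")})
    return hits

# Constructed sample flow records (hypothetical layout: src, dst, dport, first payload bytes).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "proxima.ircgalaxy.pl", "dport": 65520,
     "payload": b"NICK host0001\r\nUSER host0001 0 * :host0001\r\nJOIN &virtu\r\n"},
    {"src": "10.0.0.7", "dst": "irc.example.net", "dport": 6667,
     "payload": b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #help\r\n"},
    {"src": "10.0.0.9", "dst": "www.example.com", "dport": 80,
     "payload": b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\nUSER admin"},
]

if __name__ == "__main__":
    for hit in find_offport_irc(SAMPLE_FLOWS):
        print(hit)
```

Matching on the protocol handshake rather than the port number means the same check still fires if the server moves to a different high port.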

What happened when Google visited this site?

Of the 42 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-01-30, and the last time suspicious content was found on this site was on 2010-01-30. Malicious software includes 738 exploit(s), 416 virus, 320 scripting exploit(s).

This site was hosted on 3 network(s) including AS4134 (China Telecom backbone), AS9394 (CRNET), AS38356 (TIMENET).

This campaign has been going on for more than 30 days from the same IP address hosted in China (big surprise).

inetnum: 61.235.117.0 – 61.235.117.255
netname: CRGdSzS
country: CN
descr: China Railcom Guangdong Shenzhen Subbranch
descr: Telecommunication Company
descr: Shenzhen City,Guangdong Province

All activity, including timeframe, domains, MD5s and IPs, can be found here.

**Update 02/27/2010**
A more detailed analysis of Trojan Virut can be found here. Thanks Nicolas Brulez for bringing this to my attention.