Topic: What is this hidden iFrame MW:IFRAME:HD202 -malware?

Offline polonus

What is this hidden iFrame MW:IFRAME:HD202 -malware?
« on: October 30, 2013, 12:26:47 AM »
See: htxp://" scrolling="no" frameborder="0" hspace="0 found at htxp://kookoo.ru
Was part of malware campaign -> http://evuln.com/labs/iframe/www.lexic.ru/
Found also here: http://maldb.com/hotlinetours.ru/ and in above website: http://maldb.com/kookoo.ru/
Also on a malware block list: https://easylist-downloads.adblockplus.org/malwaredomains_full.txt
and so blocked in my browser via ABP extension,
this according to http://www.mywot.com/en/scorecard/lexic.ru?utm_source=addon&utm_content=popup-donuts

Also Suspicious Text before HTML  <!--03:06:40--><!-- 7.2.w_i --><!-- 8.2.w_i --><!-- 8.2.2.2.w_i -->  (simple sunrise data?)
Suspicious Script:
   htxp://www.reg.ru/js/rereg_informer.js
   .ru/js/rereg_informer.js <html> <head><title>301 moved permanently</title></head> <body bgcolor="white"> <center><h1>301 moved permane
Recommended scan: http://sitecheck.sucuri.net/results/kookoo.ru
Next to the iFrame malcode also this malware:
http://labs.sucuri.net/db/malware/malware-entry-mwjsanon7

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
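The iframe quoted in the post carries the attribute combination (scrolling="no", frameborder="0", zero size) that drive-by injections use to keep the frame out of the visitor's sight. The following is an added example for this thread, not code from the post or from any of the scanners it links (Zulu, Sucuri, jsunpack): a small Python checker that walks an HTML document, flags iframes that are hidden by size, CSS or those attributes, and matches the iframe's host against a blocklist. The sample HTML and the blocklist entries are constructed for illustration; in use the blocklist would be loaded from a list such as the malwaredomains file mentioned above.

```python
"""Flag hidden or blocklisted <iframe> elements in an HTML document.

Added example for this thread; not the forum post's or any scanner's code.
SAMPLE_HTML and BLOCKLIST are constructed stand-ins.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist of hostnames (stand-in for a malware domain list).
BLOCKLIST = {"bad-example.invalid"}

# Attribute pair typical of injected, invisible frames.
HIDING_ATTRS = {"scrolling": "no", "frameborder": "0"}
ZERO_DIM = re.compile(r"^\s*0+(px)?\s*$")


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # html.parser lowercases attribute names; values may be None.
            self.iframes.append({k: (v or "") for k, v in attrs})


def style_hides(style):
    """True if an inline style makes the element invisible or off-screen."""
    s = style.replace(" ", "").lower()
    return (
        "display:none" in s
        or "visibility:hidden" in s
        or re.search(r"(^|;)(width|height):0+(px)?(;|$)", s) is not None
        or re.search(r"(left|top):-\d{3,}", s) is not None
    )


def assess_iframe(attrs):
    """Return the list of reasons an iframe looks suspicious (empty if none)."""
    reasons = []
    if ZERO_DIM.match(attrs.get("width", "")) or ZERO_DIM.match(attrs.get("height", "")):
        reasons.append("zero width/height")
    if style_hides(attrs.get("style", "")):
        reasons.append("hidden via CSS")
    if all(attrs.get(k) == v for k, v in HIDING_ATTRS.items()):
        reasons.append("scrolling=no + frameborder=0")
    host = urlparse(attrs.get("src", "")).hostname or ""
    if host in BLOCKLIST:
        reasons.append(f"src host on blocklist ({host})")
    return reasons


def find_suspicious_iframes(html):
    """Return [(src, reasons), ...] for every iframe with at least one reason."""
    parser = IframeCollector()
    parser.feed(html)
    return [(a.get("src", ""), assess_iframe(a))
            for a in parser.iframes if assess_iframe(a)]


# Constructed sample page: one injected frame, one legitimate embed,
# one frame pushed off-screen with CSS.
SAMPLE_HTML = """<html><body>
<p>Welcome</p>
<iframe src="http://bad-example.invalid/x.php" width="0" height="0"
        scrolling="no" frameborder="0" hspace="0"></iframe>
<iframe src="https://maps.example/embed" width="600" height="400"></iframe>
<iframe src="http://other.example/ad"
        style="position:absolute; left:-5000px; width:1px; height:1px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML):
        print(src, "->", "; ".join(reasons))
```

Each hit is reported with every reason that applied, so a frame that is both zero-sized and pointed at a blocklisted host scores on both counts; a normal, visible embed from an unlisted host produces nothing.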

Offline Secondmineboy

Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline polonus

Re: What is this hidden iFrame MW:IFRAME:HD202 -malware?
« Reply #2 on: October 30, 2013, 01:45:15 PM »
In-depth checking of the Zscaler Zulu external elements for Steven Winderlich:

1. javascript check: Suspicious

...ive location: -https://www.reg.ru/js/rereg_informer.js <html> <head><title>301 moved permanently</title></head> <body bgcolor="white"> <center><h1>301 moved permanently</h1><...

2. error check there:
Suspicious  Suspicious 404 Page:
   .ru/404-test.js <html> <head><title>301 moved permanently</title></head> <body bgcolor="white"> <center><h1>301 mo
-404 error check suspicious Suspicious 404 Page:
   .ru/js/api/share.js?10" type="text/javascript"></script> <script src="/javascripts/base_packaged.js?1383061208" type="te

3. htxp://www.platnijopros.ru/images/Banners/240x400.swf seems non-malicious (server status - default and safe)
but site has another suspicious script Suspicious Script:
   platnijopros dot ru/js/main.js (is improved version of script by Kevin van Zonneveld)
   .ru/complete_page2/?id='+udata.val()); */ if (data[4] == 1) window.location.replace(slink.val()); else window.location.repla

4. Re: http://jsunpack.jeek.org/?report=77b9aa0033444446a975a6fb67575eda494c7a13

5. No significant issues detected. Also see: http://jsmeter.info/48kmov/1#results  (PreScreenAdv?)

6. Not identical in browsers: Not identical

Google: 20520 bytes       Firefox: 20448 bytes
Diff:         72 bytes

6.1. First difference:
cks/photo/880" width="85" height="85" alt=""></p> <figcaption> <div class="top"></div> <div class="middle"></div> <div class="bottom"></div> <article> ð�ñ�ð»ð¸ñ�ð½...

6.2. Read about this diff. here: http://html5doctor.com/the-figure-figcaption-elements/  credits go to link author = Richard Clark

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
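Item 6 of the reply above compares what the site returns to two different browsers (20520 versus 20448 bytes, a 72-byte difference, with the first divergence shown in context). Serving extra content only to some User-Agents is a common cloaking tactic, so the comparison itself is a useful check. The block below is an added example for this thread, not Zulu's code: it takes two response bodies for the same URL, reports sizes, the byte difference, the first differing offset with context, the lines present in only one variant, and whether any of those lines introduces an iframe, script, object or embed tag. The two bodies are constructed; in practice they would be the raw bytes fetched with two User-Agent headers.

```python
"""Compare two fetches of one page made under different User-Agent strings.

Added example for this thread; not the scanner's code. BODY_CHROME and
BODY_FIREFOX are constructed stand-ins for the two responses.
"""
import difflib
import re

# Constructed: the same page as returned to two different browsers.
BODY_CHROME = b"<html><body>\n<p>Hello</p>\n<p>Tours</p>\n</body></html>\n"
BODY_FIREFOX = (
    b"<html><body>\n<p>Hello</p>\n"
    b'<iframe src="http://bad-example.invalid/" width="0" height="0"></iframe>\n'
    b"<p>Tours</p>\n</body></html>\n"
)

# Tags whose appearance in only one variant points at injected content.
INJECT_TAG = re.compile(r"<(iframe|script|object|embed)\b", re.I)


def first_difference(a, b):
    """Return (offset, context bytes from b) of the first differing byte, or None."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            break
    else:
        if len(a) == len(b):
            return None
        i = n  # one body is a prefix of the other
    return i, b[max(0, i - 20): i + 60]


def compare_variants(a, b):
    """Build a report of how two response bodies differ."""
    report = {
        "size_a": len(a),
        "size_b": len(b),
        "diff_bytes": abs(len(a) - len(b)),
        "identical": a == b,
        "first_diff": None,
        "only_in_a": [],
        "only_in_b": [],
        "injected_tags": False,
    }
    if a == b:
        return report
    report["first_diff"] = first_difference(a, b)
    lines_a = a.decode("utf-8", "replace").splitlines()
    lines_b = b.decode("utf-8", "replace").splitlines()
    # n=0 drops unchanged context; only added/removed lines remain.
    for line in difflib.unified_diff(lines_a, lines_b, lineterm="", n=0):
        if line.startswith("+") and not line.startswith("+++"):
            report["only_in_b"].append(line[1:])
        elif line.startswith("-") and not line.startswith("---"):
            report["only_in_a"].append(line[1:])
    report["injected_tags"] = any(
        INJECT_TAG.search(line) for line in report["only_in_a"] + report["only_in_b"]
    )
    return report


if __name__ == "__main__":
    rep = compare_variants(BODY_CHROME, BODY_FIREFOX)
    print(f"Chrome: {rep['size_a']} bytes  Firefox: {rep['size_b']} bytes  "
          f"Diff: {rep['diff_bytes']} bytes")
    if rep["first_diff"]:
        print("First difference at offset", rep["first_diff"][0], ":", rep["first_diff"][1])
    for line in rep["only_in_b"]:
        print("only Firefox sees:", line)
    print("injected tag in diff:", rep["injected_tags"])
```

A size difference alone is weak evidence (timestamps and ad rotation change byte counts too); the lines that exist in only one variant, and whether they carry an active tag, are what make the check worth acting on.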