Author Topic: Need help: JS:Includer-BBV [Trj]  (Read 7049 times)

polonus
Re: Need help: JS:Includer-BBV [Trj]
« Reply #15 on: December 05, 2014, 08:51:44 PM »
Hi Michael,

You are welcome. I would also like to thank you for the inspiration; we as users here inspire each other, and we grow our abilities in doing this together.
As Yandex produces Troj/JSRedir-NZ via SOPHOS and that equals avast's JS:Includer-BBV [Trj] detection, we have already solved the greater part of this riddle.
Furthermore, as we can establish that the code for this detection is still there and we can point to that, we know enough.

Then analyzing what is on that site at http://fetch.scritch.org/ made me stumble on the term hotlog while going over some script found there, and then the online link with the possible exploit method was an additional bonus when going all through this.

That is more or less my line of reasoning here, helped by my dissecting experience from years and years. I just explain all this so you can track this back for educational purposes.

polonus
« Last Edit: December 05, 2014, 08:53:18 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!