If you google for l61.3322.org you will find LOTS of “script” links to:
http://l61DOT3322DOTorg/eDOTjs. That first letter is an L not a 1.
Be careful that java script attempts to exploit vulnerabilities in some browsers.
Fellow Handler BojanZ stated this about that malicious piece of java:
“The attached JS file calls other JS files (from various servers). At
least one of them tries to exploit an old vulnerability (MS06-014 -
Microsoft Data Access Components (MDAC)). Other JS files redirect the
browser to different sites:
http://www.777seo.com/seo.php?username=happygold
http://www.ovosearch.com/advertising/?ref=happygold
http://kikclick.com/portal/?ref=happygold
(these are click through affiliate web sites)”
3322.org has hosted malware several times in the past including a element of the zero day word exploit that was reported in 05-2005
http://isc.sans.org/diary.html?storyid=1348
It was also used as the ftp download site for a SAV based worm 12-2005.
https://isc.sans.org/diary.html?storyid=1945
Thanks Bryan and Evan for bringing this to our attention.
I recommend you monitor your IDS, firewall and other logs for access to l61DOT3322DOTORG if you see any access you should check the systems that accessed it for malware. You may decide to block that site within your enterprise. Many enterprise and educational networks did block 3322.org during the word zero day exploit in 2005.