I did some Googling using the the code strings in the exploit. According to K-OTik Security Research this is commonly called Trojan.ByteVerify. It exploits the Internet Explorer/Outlook CHM File Processing Arbitrary Code Execution Vulnerability (MS04-013) and the Microsoft Virtual Machine Remote Code Execution Vulnerability (MS03-011).
So it looks like nothing really interesting is going on here. No new exploits or anything like that. I was hoping the use of 404 would be significant, but it seems they just used that to get traffic. If indeed they compromised 404 on the webserver as a whole, they could get quick a bit of accidental traffic.
The following is output from using a text based browser built into Sam Spade. To me it shows that I am getting redirected by the server. Am I wrong?
04/15/05 23:26:22 Browsing http://www.[edited].org/asdfasdfasdf.html
Fetching http://www.[edited].org/asdfasdfasdf.html …
GET /asdfasdfasdf.html HTTP/1.1
User-Agent: Sam Spade 1.14
HTTP/1.1 302 Found
Date: Sat, 16 Apr 2005 03:26:31 GMT
Server: Apache/1.3.33 (Unix) FrontPage/184.108.40.20635 mod_ssl/2.8.22 OpenSSL/0.9.7d PowWeb/1.1
Location: http://euscorp.net/ error404.html
Content-Type: text/html; charset=iso-8859-1
The document has moved here.
< edit > placed space in the url to make it less likely someone will accidentally go to the exploit page. Remove part of the html code, dont want to confuse any browsers with multiple html tags.