Six Apart Forums WMF exploit

This is a follow on post on the exploitation of the Invision Forum used by Six Apart for its Movable Type free Support.
The code that is serving up the WMF exploits is in an IFRAME using an obfuscated url. Using a URL deobfuscator over at, I found that the iframe is calling (danger will robinson, danger). Which I believe is hosted in Russia. Their DNS server is on the same IP block.
If you are running Internet Explorer when you go to that website you get exploited.
Spoofing IE6 on XPsp2 I get an obfuscated script. Not sure how to detangle that. was hit by this bad guy on May 8th. They were also running Invision. So this has been occurring for a while.