!!Warning!!

www.d2hacking.com is pointed at http://www.pixelmethods.com/d2h/index2.htm and resolves to 209.120.206.164.

pixelmethods.com is pointed at the Nameservers own by muderopolis.com

http://www.pixelmethods.com/d2h/dls/aim.zip
http://www.pixelmethods.com/d2h/dls/d2hackit.zip
http://www.pixelmethods.com/d2h/dls/herzonggol.zip
http://www.pixelmethods.com/d2h/dls/isspamsetup.zip
http://www.pixelmethods.com/d2h/dls/pinda.zip
http://www.pixelmethods.com/d2h/dls/wirt.zip
http://www.pixelmethods.com/d2h/dls/yayD2H.zip

Every single one of these files contains the same file, setup.exe which is a trojan. The payload is
c:\mswinsck.ocx
c:\kernel32.exe
c:\conversions.ini

conversions.ini allows the typing of characters that you cannot see, and this trojan allows the access to steal the account name // pw and cdkeys of the game Diablo 2

Blizzard.com has released on official warning at http://www.battle.net/forums/thread...nt=0#post322018

Please remove these files and I certainly hope that this user is removed from your services

fyi: This person is in the Diablo 2 community as TacoX, a recent administrator at www.zelaron.com