I've dug around a bit more, and noticed that rad.msn.com does have a DLL
with the same name. However, this is not downloaded to the browser - it's an
ISAPI DLL that runs on the rad.msn.com web server and spits out HTML
adverts. Perfectly safe.
What appears to have happened is that a virus/trojan/worm has taken
advantage of this (and has been doing for some years, there are posts going
back to at least mid 2003 about this) to modify hosts files to redirect
requests for rad.msn.com to another server where there is a DLL with the
same name located, that may be malicious.
There is a third possibility - one of the rad.msn.com servers is
misconfigured, or occassionally has a fit, and instead of executing the
ISAPI DLL ends up trying to send it to the browser (after all, the browser
requested the URL albeit due to a Hotmail advert). In this case the DLL
itself is harmless, but may trigger an alarm as it's a binary file being
sent rather than the expected HTML.
If you did not have a host entry already that pointed rad.msn.com to a
different IP than those shown in an nslookup, I'd suspect a prior infection
by something that does it's best to hide it's intentions by pretending to be
a MS advert server and attempts to install the DLL (this will however
normally require a lot more work than just downloading the DLL, there would
have to be something already on your machine watching for it to arrive in
the temporary internet files folder so it can do something with it).
If there was no hosts entry prior to you adding the loopback address, it
could well be a MS ad server hiccup, maybe exacerbated by FireFox rather
than IE. I've tested a number of URLS (eg.
http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=IMSUKM?SC=HF?ID=0003bffd852fcb7f)
which do exactly what I'd expect - in both IE and FireFox return a bit of
Javascript and a banner advert, nothing more.
Dan
