Sucuri Malware Labs


Malware entry: MW:GDD:3

Description:

Code used to insert malicious JavaScript on many sites hosted at GoDaddy (the latest round of attacks, using meqashopperinfo.com, is affecting more providers).

Loads the malware from:

http://myblindstudioinfoonline.com/ll.php
http://theblindstudioinfoonline.com/ll.php
http://meqashopperinfo.com/js.php
http://meqashoppercom.com
http://meqashopperonline.com
http://insomniaboldinfocom.com/mm.php
http://voip.dialistico.net/products/voip.php

It generally infects all PHP files.

Clean up:

Run the following script: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

Malware dump (base64 added to the .php files):



For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb