Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

Malware entry: spam-seo.view_state

Description: Web page contains a modification of the "ViewState" script that hides spammy links.

The script has multiple modifications where it changes the main function name: ViewState, xViewState, nemoViewState, zdrViewState, dnnViewState, dnnInit, xtrackPageview, versionsiphone, or may even use the same code without functions.

Here's the typical ViewState code:

function zdrViewState(​)
{
var a=0,m​,v,t,z,x=new Array('9091968376​','8887918192818786347374918784939277359287883421333333338896','9977918890','949990793917947998942577939317'),l=x.length;​while(++a<=l){m=x[l​-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.​fromCharCode(parseInt(​t)+25-l+a);
t='';}}x[l​-a]=z;}document.​write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[​0]+'>');}zdr​ViewState(​);
which translates to this hidden style declaration
<style undefined>.zdroq{position​:absolute;top:-​9999px}</style>



Affecting: Any web site (no specific target).

For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb