Description: Encoded javascript included and used to distribute malware. It calls a malicious iframe once loaded. Also known as "HTTP Malicious Toolkit Variant Activity 12", the "createCSS" malware and a few others.
Very similar to MW:JS:612, but this one uses external intermediaries to load the malware (/js.php, /count.php, /facebookphp, /showthread.php, etc). Also detected as MW:IFRAME:HD421.
Domains used:
http://avspormarket.com/js.php
http://pvpfordummies.com/js.php
http://drubet.com/facebook.php
http://promelit.biz.ua/facebook.php
http://commenvdex.ce.ms/showthread.php?t=60160016
http://www.evdenevenakliyatucretleri.org/facebook.php
Affecting: Any web site (no traffic specified)
Clean up: Contact b>support@sucuri.net</b for help or request a malware clean here: http://sucuri.net/signup/
Malware dump:
function createCSS ( selector,d eclaration){var ua=navigator.userAgent.toLowerCase();v..
Full sample: http://tools.sucuri.net/?page=tools&title=blacklist&detail=1904108e77b4e9381c721ad87381e853