SiteCheck Signatures

  1. Home
  2. Signatures
  3. SiteCheck Signatures
  4. malware-entry-mwjs612

malware-entry-mwjs612

Description: Encoded javascript included and used to distribute malware. It calls a malicious iframe once loaded. Also known as "HTTP Malicious Toolkit Variant Activity 12" or "createCSS" malware.

Domains used:


eurox5.biz
http://gator65.hostgator.com/~db905/tds/out.php?s_id=1 (currently disabled)

Affecting: Any web site (no traffic specified)

Clean up: Malware is encoded, but a search / replace should fix it. Contact b>support@sucuri.net if you have questions or want us to clean it up for you.

Malware dump:


function createCSS(selector , declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/.test(uas))&&!(/opera/.test(uas))&&(/win/.test(uas));var style_node=document.createElement("style");if(!isIE)style_node.innerHTML=selector+" {"+declaration+"}";...

Full sample: http://tools.sucuri.net/?page=tools&title=blacklist&detail=1904108e77b4e9381c721ad87381e853