SiteCheck Signatures

malware-entry-mwjs613

Description: Encoded JavaScript that is included in the page and used to distribute malware. It calls a malicious iframe once loaded. Also known as "HTTP Malicious Toolkit Variant Activity 12", the "createCSS" malware and a few others.

Very similar to MW:JS:612, but this one uses external intermediaries to load the malware (/js.php, /count.php, /facebook.php, /showthread.php, etc.). Also detected as MW:IFRAME:HD421.

Domains used:


http://avspormarket.com/js.php
http://pvpfordummies.com/js.php
http://drubet.com/facebook.php
http://promelit.biz.ua/facebook.php
http://commenvdex.ce.ms/showthread.php?t=60160016
http://www.evdenevenakliyatucretleri.org/facebook.php

Affecting: Any web site (no traffic specified)

Clean up: Contact support@sucuri.net for help or request a malware cleanup here: http://sucuri.net/signup/

Malware dump:


function createCSS(selector, declaration){var ua=navigator.userAgent.toLowerCase();v..

Full sample: http://tools.sucuri.net/?page=tools&title=blacklist&detail=1904108e77b4e9381c721ad87381e853