Description: A suspicious javascript remote include was identified in the site. It it used to load malware from a PHP file from external locations and uses document-write to encode the request.
This is done to hide the original URL and make it harder for scanners to identify the malware.
Not very common type of malware. Some URLs:
http://asaunirg.com.br//js/0day.php
.. a few more..
Those are often used to redirect the browser of anyone visiting the site to Fake AV (anti virus). However, since this is a generic rule, the malware can change from site to site.
Affecting: Any web site (no specific target).
Clean up: Nothing specific.
Last update: Aug/2012
Malware dump: