See: hxtp://vscan.urlvoid.com/analysis/7cf0cd2fee53fe5fd3348fdbd6ce5b97/cmVwb3J0LXBocA==/
detected: http://urlquery.net/report.php?id=58222
First detection is right because malware now down,
polonus
See: hxtp://vscan.urlvoid.com/analysis/7cf0cd2fee53fe5fd3348fdbd6ce5b97/cmVwb3J0LXBocA==/
detected: http://urlquery.net/report.php?id=58222
First detection is right because malware now down,
polonus
A rescan still reports Blackhole?: http://urlquery.net/report.php?id=58240
Didn’t know the code was that heavily obfuscated. :o
Interesting algorithm to join the variable using eval.
Hi !Donovan,
This is used to load malware from external web sites while not being visible to the user. It is also known as Trojan.JS.Iframe on different anti virus products.
Also related to this malware: http://sucuri.net/malware-injection-sidename-js.html (that generates the Blackhole exploit alert on some AVs)
(info link author = dcid),
polonus
Hi folks,
Avast Webshield has detection for this, goin’ to htxp://tijdreizen.com/website/index.php with malzilla sandboxed gives a JS:Iframe-CG[Trj] alert,
polonus