Whenever you find a URL with such a pattern, be aware it may be malcicious.
Not found here: htxp://zulu.zscaler.com/submission/show/8c6d77a1a8745fc9d8ec90861688f4ef-1334063488
Not given here: htxp://sitecheck.sucuri.net/results/http://danielajakubowicz.com/Evy14yLH/js.js
But the code redirects here: htxp://zulu.zscaler.com/submission/show/a61d9cf41734dba9523c85310d6a5eed-1334063656
which is given as 100/100% malcious: unknown_html malware, so reported to virus AT avast dot com,
Well your securi.net site check, nor the zscaler.com results doesn’t show a double js extension but a javascript file called js.js, so it isn’t a double file extension.
Ok, that is a way of interpretation because the js is loading an external js, but in the strict sense of the word it is a single extension with js twice.
I meant to say that script code with such combinantion should always be taken as suspect,
On the one hand it is a name for a javascript javascript interpreter. But in this case here it is loading a document from hxtp://208.43.102.144/showthread.php?t=d7ad916d1c0396ff’; which is a suspected PHISH and also known as JSExpack.JB malcode, malicious obfuscated content,
So js code that redirects to JSExpack.JB, which is actually PHP malcode
Three instances reported:
2012-04-10 20:09:17 htxp://208.43.102.144/showthread.php?t=8d80b8c3f87a9538 1E9157385E1467667387EC7576243B4D 208.43.102.144 US JSExpack.JB
2012-04-10 20:05:43 htxp://208.43.102.144/showthread.php?t=73a07bcb51f4be71 E33523F6C19EB2ADE9C464972F02F945 208.43.102.144 US JS/Expack.JB
2012-04-10 20:05:18 htxp://208.43.102.144/showthread.php?t=d7ad916d1c0396ff 338A0B140933188F6E268AE4F5274551 208.43.102.144 US JSExpack.JB
But it isn’t an extension, it is just a file called js that happens to be a .js file type; that in itself isn’t suspicious; it could just as easily have been called a.js or ga.js (seen regularly) which you are effectively saying wouldn’t be suspicious, but it is no different to js.js as it isn’t a double extension either.
Whilst the content might be suspect, to me the combination certainly isn’t, as there is no double file extension, just a very short if confusing file name and I wouldn’t be digging deeper based solely on a file name.
Well considering your arguments, I altered the topic name, trying to represent this as best as we could. The pattern was striking to me as also this form of malcode was worth reporting to avast. As this thread is developping we certainly know more about this obfuscated malcode and what it does. In fact you are right because the malicious extension as such here is not js, but PHP. PHP is rather insecure and abused manifold,