jont717
Level 12

Malware found on this site...

Anyone else get Malware error trying to get into this site?

http://www.rvs-monte-carlo.com/

First page loads, but once I click on the flag I get the Malware Detected message.

URL: http://www.rvs-monte-carlo.com/main.php

Media Type: text/html

Virus Name: MGW: Heuristic.BehavesLike.JS.CodeUnfolding.C

0 Kudos
1 Solution

Accepted Solutions
eelsasser
Level 15

Re: Malware found on this site...

Yes. The page went to a lot of effort to hide an email address and we detected its obfuscation technique.

The original code:

//<![CDATA[

     var d="";for(var i=0;i<362;i++)d+=String.fromCharCode(("}hy'zD)zpJo{c)Dyl}vJlz|vtJuv'c)c)JDmlyo'hC./l{py~5{ult|jvk7;77|ccit.20d7bdc)c)b3n6J6/ljhswly5.Av{spht.ccDmlyo5nupy{Z2c)5c)2008/y{zi|z5c)Kc)3n6'6/ljhswly5.s'lpy|''po{MMc)D{|vlz|vtuv'c).cc.20<@2;3@4?88/lkvJyhoJtvym5{zi|z5c)Tc)3n6M6/ljhswly5.Eh6CIT'66Ec).cc.ccMDMmlyo5z0008/y)BkD))Bmvy/}hy'pD7BpCz5slun{oBp2D;?0k2Dz5z|iz{y/p3;?05zwsp{/))05yl}lyzl/05qvpu/))0Bl}hs/k0".charCodeAt(i)+56)%95+32);eval(d)

     //]]>

There are 2 obfuscation passes to get to this:

<a href="" onmouseover="this.href='mailto: xx @ xyz.com'" onmouseout="this.href=''">// MB</a>

Message was edited by: eelsasser
obscured the actual email address so crawlers won't capture it. on 3/11/11 7:02:16 PM EST
0 Kudos
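The first pass of the loader quoted in the answer above can be unwrapped as text instead of being handed to `eval`. This is an added example, not part of the original thread: the helper names `unfoldLayer`, `foldLayer` and `triage`, the sample payload and the marker list are assumptions made for illustration.

```javascript
// Added example. The arithmetic (c + 56) % 95 + 32 is taken from the posted
// loop; unfoldLayer, foldLayer and triage are hypothetical helper names.
const SHIFT = 56, MOD = 95, BASE = 32;

// Decode one layer as text. Nothing is passed to eval, so the hidden
// source can be inspected without running it.
function unfoldLayer(encoded) {
  let out = "";
  for (let i = 0; i < encoded.length; i++) {
    out += String.fromCharCode((encoded.charCodeAt(i) + SHIFT) % MOD + BASE);
  }
  return out;
}

// Inverse transform, used here only to build constructed sample input.
function foldLayer(plain) {
  let out = "";
  for (let i = 0; i < plain.length; i++) {
    const p = plain.charCodeAt(i);
    if (p < BASE || p >= BASE + MOD) throw new RangeError("printable ASCII only");
    const e = (((p - BASE - SHIFT) % MOD) + MOD) % MOD;
    out += String.fromCharCode(e < BASE ? e + MOD : e);
  }
  return out;
}

// Coarse markers an analyst would look for in the decoded text.
function triage(source) {
  return {
    nestedEval: /\beval\s*\(/.test(source),       // another layer follows
    writesDom: /document\.write|innerHTML/.test(source),
    mailto: /mailto:/i.test(source),
    externalLoad: /<(script|iframe)\b/i.test(source),
  };
}

// Constructed sample: a benign mailto link hidden behind one layer.
const samplePlain =
  "document.write('<a href=\"mailto:user@example.invalid\">mail</a>')";
const sampleEncoded = foldLayer(samplePlain);

console.log(unfoldLayer("}hy'zD)"));   // first 7 characters of the posted string
console.log(triage(unfoldLayer(sampleEncoded)));
```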
4 Replies
jont717
Level 12

Malware found on this site...

What does this mean?  Obviously it is not bad, just hiding the email?  I see the //MB when I am on the page.  If I click it, it just wants to send an email.

0 Kudos
eelsasser
Level 15

Malware found on this site...

Correct, it's not "Bad". He's just trying to prevent spam harvesting from the page.

But it's the fact that he used a sophisticated obfuscation technique in the first place.

One that could be used to hide malicious code instead of a benign email address.

0 Kudos
kmoser
Level 7

Re: Malware found on this site...

I run a site that uses a similar email obfuscation technique and I get occasional complaints about this.

Is there a preferred obfuscation technique that will prevent McAfee AV from mistakenly flagging my site as containing malware?

0 Kudos