A User Script Virus
While searching on Google I found a website that shows one set of content to the Google Bot and another to users (by redirecting to a new domain), and also a very suspicious JavaScript file. Maybe it's a tracking cookie or a virus/malware, I don't know, so I am asking here if someone can help explain the code?
If the site is 'safe', why does it redirect a search engine to a normal website, and users to a blank page by loading this .js file? Why should it have a getpassword.asp hosted on the second redirected domain (from a Sucuri scan)?
migrated from programmers.stackexchange.com Sep 4 '14 at 10:25
This question came from our site for professionals, academics, and students working within the systems development life cycle.
4 Answers
Let's clean this up and look at it more closely; I've also replaced some HTML entities with their text equivalent:
Add a linked image to the page; Chinese characters were encoded, but I don't think this is suspicious:
Initialize a bunch of variables, mostly with attributes about the browser and page, such as the HTTP referrer and the current URL, date, browser resolution, etc.
Appears to be looking for any existing cookies set by this application in order to keep a count of how many pages have been visited. This value is incremented and stored in a cookie.
It basically seems to be trying to record how many distinct pages you've viewed. Again it uses a cookie to help remember if you've already visited.
Miscellaneous stuff, probably just to cater to differing browser capabilities and settings, such as cookies being disabled.
Write all this information as GET parameters in the source attribute of an image. Your browser will load this then their server can record the data.
Basically it's tracking you, including the page you're viewing, how many times you've viewed the site, how many pages you've viewed, what your browser resolution is, etc.
This could be malicious depending on the circumstances, although most websites run tracking of some form such as Google Analytics. It doesn't pose a threat to the integrity of your machine as someone viewing the site, but it might be a threat to your privacy.
The odd variable names do make it seem like obfuscated malware, but I suspect this is to avoid variable naming conflicts with other JavaScript.
thexacre
No, it doesn't look like a virus, but definitely like an attempt to track your visits across different sites.
Basically, it collects a bunch of information about your browser, some cookies and which page you've come from, and puts all these as parameters into the URL of an image it loads from a server. That server can then aggregate this information from your visits to this and other sites with the same code into a user profile, which will probably be used to show you targeted advertising.
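The first two answers describe the same mechanism: page URL, referrer, screen size and cookie-based counters are packed into the query string of an image request, and whoever runs the image host can correlate visits across sites. The following script is an added example written for this page, not code from the question or from either answer, that decodes such a beacon URL, reports which fields it discloses, and checks whether the image host is a third party relative to the page. The parameter names (u, r, sw, sh, vc, pc, c, t), the cookie names and the tracker domain are constructed placeholders; a real tracker uses its own names.

```javascript
// Added example (not code from the original question or answers): decode a
// tracking-pixel URL of the kind described above and report what it discloses.
// The parameter names below are assumptions chosen for this example.
const FIELD_MEANING = {
  u:  "current page URL",
  r:  "HTTP referrer (page you came from)",
  sw: "screen width",
  sh: "screen height",
  vc: "visit counter (from cookie)",
  pc: "distinct pages counter (from cookie)",
  c:  "cookies enabled flag",
  t:  "timestamp / cache buster",
};

// Parse the src of a beacon image and describe each query parameter.
function decodeBeacon(beaconSrc) {
  const url = new URL(beaconSrc);
  const fields = [];
  for (const [key, value] of url.searchParams) {
    fields.push({ key, value, meaning: FIELD_MEANING[key] || "unknown" });
  }
  return { host: url.hostname, path: url.pathname, fields };
}

// True when the beacon host is neither the page host nor one of its
// subdomains, i.e. a third party receives the data and can correlate it
// with visits to other sites carrying the same script.
function isThirdPartyBeacon(pageUrl, beaconSrc) {
  const page = new URL(pageUrl).hostname;
  const beacon = new URL(beaconSrc).hostname;
  return !(beacon === page || beacon.endsWith("." + page));
}

// Read a numeric counter from a document.cookie-style string.
// Returns 0 when the cookie is absent or not a number.
function readCounterCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const [k, ...rest] = part.trim().split("=");
    if (k === name) {
      const n = parseInt(decodeURIComponent(rest.join("=")), 10);
      return Number.isNaN(n) ? 0 : n;
    }
  }
  return 0;
}

// Summarise what leaves the browser so a site owner or visitor can judge
// the privacy impact before deciding whether to block the request.
function beaconReport(pageUrl, beaconSrc) {
  const decoded = decodeBeacon(beaconSrc);
  return {
    thirdParty: isThirdPartyBeacon(pageUrl, beaconSrc),
    disclosed: decoded.fields.map(f => `${f.key}=${f.value} (${f.meaning})`),
    unknownFields: decoded.fields.filter(f => f.meaning === "unknown").map(f => f.key),
  };
}

// Constructed sample: the page being viewed, the cookies it has set, and the
// image src such a script would assemble (the tracker domain is a placeholder).
const SAMPLE_PAGE = "https://www.example-shop.test/product/42";
const SAMPLE_COOKIES = "session=abc; vc=7; pc=3";
const SAMPLE_BEACON =
  "https://stats.tracker-placeholder.test/count.gif?u=" +
  encodeURIComponent(SAMPLE_PAGE) +
  "&r=" + encodeURIComponent("https://www.search-engine.test/?q=shoes") +
  "&sw=1920&sh=1080" +
  "&vc=" + readCounterCookie(SAMPLE_COOKIES, "vc") +
  "&pc=" + readCounterCookie(SAMPLE_COOKIES, "pc") +
  "&c=1&t=1409826300" +
  "&x=zzz"; // an unrecognised parameter, to show how those are reported

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(beaconReport(SAMPLE_PAGE, SAMPLE_BEACON), null, 2));
}
if (typeof module !== "undefined") {
  module.exports = { decodeBeacon, isThirdPartyBeacon, readCounterCookie, beaconReport };
}
```

Run it with `node` and the report lists every parameter with its presumed meaning, flags the request as third-party, and singles out parameters it cannot classify, which is the part worth reading when a script uses odd or obfuscated names like the one in the question.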
So this showed up on a site that I had built for somebody. Here is what I can see symptomatically (I am not a programmer).
This software is installed on sites specifically to redirect the google spider bot to pick up a ton of content that is not actually on the targeted site. When in play, you will see the traffic to the website increase significantly, but there are no actual benefits to be seen. What these guys are doing is telling google that there is way more content on a website than actually is. When someone clicks on one of these fake links from a google search, they are redirected to a page that sells goods on legitimate sites.
What is happening is that these guys are affiliates of the sites that are selling the goods and they are getting commissions from each on-line sale.
They are parasites who exploit thousands of other peoples' sites to make money for themselves.
I was faced with the same alerts in our environment, so I was curious what is generating this traffic. When you think about it, there needs to be some malware installed in your browser as a plugin or similar, because I can clearly see Google search results with this URL.
Example:
When you go to the page http://www.qupingche.com/comment/show/103, it's a Chinese website that I'm 100% sure you didn't visit. On its page, you can see the web51.la stuff in this script:
And when you check the variable of the JavaScript, it's incrementing the requested location by one every 10 seconds.
This is what I saw:
And this is the latest one with the same content:
So when you see this request from your client, then there needs to be some malware generating this request on your computer!
TildalWave
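The symptom described in the last answer, the same URL requested by one client every 10 seconds with a counter that climbs by one, is easy to pick out of a proxy or firewall log once you group requests by client and URL. The script below is an added example written for this page, not code from the answer or from any product mentioned on it; it runs that check over a few constructed log lines. The log format (`<epoch seconds> <client> <url>`), the counter parameter name `loc` and the hostnames are assumptions.

```javascript
// Added example (not from the original answers): flag clients in a web-proxy
// log that fetch the same URL at a fixed interval with a counter that rises
// by one per request. Log format and parameter name are assumptions.

// Constructed sample lines: "<epoch seconds> <client ip> <url>".
const SAMPLE_LOG = [
  "1409826300 10.0.0.5 http://beacon-placeholder.test/a.js?loc=1",
  "1409826302 10.0.0.5 http://www.example.test/index.html",
  "1409826310 10.0.0.5 http://beacon-placeholder.test/a.js?loc=2",
  "1409826320 10.0.0.5 http://beacon-placeholder.test/a.js?loc=3",
  "1409826330 10.0.0.5 http://beacon-placeholder.test/a.js?loc=4",
  "1409826340 10.0.0.5 http://beacon-placeholder.test/a.js?loc=5",
  "1409826305 10.0.0.9 http://www.example.test/news",
  "1409826350 10.0.0.9 http://www.example.test/news",
  "1409826600 10.0.0.9 http://www.example.test/news",
];

// Split one log line into timestamp, client, URL-without-query and params.
function parseLine(line) {
  const [ts, client, raw] = line.trim().split(/\s+/);
  const url = new URL(raw);
  return { ts: Number(ts), client, base: url.origin + url.pathname, params: url.searchParams };
}

// Group requests by (client, base URL), keeping timestamp and counter value.
function groupRequests(lines, counterParam) {
  const groups = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    const key = `${r.client} ${r.base}`;
    if (!groups.has(key)) groups.set(key, []);
    const c = r.params.get(counterParam);
    groups.get(key).push({ ts: r.ts, counter: c === null ? null : Number(c) });
  }
  return groups;
}

function median(nums) {
  const s = [...nums].sort((a, b) => a - b);
  const m = Math.floor(s.length / 2);
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// A group is reported when it has at least minRequests entries, every gap is
// within `tolerance` seconds of the median gap, and the counter (if present
// on every request) increases by exactly one each time.
function findPeriodicBeacons(lines, { counterParam = "loc", minRequests = 4, tolerance = 2 } = {}) {
  const findings = [];
  for (const [key, reqs] of groupRequests(lines, counterParam)) {
    if (reqs.length < minRequests) continue;
    reqs.sort((a, b) => a.ts - b.ts);
    const gaps = reqs.slice(1).map((r, i) => r.ts - reqs[i].ts);
    const med = median(gaps);
    const regular = gaps.every(g => Math.abs(g - med) <= tolerance);
    const counters = reqs.map(r => r.counter);
    let counterIncrements = null; // null: no counter parameter to judge
    if (counters.every(c => c !== null)) {
      counterIncrements = counters.slice(1).every((c, i) => c === counters[i] + 1);
    }
    if (regular && counterIncrements !== false) {
      const [client, base] = key.split(" ");
      findings.push({ client, url: base, periodSeconds: med, requests: reqs.length, counterIncrements });
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(findPeriodicBeacons(SAMPLE_LOG));
}
if (typeof module !== "undefined") {
  module.exports = { parseLine, findPeriodicBeacons, SAMPLE_LOG };
}
```

On the sample data only the 10.0.0.5 requests to the beacon URL are reported (period 10 seconds, five requests, counter incrementing); the three visits to the news page from 10.0.0.9 are irregular and are left alone. Requests that come from a browser on a schedule like this, without any page being open that explains them, are what the answer above attributes to something installed on the client, so the client address in each finding is the place to start looking.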