Obfuscated Script.f!58
Obfuscated Script.f!58 is the detection name given to web pages that have been modified to host malicious content. The detection covers obfuscated JavaScript code that a Trojan has injected into a compromised web page. The script attempts to drop additional malware onto the visitor's computer, which causes the Internet browser to redirect to an unwanted web site that hosts more threats.
Typically, this obfuscated script contains exploits that target several vulnerabilities in web browsers and plug-ins, such as the following:
- Microsoft Data Access Components (MDAC) Code Execution Vulnerability (As described in Exploit-MS06-014)
- Microsoft XMLHTTP 4.0 ActiveX Control Vulnerability (As described in Exploit-XMLCoreSrvcs)
- Sky Software FileView ActiveX control buffer overflow vulnerability (As described in Exploit-CVE2006-5198)
- Microsoft Windows Shell Remote Code Execution Vulnerability (As described in Exploit-CVE2006-3730)
- BaoFeng ActiveX Control Remote Buffer Overflow vulnerability (Exploit-BaoFeng.a)
Since Obfuscated Script.f!58 is a generic detection, other variants may possess similar characteristics. Obfuscated Script.f!58 usually resides on legitimate web sites that are compromised by the Trojan.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Distribution
Obfuscated Script can be acquired from Trojan-infected legitimate web sites. It tends to infect the visitor's computer by exploiting certain vulnerabilities found in the Internet browser. Upon infection, the browser is redirected to a different domain that hosts separate malware threats.
How to Remove Obfuscated Script.f!58
1. Temporarily Disable System Restore (Windows Me/XP).
2. To be able to identify even the most recent variant of Obfuscated Script.f!58, open your antivirus application and update the virus definition file.
3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display the Windows Advanced Boot Options menu. Select Safe Mode with Networking.
- The system will now boot Windows and load only the necessary drivers and files.
4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If you are unable to delete them, place them in quarantine instead. Once the scan is complete, proceed with the next step.
Scan with McAfee Stinger:
Stinger is a portable security tool that can detect and remove particular viruses. It utilizes a highly developed scan engine technology that includes process scanning and scan function optimization.
5. Go to the McAfee Labs Stinger web page and download the tool. Save it to your desktop.
6. Once the download completes, double click on the file to run the program.
7. The Stinger main program will open.
8. The default directory to scan is the system drive (C:\). You may add additional drives to scan by clicking the Add button.
9. Click the Scan Now button to begin scanning the assigned drives.
10. Stinger will now scan and repair/delete all infected files.
11. When done, you may now close McAfee Stinger and restart Windows in normal mode.
Namendra@SEO Indore
Jun 09, 2009 @ 14:26:03
Any solution for this? Many of my websites are infected with this script.
Please help.
serendi
Jun 10, 2009 @ 01:29:42
There is no automatic removal for this threat. You may do the following:
1. Update your antivirus program and scan your computer thoroughly
2. If you have saved or cached FTP passwords, remove them. It is also advised to change your FTP passwords. The virus tends to infect your website via FTP using the accounts found on your computer.
3. When you have a new FTP password, do not save it in your FTP application.
4. Go to your index.html or index.php files and remove any unwanted JavaScript lines. This unwanted script can be easily found because it contains garbled characters.
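The manual check in step 4 of the reply above can be run across a whole web root. The following is an added example, not part of the original comment or of any antivirus product; the indicator patterns, the thresholds and the names reasons_for, suspect_scripts and scan_webroot are assumptions of this example, and the sample page is constructed.

```python
import re
from pathlib import Path

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# Heuristic indicators chosen for this example, not a vendor signature.
DECODER_RE = re.compile(r"\b(?:eval|unescape|fromCharCode)\s*\(", re.I)
ESCAPE_RE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.I)

def reasons_for(body):
    """Return the obfuscation indicators found in one inline script body."""
    body = body.strip()
    if not body:
        return []
    found = []
    if DECODER_RE.search(body):
        found.append("decoder call")
    escaped = sum(len(m.group()) for m in ESCAPE_RE.finditer(body))
    if escaped / len(body) > 0.25:
        found.append("mostly escape sequences")
    if max(len(tok) for tok in body.split()) > 120:
        found.append("very long unbroken token")
    return found

def suspect_scripts(text):
    """Return (line_number, reasons) for scripts with two or more indicators."""
    hits = []
    for m in SCRIPT_RE.finditer(text):
        found = reasons_for(m.group(1))
        if len(found) >= 2:  # a lone eval() is common in legitimate old code
            hits.append((text.count("\n", 0, m.start()) + 1, found))
    return hits

def scan_webroot(root):
    """Check every index.html / index.htm / index.php under root."""
    report = {}
    for path in Path(root).rglob("index.*"):
        if path.suffix.lower() in (".html", ".htm", ".php"):
            hits = suspect_scripts(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: the escaped text decodes to a harmless paragraph.
PACKED = "".join("%%%02X" % ord(c) for c in "<p>constructed sample only</p>" * 5)
SAMPLE = ('<html><body>\n<script>var cfg = eval("(" + jsonText + ")");</script>\n'
          '<h1>Home</h1>\n<script>document.write(unescape("' + PACKED + '"));</script>\n'
          '</body></html>\n')
if __name__ == "__main__":
    print(suspect_scripts(SAMPLE))
```

Review each reported line by hand before deleting it, since packed but legitimate scripts can trip the same indicators.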