Endpoint Protection

/*LGPL*/ or /*Exception*/ infected files Clean-up, Removal 

Jan 19, 2010 01:35 PM

As we all know, there is a mass attack of /*LGPL*/ and /*Exception*/ type scripts on websites. I have seen plenty of websites infected with this type of infection and finally decided to write a script to remove the code inserted in files all over the server directories.

A new version of /*LGPL*/ and /*Exception*/ is out in the wild. The code inserted in web pages after the BODY tag, or at the end of JavaScript files, looks a bit like this:

<script>/*LGPL*/ try{ window.onload = function(){var C1nse3sk8o41s = document.createElement('s&c^$#r))i($p@&t^&'.repl

<script>/*Exception*/ document.write(.....)

<script>try{window.onload=function(){(.....)

The SCRIPT tag above is not present in JavaScript (.js) files.
Well, it is just another type of IFRAMER worm. Once deobfuscated, it loads JavaScript from
[http][POPULAR-DOMAIN-NAMES].easylifedirect.ru:8080/[POPULAR-DOMAIN-NAMES]/google.com/

This loaded JavaScript then loads an iframe whose src contains the actual payload:
[http][POPULAR-DOMAIN-NAMES].easylifedirect.ru:8080/index.php?ys

Some URLs may also have "thechocolateweb.ru", "trueworldmedia.ru" or "avattop.ru" in place of "easylifedirect.ru".

The major files infected are JavaScript files (.js) and PHP, ASP, PL, CFM, etc.

The JavaScript code seems to have been changing since the day the attack launched, and this morning I noticed that they have removed the <script> tags in JavaScript files.

The payload hasn't changed much from last year's attacks. When one visits a compromised site, the malicious JavaScript loads more JavaScript that contains an iframe tag, which opens another page containing two links. One link goes to a PDF file, which is detected as Trojan-Downloader.JS.a or Trojan-Downloader.JS.b or Trojan-Downloader.JS.c or Trojan-Downloader.JS.d. The other is to a JAR (Java ARchive) file, which is detected as Downloader.

Those two files use the following vulnerabilities to infect the computer with malware:

* Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641)
* Adobe Reader and Acrobat 'newplayer()' JavaScript Method Remote Code Execution Vulnerability (BID 37331)
* Sun Java Runtime Environment and Java Development Kit Multiple Security Vulnerabilities (BID 32608)

The final payload includes malware like Trojan-Downloader.JAVA.Agent.al or Trojan-Downloader.JAVA.Agent.exe or Trojan.Bredolab, Downloader.Fostrem, and Trojan.Zbot, along with security risks such as PrivacyCenter and a number of other misleading applications that may be detected as Trojan.FakeAV. It's important to keep your definition files up to date, as these files are updated frequently.

REMOVAL STEPS
1. Block these websites on your firewall or router: "thechocolateweb.ru", "trueworldmedia.ru" or "avattop.ru"
2. Update your anti-virus and clean up the infection on your machines, or on whichever machine accesses the site via FTP
3. Change the FTP password from a secure machine that is not infected
4. Upload the /*LGPL*/ clean-up script to your public_html directory
5. Run the script by calling the PHP file from your browser

It will clean up the files and will also create a backup of the files that are infected (backup files will have the extension .infected.bak).

PRECAUTIONS
1. Block these websites on your firewall and/or router: "thechocolateweb.ru", "trueworldmedia.ru" or "avattop.ru"
2. Keep your anti-virus updated.
3. Do not open any suspicious links received on messengers or emails.
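An added example of the kind of clean-up the post's script performs, written here in Python rather than PHP and not the script linked from the post: it walks a web root, removes injected blocks that open with the /*LGPL*/, /*Exception*/ or try{window.onload=function(){ markers quoted above, and copies each modified file to a .infected.bak backup before writing. The regexes, the extension list and the sample files created by build_demo_tree() are constructed for this example; the assumption that the tag-less .js variant runs from the marker to the end of the file is ours, not a statement from the post.

```python
import os
import re
import shutil
import tempfile

# File types the post names as the main victims, plus plain web pages.
WEB_EXTS = {".js", ".php", ".asp", ".pl", ".cfm", ".html", ".htm"}

# Injected <script> block in a web page: it opens with one of the markers
# quoted in the post and runs to the next closing tag (lazy match).
SCRIPT_BLOCK = re.compile(
    r"<script>\s*(?:/\*(?:LGPL|Exception)\*/"
    r"|try\s*\{\s*window\.onload\s*=\s*function\s*\(\)\s*\{)"
    r".*?</script>",
    re.IGNORECASE | re.DOTALL,
)

# Tag-less variant appended to .js files.  Assumption for this example: the
# injected code runs from the marker to the end of the file.
JS_TAIL = re.compile(r"/\*(?:LGPL|Exception)\*/.*\Z", re.DOTALL)


def clean_content(text, ext):
    """Strip injected blocks from text; return (cleaned_text, blocks_removed)."""
    cleaned, hits = SCRIPT_BLOCK.subn("", text)
    if ext == ".js":
        cleaned, tail_hits = JS_TAIL.subn("", cleaned)
        hits += tail_hits
    return cleaned, hits


def clean_tree(root, backup_suffix=".infected.bak"):
    """Walk root, clean every infected web file in place, and keep a backup
    copy of each file that was modified.  Returns the paths that were cleaned."""
    cleaned_files = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in WEB_EXTS or name.endswith(backup_suffix):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                original = fh.read()
            new_text, hits = clean_content(original, ext)
            if hits == 0:
                continue
            shutil.copy2(path, path + backup_suffix)  # preserve evidence first
            with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                fh.write(new_text)
            cleaned_files.append(path)
    return cleaned_files


# --- constructed sample web root, so the example runs offline ---------------
INFECTED_HTML = (
    "<html><body><script>/*LGPL*/ try{ window.onload = function(){"
    "var C1nse3sk8o41s = document.createElement('s&c^$#r))i($p@&t^&'"
    ".replace(/[^a-z]/g,''));};}catch(e){}</script>\n"
    "<p>hello</p></body></html>"
)
INFECTED_JS = (
    "function f(){return 1;}\n"
    "/*Exception*/ document.write('<iframe src=\"http://example.invalid/\"></iframe>');"
)
CLEAN_PHP = "<?php echo 'ok'; ?>\n"


def build_demo_tree():
    """Create a temp directory holding the constructed sample files."""
    root = tempfile.mkdtemp(prefix="lgpl_cleanup_")
    for name, body in (("index.html", INFECTED_HTML),
                       ("site.js", INFECTED_JS),
                       ("clean.php", CLEAN_PHP)):
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Run the cleaner over the sample tree and report what changed."""
    root = build_demo_tree()
    cleaned = sorted(os.path.basename(p) for p in clean_tree(root))
    after = {}
    for name in ("index.html", "site.js", "clean.php"):
        with open(os.path.join(root, name), encoding="utf-8") as fh:
            after[name] = fh.read()
    backups = sorted(n for n in os.listdir(root) if n.endswith(".infected.bak"))
    return {"cleaned": cleaned, "after": after, "backups": backups}


if __name__ == "__main__":
    result = demo()
    print("cleaned:", result["cleaned"])
    print("backups:", result["backups"])
```

The markers are matched literally (no space between /* and LGPL), so an ordinary licence comment such as /* LGPL licensed */ is left alone, but any heuristic of this kind can still hit a legitimate file, which is why the backup is written before the file is rewritten: a false positive is restored by renaming the .infected.bak copy back. As in the post's steps, run it only after the FTP credentials have been changed from a clean machine, otherwise the files are simply re-infected.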


Download the script to clean up /*LGPL*/ and /*Exception*/ infected files

