The antivirus verdicts
- JS/ApndIfra-A
- JS/DwnLdr-HOO
- JS/IFrameHtm-A
- JS/IfrmInj-A
- JS/MalTxt-Gen
- JS/PDFLd-Gen
- JS/RefC-Gen
- JS/ScrLd-B
- JS/ScrLd-C
- JS/ScrLd-D
- JS/ScrLd-E
- JS/ScrObf-Gen
- JS/Sinowal-Gen
- JS/Sinowal-V
- JS/XIfr-Gen
- Mal/Badsrc-A
- Mal/Badsrc-C
- Mal/Badsrc-D
- Mal/Badsrc-E
- Mal/Badsrc-F
- Mal/Badsrc-K
- Mal/Badsrc-M
- Mal/ExpJS-AD
- Mal/HappJS-A
- Mal/Iframe-AA
- Mal/Iframe-AF
- Mal/Iframe-AJ
- Mal/Iframe-AN
- Mal/Iframe-F
- Mal/Iframe-Gen
- Mal/Iframe-I
- Mal/Iframe-M
- Mal/Iframe-N
- Mal/Iframe-O
- Mal/Iframe-Q
- Mal/Iframe-V
- Mal/Iframe-W
- Mal/Iframe-Y
- Mal/JSIfrLd-A
- Mal/JSRedir-D
- Mal/ObfJS-A
- Mal/ObfJS-AB
- Mal/ObfJS-X
- Mal/Psyme-E
- Mal/ScrLd-A
- Mal/Varcat-A
- Troj/AllAple-A
- Troj/Badsrc-B
- Troj/Badsrc-D
- Troj/Badsrc-G
- Troj/Badsrc-H
- Troj/Badsrc-L
- Troj/Badsrc-M
- Troj/Badsrc-O
- Troj/Bitget-A
- Troj/DecDec-A
- Troj/Dloadr-DLH
- Troj/ExpJS-FU
- Troj/Fujif-Gen
- Troj/Ifradv-A
- Troj/Iframe-AQ
- Troj/Iframe-BT
- Troj/Iframe-BW
- Troj/Iframe-CB
- Troj/Iframe-CG
- Troj/Iframe-DP
- Troj/Iframe-DQ
- Troj/Iframe-DR
- Troj/IFrame-DY
- Troj/Iframe-EA
- Troj/Iframe-EN
- Troj/Iframe-FB
- Troj/Iframe-GO
- Troj/Iframe-HF
- Troj/Iframe-HP
- Troj/Iframe-HX
- Troj/Iframe-IO
- Troj/Iframe-KX
- Troj/Iframe-Q
- Troj/JsDown-AH
- Troj/JSRedir-AK
- Troj/JSRedir-AR
- Troj/JSRedir-AU
- Troj/JSRedir-AZ
- Troj/JSRedir-BB
- Troj/JSRedir-BD
- Troj/JSRedir-BP
- Troj/JSRedir-DC
- Troj/JSRedir-DL
- Troj/JSRedir-DO
- Troj/JSRedir-DP
- Troj/JSRedir-DT
- Troj/JSRedir-EF
- Troj/JSRedir-FV
- Troj/JSRedir-GS
- Troj/JSRedir-GW
- Troj/JsRedir-HA
- Troj/JSRedir-HB
- Troj/JSRedir-HZ
- Troj/JSRedir-LH
- Troj/JSRedir-LR
- Troj/JSRedir-MH
- Troj/JSRedir-MN
- Troj/JSRedir-MX
- Troj/JSRedir-O
- Troj/JsRedir-OT
- Troj/JSRedir-R
- Troj/JSRedir-RX
- Troj/JSRedir-S
- Troj/ObfJS-O
- Troj/PDFEx-ET
- Troj/PhoexRef-A
- Troj/SEOImg-A
- Troj/SWFifra-A
- Troj/Thyself-A
- Troj/Unif-B
- Troj/WndRed-C
- VBS/Inor-AA
- VBS/Redlof-A
- Yandex/MalTds
- Yandex/MalWindows
- Yandex/MalAndroid
- Mobile redirect
- Undesirable programs
- Behavior analysis
If a verdict is missing from the list, use the Yandex generic instructions on treating an infected site.
JS/ApndIfra-A
This verdict means that the page contains obfuscated JavaScript code that, when executed, loads malicious JavaScript code from remote resources. This malicious code is usually contained in the onLoad
attribute of the body
element.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict JS/ApndIfra-A:
The names of variables and functions in each specific case may differ from the ones given in the example.
JS/DwnLdr-HOO
This verdict means that the page contains obfuscated JavaScript code that, when executed, opens a pop-up ad window and loads malicious code from remote resources.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict JS/DwnLdr-HOO:
The names of variables and functions in each specific case may differ from the ones given in the example.
JS/IFrameHtm-A
This verdict means that the page contains obfuscated JavaScript code that, when executed, adds an invisible iframe
element to the page, and the element loads malicious code from remote resources.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict JS/IFrameHtm-A:
The names of variables and functions in each specific case may differ from the ones given in the example.
JS/IfrmInj-A
This verdict means that the page contains JavaScript code that, when executed, checks the version of the user's operating system and browser and also checks for specific cookies. Under certain conditions, the code adds an <iframe>
tag with the "width" and "height" attributes set to values from 0 to 3. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict JS/IfrmInj-A:
JS/MalTxt-Gen
This verdict means that the page contains obfuscated JavaScript code that, when executed, loads a script to distribute malware.
The script protects itself from decoding and analysis using textarea
, as it contains code to counteract deobfuscation, for example:
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict JS/MalTxt-Gen:
The names of variables and functions in each specific case may differ from the ones given in the example.
JS/PDFLd-Gen
This verdict means that malicious code (a set of exploits) was loaded from a remote resource when the page was opened. This usually happens due to the presence of malicious code in legitimately enabled JavaScript scenarios.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict JS/PDFLd-Gen:
JS/RefC-Gen
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware if the user came to the infected site from a search engine.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict JS/RefC-Gen:
The names of variables and functions in each specific case may differ from the ones given in the example.
JS/ScrLd-B
This verdict means that the page contains obfuscated JavaScript code that, when executed, loads a malicious script from a remote server.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict JS/ScrLd-B:
Variable and function names may differ from those given in the example.
JS/ScrLd-C
This verdict means that the page contains obfuscated JavaScript code that, when executed, loads a malicious script from a remote server.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict JS/ScrLd-C:
Variable and function names may differ from those given in the example.
JS/ScrLd-D
This verdict means that the page contains obfuscated JavaScript code that, when executed, loads a script from a remote server with malicious content.
To remove malicious code from the server, follow our instructions.
An example of code that results in the JS/ScrLd-D verdict:
Variable and function names may differ from those given in the example.
JS/ScrLd-E
This verdict means that the page contains obfuscated JavaScript code that, when executed, loads a malicious script from a remote server. Malware distributors try to make this malicious code harder to detect by using words that are not associated with malware in the names of variables and functions. For example, colors
.
To remove malicious code from the server, follow our instructions.
An example of code that results in the JS/ScrLd-E verdict:
The names of variables and functions in each specific case may differ from the ones given in the example.
JS/ScrObf-Gen
This verdict means that the page contains obfuscated JavaScript code that, when executed, adds an <iframe>
tag to the page. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict JS/ScrObf-Gen:
Variable and function names may differ from those given in the example.
JS/Sinowal-Gen
This verdict means that the page contains obfuscated JavaScript code that, when executed, loads a script that adds an <iframe>
tag to the page, with the "width" and "height" attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict JS/Sinowal-Gen:
The names of variables and functions in each specific case may differ from the ones given in the example.
JS/Sinowal-V
This verdict means that the page contains obfuscated JavaScript code that, when executed, loads a script that adds an <iframe>
tag to the page, with the "width" and "height" attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict JS/Sinowal-V:
where <skipped>
are skipped sections of malicious code that may differ significantly from instance to instance.
JS/XIfr-Gen
This verdict means that the page contains JavaScript code that, when executed, adds an <iframe>
tag to the page, with the width
and height
attributes set to values from 0 to 10. The src
attribute of the tag contains a domain name that malware is distributed from. The <iframe>
tag may include additional attributes such as frameborder=0
, style="VISIBILITY:hidden"
, style="display:none"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict JS/XIfr-Gen:
Mal/Badsrc-A
This verdict means that the page contains code with a <script>
tag. The src
attribute of the tag contains a domain name that malware is distributed from. The script loaded in the src
attribute can end in the .php
or .js
extension.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Badsrc-A:
Mal/Badsrc-C
This verdict means that the page contains code with a <script>
tag. The src
attribute of the tag contains a domain name that malware is distributed from. The script loaded in the src
attribute can end in the .php
or .js
extension.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Badsrc-C:
Mal/Badsrc-D
This verdict means that the page contains code with a <script>
tag. The src
attribute of the tag contains a file with the .jpg
extension. The loaded script with the .jpg
extension usually contains malicious code.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Badsrc-D:
Mal/Badsrc-E
This verdict means that the page contains code with a <script>
tag. The src
attribute of the tag contains a domain name that malware is distributed from. The domain name is presented in HTML URL Encode format.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Badsrc-E:
Mal/Badsrc-F
This verdict means that the page contains code with a <script>
tag. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Badsrc-F:
Mal/Badsrc-K
This verdict means that the page has JavaScript code from the traffbiz.ru partner network. During its execution, malicious JavaScript code is periodically loaded from a third-party site that distributes malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Badsrc-K:
Mal/Badsrc-M
This verdict means that the page contains code with a <script>
tag. The src
attribute of the tag contains a domain name that malware is distributed from. The script loaded in the src
attribute may end with the extension .php
and takes the necessary parameters set by the attacker. Often, the script is placed on the page before the </body></html>
closing tags.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Badsrc-M:
Mal/ExpJS-AD
This verdict means that the page contains obfuscated JavaScript code that, when executed, detects the version of the operating system, browser, and installed plugins, using this information to add an <iframe>
tag with the src
attribute that contains the URL of an intentionally infected file.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/ExpJS-AD:
Variable and function names may differ from those given in the example.
Mal/HappJS-A
This verdict means that a script with the .js
extension has code that uses a JavaScript function (such as document.write
) to create a <script>
tag with the src
attribute. The src
attribute contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/HappJS-A:
Mal/Iframe-AA
This code loads a malicious JavaScript script from a third-party resource of the format http://91.196.216.20/url.php
to the infected page's context. After the malicious script is loaded, in many cases (for example, for Internet Explorer), the user's device is attacked using various exploits. The code is obfuscated and specially designed against antivirus systems.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Iframe-AA:
Mal/Iframe-AF
This verdict means that the page contains obfuscated JavaScript code. When executed, the code adds an <iframe>
tag to the page. The src
attribute of the tag contains a domain name that malware is distributed from. Malicious code is added to all files with the extension .js
on the website.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Iframe-AF:
Variable and function names may differ from those given in the example.
Mal/Iframe-AJ
This verdict means that the page contains malicious JavaScript code that, when executed, adds an <iframe>
tag to the page. The src
attribute of the tag contains a domain name that malware is distributed from. The width and height of the added tag are usually less than 5 pixels.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Iframe-AJ:
Mal/Iframe-AN
This verdict means that the page contains an <iframe>
tag. The src
attribute of the tag contains the domain name of a host that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Iframe-AN:
Mal/Iframe-F
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes set to values from 0 to 2, or JavaScript code that, when executed, adds this tag to the page. The src
attribute of the tag contains a domain name that malware is distributed from. The tag may include additional attributes such as frameborder=0
, style="VISIBILITY:hidden"
, or style="display:none"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Iframe-F:
Mal/Iframe-Gen
This verdict means that the page contains obfuscated JavaScript code. When this code is executed, the iframe
element is added to the page. The src
attribute contains a domain name that malware is distributed from. Other attributes conceal the created page element: frameborder=0
, style="VISIBILITY:hidden"
, style="display:none"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Iframe-Gen:
The code after the first deobfuscation stage:
The code after the second deobfuscation stage:
Variable and function names may differ from those given in the example.
Mal/Iframe-I
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from. The domain name is encoded using decimal or hexadecimal HTML entities. The tag may contain additional parameters such as frameborder=0
, style="VISIBILITY:hidden"
, style="display:none"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Iframe-I:
Mal/Iframe-M
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes whose values are not zero. The src
attribute of the tag contains the domain name of a server that malware is distributed from. The tag may contain additional parameters such as style="visibility: hidden"
and border="0"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Iframe-M:
Mal/Iframe-N
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from. The tag may also contain event attributes whose values contain malicious code.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Iframe-N:
Mal/Iframe-O
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes set to values greater than zero. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Iframe-O:
Mal/Iframe-Q
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from. The tag may have additional attributes such as frameborder=0
, style="VISIBILITY:hidden"
, style="display:none"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Iframe-Q:
Mal/Iframe-V
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from. The tag may have additional attributes such as frameborder=0
, style="VISIBILITY:hidden"
, style="display:none"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Iframe-V:
Mal/Iframe-W
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes set to values from 0 to 2, or JavaScript code that, when executed, adds this tag to the page. The src
attribute of the tag contains a domain name that malware is distributed from. The tag may have additional attributes such as frameborder=0
, style="VISIBILITY:hidden"
, style="display:none"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Iframe-W:
Mal/Iframe-Y
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes set to values greater than zero. The src
attribute of the tag contains a domain name that malware is distributed from. The tag may have additional attributes such as frameborder=0
, style="VISIBILITY:hidden"
, style="display:none"
. The iframe can also be added to the page dynamically by executing JavaScript code.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Iframe-Y:
Mal/JSIfrLd-A
This verdict means that the page contains obfuscated JavaScript code that, when executed, adds an <iframe>
tag to the page. The src
attribute of the tag contains a domain name that malware is distributed from. Other attributes of the tag ensure that the created page element remains hidden.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/JSIfrLd-A:
Variable and function names may differ from those given in the example.
Mal/JSRedir-D
This verdict means that the page contains obfuscated JavaScript code redirecting the user to a site that distributes malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/JSRedir-D:
Variable and function names may differ from those given in the example.
Mal/ObfJS-A
This verdict means that the page contains obfuscated JavaScript code that, when executed, results in malicious activity. Most often, after the script is executed, an <iframe>
tag is created. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/ObfJS-A:
Variable and function names may differ from those given in the example.
Mal/ObfJS-AB
This verdict means that the page contains obfuscated JavaScript code that, when executed, results in malicious activity. Most often, after the script is executed, an <iframe>
tag is created. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/ObfJS-AB:
Variable and function names may differ from those given in the example.
Mal/ObfJS-X
This verdict means that the page contains obfuscated JavaScript code that, when executed, results in malicious activity. Most often, after the script is executed, an <iframe>
tag is created. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/ObfJS-X:
Variable and function names may differ from those given in the example.
Mal/Psyme-E
This verdict means that the page contains obfuscated JavaScript code that, when executed, adds an <iframe>
tag to the page, with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Psyme-E:
The names of variables and functions in each specific case may differ from the ones given in the example.
Mal/ScrLd-A
This verdict means that the page contains obfuscated JavaScript code that, when the mouse is moved, loads a script with malware on the page. The code is added to all files with the .js
extension on the website.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/ScrLd-A:
The names of variables and functions in each specific case may differ from the ones given in the example.
Mal/Varcat-A
This verdict means that the page contains obfuscated JavaScript code that, when executed, adds an <iframe>
tag to the page, with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from.
In addition to the attributes shown above, the <iframe>
tag can also include extra attributes such as: frameborder="0"
и style="visibility: hidden;"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Mal/Varcat-A:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/AllAple-A
Troj/Allaple-A — is a backdoor for the Windows platform. The trojan copies itself to different directories with a randomly generated file name of eight bytes, extracts malicious DLL files from its body, and places them in the Windows system directory. When the system is infected, the following line appears in the contents of all HTML files: <OBJECT type="application/x-oleobject"CLASSID="CLSID(randomly generated CLSID)"></OBJECT>
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/AllAple-A:
Troj/Badsrc-B
This verdict means that the page contains a <script>
tag. The src
attribute of the tag contains a domain name that malware is distributed from. The script is loaded on the page from a URI ending in .js
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Badsrc-B:
Troj/Badsrc-D
This verdict means that the page contains JavaScript code that, when executed, adds a <script>
tag to the page. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Badsrc-D:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/Badsrc-G
This verdict means that the page contains a <script>
tag. The src
attribute of the tag contains a domain name that malware is distributed from. The script is loaded on the page from a URI ending in .js
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Badsrc-G:
Troj/Badsrc-H
This verdict means that the page contains JavaScript code that, when executed, adds a <script>
tag to the page. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Badsrc-H:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/Badsrc-L
This verdict means that the page contains a <script>
tag. The src
attribute of the tag contains a domain name that malware is distributed from. The script is loaded on the page from a URI ending in .php
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Badsrc-L:
Troj/Badsrc-M
This verdict means that the page contains a <script>
tag. The src
attribute of the tag contains a domain name that malware is distributed from. The script to load in the src
attribute may end in the .js
extension. In most cases, the script is placed after the </html>
tag.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Badsrc-M:
Troj/Badsrc-O
This verdict means that the page contains a <script>
tag. The src
attribute of the tag contains a domain name that malware is distributed from. The script is loaded on the page from a URI ending in .php
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Badsrc-O:
Troj/Bitget-A
This verdict means that the page contains obfuscated JavaScript code that, when executed, adds an <iframe>
tag to the page, with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Bitget-A:
Troj/DecDec-A
This verdict means that the page contains obfuscated JavaScript code that, when executed, results in malicious activity. Most often, after the script is executed, an <iframe>
tag is created. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/DecDec-A:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/Dloadr-DLH
This verdict means that the page contains JavaScript code that, when executed, adds an <iframe>
tag to the page, with the width
and height
attributes set to values from 0 to 10. The src
attribute of the tag contains a domain name that malware is distributed from. The tag may have additional attributes such as frameborder=0
, style="VISIBILITY:hidden"
, style="display:none"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Dloadr-DLH:
Troj/ExpJS-FU
This verdict means that the page contains obfuscated JavaScript code that, when executed, loads resources with malware. Usually, the resources are loaded by adding the <applet>
and <iframe>
tags.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/ExpJS-FU:
Troj/Fujif-Gen
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from. The tag may have additional attributes such as frameborder="0"
and style="height:1px"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Fujif-Gen:
Troj/Ifradv-A
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from. The URL of this malicious code contains the adv
substring.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Ifradv-A:
Troj/Iframe-AQ
This verdict means that the page contains obfuscated JavaScript code that, when executed, adds an <iframe>
tag to the page, with the width
and height
attributes set to values from 0 to 3. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-AQ:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/Iframe-BT
This verdict means that the page contains an invisible iframe
element that loads malicious code from remote resources. This element is usually placed at the end of the page.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-BT:
Troj/Iframe-BW
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from. The tag may contain additional attributes such as frameborder=0
, style="VISIBILITY:hidden"
, style="visibility:hidden;position:absolute"
.
To remove malicious code from the server, follow our instructions.
Examples of malicious code that is issued the verdict Troj/Iframe-BW:
Troj/Iframe-CB
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes whose values are not zero. The src
attribute of the tag contains a domain name that malware is distributed from.
In addition, the <iframe>
has the style="border: 0px none; position: relative; top: 0px; left: -500px; opacity: 0;"
attribute.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-CB:
Troj/Iframe-CG
This verdict means that the page contains obfuscated JavaScript code that, when executed, adds an <iframe>
tag to the page. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-CG:
Troj/Iframe-DP
This verdict means that the page contains obfuscated JavaScript code that, when executed, adds an <iframe>
tag to the page, with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-DP:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/Iframe-DQ
This verdict means that the page contains obfuscated JavaScript code that, when executed, adds an <iframe>
tag to the page. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-DQ:
Troj/Iframe-DR
This verdict means that the page contains JavaScript code that, when executed, adds an <iframe>
tag to the page, with the width
and height
attributes set to values from 0 to 10. The src
attribute of the tag contains a domain name that malware is distributed from. The tag may have additional attributes such as frameborder=0
, style="VISIBILITY:hidden"
, style="display:none"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-DR:
Troj/IFrame-DY
This verdict means that the page contains obfuscated JavaScript code that, when executed, adds an invisible iframe element to the page, which then loads malicious code from remote resources.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-DY:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/Iframe-EA
This verdict means that the page contains obfuscated JavaScript code that, when executed, adds an <iframe>
tag to the page, with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-EA:
Troj/Iframe-EN
This verdict means that the page contains JavaScript code that, when executed, adds an <iframe>
tag to the page, with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-EN:
Troj/Iframe-FB
This verdict means that the page contains JavaScript code that, when executed, adds an <iframe>
tag to the page, with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from. The tag may have additional attributes such as frameborder=0
, style="VISIBILITY:hidden"
, style="display:none"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-FB:
Troj/Iframe-GO
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-GO:
Troj/Iframe-HF
This verdict means that the page contains JavaScript code that, when executed, adds an <iframe>
tag with values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from. The tag may have additional attributes such as frameborder=0
, style="VISIBILITY:hidden"
, style="display:none"
. In most cases, the malicious code can be found in multiple places in the middle of the HTML document.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-HF:
Troj/Iframe-HP
This verdict means that the page contains a small iframe element that loads malicious code from remote resources. Usually, this element is located before the </body>
closing tag
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-HP:
Troj/Iframe-HX
This verdict means that the page contains an <iframe>
tag. The src
attribute of the tag contains a domain name that malware is distributed from. The tag also has the attribute style="visibility: hidden; display: none; display: none;"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-HX:
Troj/Iframe-IO
This verdict means that the page contains malicious JavaScript code that, when executed, adds an <iframe>
tag to the page. The src
attribute of the tag contains a domain name that malware is distributed from. When using styles, the tag is usually placed outside the visible area of the page.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-IO:
Troj/Iframe-KX
This verdict means that the page contains malicious JavaScript code that, when executed, adds an <iframe>
tag to the page. The src
attribute of the tag contains a domain name that malware is distributed from. When using styles, the tag is usually placed outside the visible area of the page.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-KX:
Troj/Iframe-Q
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes set to values from 0 to 2. The src
attribute of the tag contains a domain name that malware is distributed from. The tag may have additional attributes such as frameborder=0
, style="VISIBILITY:hidden"
, style="display:none"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Iframe-Q:
Troj/JsDown-AH
This verdict means that the page contains obfuscated JavaScript code that, when executed, adds an <iframe>
to the page. The src
attribute of the tag contains a domain name that malware is distributed from. This code is usually appended to the end of all files with scripts that are loaded on the page.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JsDown-AH:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-AK
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-AK:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-AR
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-AR:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-AU
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-AU:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-AZ
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware. Such code is typically placed in a separate file with the .js
extension.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-AZ:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-BB
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-BB:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-BD
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-BD:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-BP
This verdict means that the page contains obfuscated JavaScript code that, when executed, loads resources containing malicious content or redirects the user to a malicious site.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-BP:
Troj/JSRedir-DC
This verdict means that the page contains obfuscated JavaScript code that, when executed, loads malicious JavaScript code from remote resources.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-DC:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-DL
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-DL:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-DO
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-DO:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-DP
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-DP:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-DT
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-DT:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-EF
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-EF:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-FV
This verdict means that the page contains obfuscated JavaScript code that, when the mouse is moved, loads a script with malware on the page. The code is added to all files with the .js
extension on the website.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-FV:
Troj/JSRedir-GS
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-GS:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-GW
This verdict means that the page contains JavaScript objects that link to malicious code from remote resources. These elements usually end up in the site’s database (within articles, comments, and so on) due to insufficient filtering of user input data.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-GW:
Troj/JsRedir-HA
This verdict means that the page contains obfuscated JavaScript code that, when executed, loads resources with malicious content or redirects the user to a malicious site.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-HA:
Troj/JSRedir-HB
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-HB:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-HZ
This verdict means that the page contains obfuscated JavaScript code that, when executed, loads resources containing malicious content or redirects the user to a malicious site.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-HZ:
Troj/JSRedir-LH
This verdict means that the page markup contains JavaScript code that, when executed, redirects the user to a website distributing malware. Most often, such code is inserted at the beginning of all .js files on the site.
Example of malicious code that is issued the verdict Troj/JSRedir-LH:
The names of variables and functions in each specific case may differ from the ones given in the example.
In this type of infection, sites often contain malicious PHP code like , which also must be removed in order to avoid re-infection.
To remove malicious code from the server, follow our instructions.
Troj/JSRedir-LR
This verdict means that the page contains obfuscated JavaScript code. Malicious code is added to one of the files with .js
extension on the website.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-LR:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-MH
This verdict means that the site contains JavaScript code that loads a malicious .swf object which downloads exploits to website visitors. Typically, attackers place this code in a separate .js file on a compromised server.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-MH:
Troj/JSRedir-MN
This verdict means that the site contains JavaScript code that loads a malicious .swf object which downloads exploits to website visitors. Typically, attackers place this code in a separate .js file on a compromised server.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-MN:
Troj/JSRedir-MX
This verdict means that the page contains malicious JavaScript code that adds an <iframe>
element to the page. The src
attribute contains a domain name that malware is distributed from. Mobile browsers when executing this code are redirected to malicious sites.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-MX:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-O
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-O:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JsRedir-OT
This verdict means that the page contains a script
tag with the src
attribute specifying the domain name of a server that distributes malware. The loaded script adds the <iframe>
tag, usually placed outside of the visible page area.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-OT:
Troj/JSRedir-R
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware in the .cn
domain zone.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-R:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-RX
This verdict means that the page contains JavaScript code that, when executed, redirects the user to a site distributing malware. The code contains a URI (Universal Resource Identifier) in the src
attribute, usually ending with jquery.min.php
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-AK:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/JSRedir-S
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware. This verdict is usually issued to sites (or a chain of sites) that distribute fake antivirus programs.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/JSRedir-S:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/ObfJS-O
This verdict means that the page contains obfuscated JavaScript code that, when executed, loads resources containing malicious content or redirects the user to a malicious site.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/ObfJS-O:
Troj/PDFEx-ET
This verdict means that the page or scripts loaded on it contain JavaScript code that, when executed, adds an <iframe>
tag to the page. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/PDFEx-ET:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/PhoexRef-A
This verdict means that the page contains obfuscated JavaScript code that, when the mouse is moved, loads a script with malware on the page. This code is added to all files with the .js
extension on the website.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/PhoexRef-A:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/SEOImg-A
This verdict means that the page contains JavaScript code that redirects the user’s browser to a page with a script distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/SEOImg-A:
Troj/SWFifra-A
This verdict means that an SWF file with an <iframe>
tag is loaded on the page. The src
attribute of the tag contains a domain name that malware is distributed from.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/SWFifra-A:
Troj/Thyself-A
This verdict means that the page contains JavaScript code that, when executed, adds an <iframe>
tag to the page, with the width
and height
attributes set to values from 0 to 10. The src
attribute of the tag contains a domain name that malware is distributed from. The tag may have additional attributes such as frameborder=0
, style="VISIBILITY:hidden"
, style="display:none"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Thyself-A:
Troj/Unif-B
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/Unif-B:
The names of variables and functions in each specific case may differ from the ones given in the example.
Troj/WndRed-C
This verdict means that the page contains obfuscated JavaScript code that, when executed, redirects the user to a site distributing malware.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Troj/WndRed-C:
The names of variables and functions in each specific case may differ from the ones given in the example.
VBS/Inor-AA
This verdict means that the page contains VBScript code that, if successfully executed, creates and runs an executable file on the user’s computer.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict VBS/Inor-AA:
Note: <bin>
stands for the contents of the executable file in the hexadecimal notation.
VBS/Redlof-A
This verdict means that the page contains obfuscated VBScript code that, if successfully executed, creates and runs an executable file on the user’s computer.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict VBS/Redlof-A:
Yandex/MalTds
This verdict means that the page contains an <iframe>
tag with the width
and height
attributes set to values from 0 to 2, or JavaScript code that, when executed, adds this tag to the page. The src
attribute of the tag contains a domain name that malware is distributed from. The tag contains additional attributes: frameborder=0
, style="VISIBILITY:hidden"
, style="display:none"
.
To remove malicious code from the server, follow our instructions.
Example of malicious code that is issued the verdict Yandex/MalTds:
Yandex/MalWindows
This verdict means that the page contains links to download malicious software for the Microsoft Windows OS.
Yandex/MalAndroid
This verdict means that the page contains links to download malicious software for the Android OS.
Mobile redirect
This verdict means that the Yandex antivirus bot detected a mobile redirect when checking the site’s pages. A mobile redirect means that the user is redirected to a third-party site when trying to view a page on the source site from a mobile device (for example, a phone).
Such redirects usually take users to sites that distribute malicious or fraudulent software (for example, disguised as a web browser update). Downloading and installing such programs may cause the mobile device to be infected.
Mobile redirects can be configured in the .htaccess file, including the one provided with the CMS. They can also appear because of a server-side backdoor script.
Mobile redirects can be configured in the .htaccess file, including the one provided with your CMS. They can also appear because of the server-side backdoor script.
To remove malicious code from the server, follow our instructions.
Undesirable programs
The last check showed that the site has files or links to files that have had extra software added. This could happen either with the site owners’ consent or without their knowledge as a result of malicious actions.
Additional software may include dubious programs that can harm the computer, change settings, or disrupt the operation of other software.
Such sites are displayed in search results with the notification "Be careful when downloading files from this site". Links to files (or the files themselves) containing undesirable software should be removed from the site. If they are not detected during the next scan, the warning will be removed from the search results.
Behavior analysis
The Yandex antivirus robot analyzes the behavior of JavaScript code and other active elements when scanning pages.
If the malicious Java applet detector or malicious PDF document detector finds an attempt to exploit a vulnerability to execute malicious code, the page is considered dangerous for the users.
If active elements behave according to the heuristic rules characteristic for the drive-by-download attacks, or if the check finds that page attempts to exploit vulnerabilities to execute malicious code, the page is considered dangerous for the users.
To remove malicious code from the server, follow our instructions.