The antivirus verdicts

If a verdict is missing from the list, use the Yandex generic instructions on treating an infected site.

  1. JS/ApndIfra-A
  2. JS/DwnLdr-HOO
  3. JS/IFrameHtm-A
  4. JS/IfrmInj-A
  5. JS/MalTxt-Gen
  6. JS/PDFLd-Gen
  7. JS/RefC-Gen
  8. JS/ScrLd-B
  9. JS/ScrLd-C
  10. JS/ScrLd-D
  11. JS/ScrLd-E
  12. JS/ScrObf-Gen
  13. JS/Sinowal-Gen
  14. JS/Sinowal-V
  15. JS/XIfr-Gen
  16. Mal/Badsrc-A
  17. Mal/Badsrc-C
  18. Mal/Badsrc-D
  19. Mal/Badsrc-E
  20. Mal/Badsrc-F
  21. Mal/Badsrc-K
  22. Mal/Badsrc-M
  23. Mal/ExpJS-AD
  24. Mal/HappJS-A
  25. Mal/Iframe-AA
  26. Mal/Iframe-AF
  27. Mal/Iframe-AJ
  28. Mal/Iframe-AN
  29. Mal/Iframe-F
  30. Mal/Iframe-Gen
  31. Mal/Iframe-I
  32. Mal/Iframe-M
  33. Mal/Iframe-N
  34. Mal/Iframe-O
  35. Mal/Iframe-Q
  36. Mal/Iframe-V
  37. Mal/Iframe-W
  38. Mal/Iframe-Y
  39. Mal/JSIfrLd-A
  40. Mal/JSRedir-D
  41. Mal/ObfJS-A
  42. Mal/ObfJS-AB
  43. Mal/ObfJS-X
  44. Mal/Psyme-E
  45. Mal/ScrLd-A
  46. Mal/Varcat-A
  47. Troj/AllAple-A
  48. Troj/Badsrc-B
  49. Troj/Badsrc-D
  50. Troj/Badsrc-G
  51. Troj/Badsrc-H
  52. Troj/Badsrc-L
  53. Troj/Badsrc-M
  54. Troj/Badsrc-O
  55. Troj/Bitget-A
  56. Troj/DecDec-A
  57. Troj/Dloadr-DLH
  58. Troj/ExpJS-FU
  59. Troj/Fujif-Gen
  60. Troj/Ifradv-A
  61. Troj/Iframe-AQ
  62. Troj/Iframe-BT
  63. Troj/Iframe-BW
  64. Troj/Iframe-CB
  65. Troj/Iframe-CG
  66. Troj/Iframe-DP
  67. Troj/Iframe-DQ
  68. Troj/Iframe-DR
  69. Troj/IFrame-DY
  70. Troj/Iframe-EA
  71. Troj/Iframe-EN
  72. Troj/Iframe-FB
  73. Troj/Iframe-GO
  74. Troj/Iframe-HF
  75. Troj/Iframe-HP
  76. Troj/Iframe-HX
  77. Troj/Iframe-IO
  78. Troj/Iframe-KX
  79. Troj/Iframe-Q
  80. Troj/JsDown-AH
  81. Troj/JSRedir-AK
  82. Troj/JSRedir-AR
  83. Troj/JSRedir-AU
  84. Troj/JSRedir-AZ
  85. Troj/JSRedir-BB
  86. Troj/JSRedir-BD
  87. Troj/JSRedir-BP
  88. Troj/JSRedir-DC
  89. Troj/JSRedir-DL
  90. Troj/JSRedir-DO
  91. Troj/JSRedir-DP
  92. Troj/JSRedir-DT
  93. Troj/JSRedir-EF
  94. Troj/JSRedir-FV
  95. Troj/JSRedir-GS
  96. Troj/JSRedir-GW
  97. Troj/JsRedir-HA
  98. Troj/JSRedir-HB
  99. Troj/JSRedir-HZ
  100. Troj/JSRedir-LH
  101. Troj/JSRedir-LR
  102. Troj/JSRedir-MH
  103. Troj/JSRedir-MN
  104. Troj/JSRedir-MX
  105. Troj/JSRedir-O
  106. Troj/JsRedir-OT
  107. Troj/JSRedir-R
  108. Troj/JSRedir-RX
  109. Troj/JSRedir-S
  110. Troj/ObfJS-O
  111. Troj/PDFEx-ET
  112. Troj/PhoexRef-A
  113. Troj/SEOImg-A
  114. Troj/SWFifra-A
  115. Troj/Thyself-A
  116. Troj/Unif-B
  117. Troj/WndRed-C
  118. VBS/Inor-AA
  119. VBS/Redlof-A
  120. Yandex/MalTds
  121. Yandex/MalWindows
  122. Yandex/MalAndroid
  123. Mobile redirect
  124. Undesirable programs
  125. Behavior analysis

JS/ApndIfra-A

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may differ for a particular script). When executed, this code loads malicious JavaScript code from remote resources. This malicious code is usually contained in the "onLoad" attribute of the "body" element.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/ApndIfra-A:

JS/DwnLdr-HOO

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may differ for a particular script). After executing, this code opens an advertisement in a popup window and loads malicious code from remote resources.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/DwnLdr-HOO:

JS/IFrameHtm-A

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may differ for a particular script). When executed, this code adds an invisible iframe element to the page, which loads malicious code from remote resources.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/IFrameHtm-A:

JS/IfrmInj-A

This verdict means that the page contains JavaScript code. When executed, the code checks the version of the user's operating system and the browser, as well as the presence of certain cookies. If certain conditions are met, the code adds an <iframe> tag to the page. In this tag, the "src" attribute contains the domain name that the malware is propagated from, along with "width" and "height" attributes set from 0 to 3.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/IfrmInj-A:

JS/MalTxt-Gen

This verdict means that the page contains obfuscated JavaScript code. When executed, the code loads a script used to distribute malware.

This verdict is issued when the malicious script uses textarea to protect itself from decoding and analysis, since it contains code against deobfuscation, for example:

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/MalTxt-Gen:

The names of variables and functions in each specific case may differ from the ones given in the example.

JS/PDFLd-Gen

This verdict means that malicious code (a set of exploits) was downloaded from a remote resource when the page was opened. This usually happens due to the presence of malicious code in legitimately enabled JavaScript scenarios.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/PDFLd-Gen:

JS/RefC-Gen

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may differ for a particular script). When executed, the code redirects the user to a site that distributes malware, if the user landed on the infected site from a search engine.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/RefC-Gen:

JS/ScrLd-B

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script). When executed, the code downloads a script from a remote server with malicious content.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/ScrLd-B:

JS/ScrLd-C

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script). When executed, the code downloads a script from a remote server with malicious content.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/ScrLd-C:

JS/ScrLd-D

This verdict means that the page contains an obfuscated JavaScript code. The code downloads a script from a remote server with malicious content.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/ScrLd-D:

The names of variables and functions in each specific case may differ from the ones given in the example.

JS/ScrLd-E

This verdict means that the page contains an obfuscated JavaScript executable that downloads malicious script from a remote server. Malware distributors try to make this malicious code harder to detect by using words in the names of variables and functions that are not associated with malware, such as “colors”.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/ScrLd-E:

The names of variables and functions in each specific case may differ from the ones given in the example.

JS/ScrObf-Gen

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script). When executed, it adds an <iframe> tag with the src attribute containing the domain name the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/ScrObf-Gen:

JS/Sinowal-Gen

This verdict means that the page contains an obfuscated JavaScript executable that downloads a script. When executed, the script adds an <iframe> tag to the page. The "src" attribute of the tag contains the domain name of the server that distributes the malware, as well as the "width" and "height" attributes set from 0 to 2.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/Sinowal-Gen:

JS/Sinowal-V

This verdict means that the page contains an obfuscated JavaScript executable that downloads a script. When executed, the script adds an tag to the page. The src attribute containing the domain name of the server that malware is being distributed from, along with the width and height attributes set from 0 to 2.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/Sinowal-V:

where <skipped> are skipped sections of malicious code that may differ significantly from instance to instance.

JS/XIfr-Gen

This verdict means that the page has JavaScript code that adds an <iframe> tag to the page. In this tag, the "src" attribute contains a domain name that malware is being distributed from, along with "width" and "height" attributes set from 0 to 10. In addition to the attributes shown above, the <iframe> tag can also include extra attributes such as: frameborder=0, style="VISIBILITY:hidden", and style="display:none".

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict JS/XIfr-Gen:

Mal/Badsrc-A

This verdict means the page code contains the script> tag with the src attribute specifying a domain name that malware is being distributed from. The script loaded in the src attribute can end in the .php or .js extension.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Badsrc-A:

Mal/Badsrc-C

This verdict means the page code contains the script> tag with the src attribute specifying a domain name that malware is being distributed from. The script loaded in the src attribute can end in the .php or .js extension.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Badsrc-C:

Mal/Badsrc-D

This verdict means that the page code contains a .jpg file in the src attribute of the <script> tag. A script loaded with the .jpg extension usually contains malicious code.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Badsrc-D:

Mal/Badsrc-E

This verdict means the page code contains the <script> tag with the "src" attribute specifying the domain name the malware is distributed from. This verdict is characterized by a domain name given in HTML URL Encode format.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Badsrc-E:

Mal/Badsrc-F

This verdict means the page code contains the <script> tag with the src attribute specifying the domain name the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Badsrc-F:

Mal/Badsrc-K

This verdict means that the page has JavaScript code from the traffbiz.ru partner network. When executing, it periodically loads malicious JavaScript code from a third-party site, which, in turn, distributes malware.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Badsrc-K:

For more information about this type of infection, see this page.

Mal/Badsrc-M

This verdict means the page code contains the <script> tag with the "src" attribute specifying the domain name the malware is distributed from. The script loaded in the "src" attribute can end with the .php extension. It takes the parameters specified by the attacker. Often, the script is placed on the page before the </body></html> closing tags.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Badsrc-M:

Mal/ExpJS-AD

This verdict means that the page has obfuscated JavaScript code (the names of variables and functions may differ for each particular script). When executed, it detects the operating system and the browser version, installed plugins, and uses this information to add an <iframe> tag with the "src" attribute containing the URL of a specially formed infected file.

To remove malicious code from the server, follow our instructions.

Example

Mal/HappJS-A

This verdict means that a script with the .js extension has code that uses a JavaScript function (such as document.write) to create a <script> tag with the src attribute. The src attribute contains a domain name the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/HappJS-A:

Mal/Iframe-AA

This code downloads a malicious JavaScript scenario from a third-party resource of the format http://91.196.216.20/url.php to the infected page's context. After the malicious scenario is loaded, in many cases (for example, for Internet Explorer) the computers of site visitors are attacked using various exploits. The code is obfuscated and specially designed against antivirus systems.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Iframe-AA:

Mal/Iframe-AF

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may differ for a particular script). After executing, the code adds an iframe to the page with the "src" attribute containing a domain name that malware is being distributed from. The notable feature of this infection is that the malicious code is appended to all files on the site that have the .js extension.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Iframe-AF:

Mal/Iframe-AJ

This verdict means that the page has malicious JavaScript code. When executed, it adds an <iframe> tag with the "src" attribute that contains the domain name the malware is distributed from. The width and height of the added tag are usually less than 5 pixels.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Iframe-AJ:

Mal/Iframe-AN

This verdict means the page contains the tag with the src attribute specifying the domain name of the host the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Iframe-AN:

Mal/Iframe-F

This verdict means that the page contains an <iframe> tag with the src attribute specifying the domain name the malware is distributed from, along with thewidth and height attributes set from 0 to 2, or a JavaScript code that adds this a tag to the page. In addition to the attributes shown above, the <iframe> tag can also include extra attributes such as: frameborder=0, style="VISIBILITY:hidden", style="display:none".

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Iframe-F:

Mal/Iframe-Gen

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may differ for a particular script). When this code is executed, the iframe element is added to the page. The src attribute contains the domain name the malware is distributed from. Other attributes conceal the created page element. Examples:
  • frameborder=0

  • style="VISIBILITY:hidden"

  • style="display:none"

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Iframe-Gen:

The code after the first deobfuscation stage:

The code after the second deobfuscation stage:

Mal/Iframe-I

This verdict means that the page contains an <iframe> tag with the src attribute specifying the domain name the malware is distributed from (set in hexadecimal or decimal HTML notation with a semicolon), along with the width and height attributes set from 0 to 2. In addition to the above attributes, the <iframe> tag can include extra attributes such as frameborder=0, style="VISIBILITY:hidden", style="display:none".

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Iframe-I:

Mal/Iframe-M

This verdict means that the page contains an <iframe> tag:
  • with the src attribute specifying the domain name of the server distributing malware.

  • With the width and height attributes set to values other than 0.

  • With the style="visibility: hidden" and border="0" attributes.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Iframe-M:

Mal/Iframe-N

This verdict means that the page has an <iframe> tag with the "src" attribute that contains the domain name of the server the malware is distributed from, as well as the "width" and "height" attributes set to values from 0 to 2. Also, the <iframe> tag can contain the event attributes with malicious code as their values.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Iframe-N:

Mal/Iframe-O

This verdict means the page contains an <iframe> tag with the width and height attributes more than zero, and the src attribute with a domain name the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Iframe-O:

Mal/Iframe-Q

This verdict means that the page has an <iframe> tag with the src attribute that contains the domain name of the server the malware is distributed from, as well as the width and height attributes set to values from 0 to 2.

In addition to the attributes shown above, the <iframe> tag can also include extra attributes such as: frameborder=0, style="VISIBILITY:hidden", style="display:none".

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Iframe-Q:

Mal/Iframe-V

This verdict means that the page contains an <iframe> tag with the src attribute specifying the domain name the malware is distributed from, along with thewidth and height attributes set from 0 to 2. In addition to the attributes shown above, the <iframe> tag can also include extra attributes such as: frameborder=0, style="VISIBILITY:hidden", style="display:none".

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Iframe-V:

Mal/Iframe-W

This verdict means that the page contains an <iframe> tag with the src attribute specifying the domain name the malware is distributed from, along with thewidth and height attributes set from 0 to 2, or a JavaScript code that adds this a tag to the page. In addition to the attributes shown above, the <iframe> tag can also include extra attributes such as: frameborder=0, style="VISIBILITY:hidden", style="display:none".

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Iframe-W:

Mal/Iframe-Y

This verdict means the page contains an <iframe> tag with the "width" and "height" attributes more than zero, and the "src" attribute with a domain name the malware is distributed from. In addition to the attributes shown above, the <iframe> tag can also include extra attributes such as: frameborder=0, style="VISIBILITY:hidden", style="display:none". The iframe can also be added to the page dynamically by executing JavaScript code.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Iframe-Y:

Mal/JSIfrLd-A

This verdict means that the page contains an obfuscated JavaScript code (the names of variables and functions may vary for each script). When executed, the code adds an<iframe> tag to the page. The src attribute of the tag contains the domain name the malware is distributed from. It also has other attributes that hide the element created on the page.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/JSIfrLd-A:

Mal/JSRedir-D

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/JSRedir-D:

Mal/ObfJS-A

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed leads to malicious actions. After executing, the code usually creates an <iframe> tag with the src attribute that contains the domain name the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/ObfJS-A:

Mal/ObfJS-AB

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed leads to malicious actions. After executing, the code usually creates an <iframe> tag with the src attribute that contains the domain name the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/ObfJS-AB:

Mal/ObfJS-X

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed leads to malicious actions. After executing, the code usually creates an <iframe> tag with the src attribute that contains the domain name the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/ObfJS-X:

Mal/Psyme-E

This verdict means that the page contains an obfuscated JavaScript executable that adds an <iframe> tag to the page. The src attribute of the tag contains the domain name of the server the malware is distributed from, as well as the width and height attributes set to values from 0 to 2.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Psyme-E:

The names of variables and functions in each specific case may differ from the ones given in the example.

Mal/ScrLd-A

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may differ for a particular script). After executing, the code waits for mouse movement and, after this event is fired, loads a script with malware on the page. The notable feature of this infection is that the malicious code is appended to all files on the site that have the .js extension.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/ScrLd-A:

Mal/Varcat-A

This verdict means that the page contains an obfuscated JavaScript executable that adds the <iframe> tag to the page. The tag contains the src attribute specifying a domain name the malware is distributed from, along with the width and height attributes set to values from 0 to 2.

In addition to the attributes shown above, the <iframe> tag can also include extra attributes such as: frameborder="0" и style="visibility: hidden;".

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Mal/Varcat-A:

The names of variables and functions in each specific case may differ from the ones given in the example.

Troj/AllAple-A

Troj/Allaple-A is a backdoor for the Windows platform. The trojan copies itself to multiple directories with a randomly generated filename that is 8 bytes long. The trojan extracts malicious DLL files from its body and places them in the Windows system directory. На зараженной системе в содержимом всех HTML файлов появляется строка: <OBJECT type="application/x-oleobject"CLASSID="CLSID(случайно сгенерированный CLSID)"></OBJECT>

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/AllAple-A:

Troj/Badsrc-B

This verdict means the page contains the <script> tag with the "src" attribute specifying the domain name of the server that distributes the malware. The malicious script is downloaded to the page from a URI ending in .js.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Badsrc-B:

Troj/Badsrc-D

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script). When executed, it adds a <script> tag with the src attribute containing the domain name the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Badsrc-D:

Troj/Badsrc-G

This verdict means the page contains the <script> tag with the "src" attribute specifying the domain name of the server that distributes the malware. The malicious script is downloaded to the page from a URI ending in .js.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Badsrc-G:

Troj/Badsrc-H

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script). When executed, it adds a <script> tag with the src attribute containing the domain name the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Badsrc-H:

Troj/Badsrc-L

This verdict means the page contains the <script> tag with the src attribute specifying the domain name of the server that distributes the malware. The malicious script is downloaded to the page from a URI ending in .php.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Badsrc-L:

Troj/Badsrc-M

This verdict means the page code contains the <script> tag with the src attribute specifying the domain name the malware is distributed from. The script to load in the "src" attribute may end in the .js extension. In most cases, this script is placed after the </html> tag.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Badsrc-M:

Troj/Badsrc-O

This verdict means the page contains the <script> tag with the "src" attribute specifying the domain name of the server that distributes the malware. The malicious script is downloaded to the page from a URI ending in .php.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Badsrc-O:

Troj/Bitget-A

This verdict means that the page contains an obfuscated JavaScript executable that adds an <iframe> tag to the page. The "src" attribute of the tag contains the domain name of the server that distributes the malware, as well as the "width" and "height" attributes set to values from 0 to 2.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Bitget-A:

Troj/DecDec-A

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions are the same for each script), which when executed leads to malicious actions. After executing, the code usually creates an <iframe> tag with the src attribute that contains the domain name the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/DecDec-A:

Troj/Dloadr-DLH

This verdict means that the page has JavaScript code that adds an <iframe> tag to the page. In this tag, the "src" attribute contains a domain name that malware is being distributed from, along with "width" and "height" attributes set from 0 to 10. In addition to the attributes shown above, the <iframe> tag can also include extra attributes such as: frameborder=0, style="VISIBILITY:hidden", and style="display:none".

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Dloadr-DLH:

Troj/ExpJS-FU

This verdict means that the page contains an obfuscated JavaScript executable, which downloads resources with malicious content. Usually, the resources are loaded by adding the<applet> and tags.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/ExpJS-FU:

Troj/Fujif-Gen

This verdict means that the page contains an <iframe> tag:
  • With the src attribute specifying the domain name of a server that distributes malware.

  • With the width and height attributes that have values from 0 to 2.

  • With additional attributes, such as frameborder="0" and style="height:1px".

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Fujif-Gen:

Troj/Ifradv-A

This verdict means that the page has an <iframe> tag. The src attribute of the tag contains the domain name of the server that distributes the malware, as well as the width and height attributes that have values from 0 to 2.

The URL of the malicious code in the src attribute contains the adv substring.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Ifradv-A:

Troj/Iframe-AQ

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may differ for a particular script). After executing, the code adds an iframe tag to the page. In this tag, the "src" attribute contains the domain name that the malware is propagated from, along with "width" and "height" attributes set from 0 to 3.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-AQ:

Troj/Iframe-BT

This verdict means that the page contains an invisible iframe element, which loads malicious code from remote resources. This iframe element is usually placed at the end of the page.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-BT:

Troj/Iframe-BW

This verdict means that the page contains an <iframe> tag with the src attribute specifying the domain name the malware is distributed from, along with thewidth and height attributes set from 0 to 2. In addition to the above attributes, the <iframe> tag can include extra attributes such as frameborder=0, style="VISIBILITY:hidden", style="visibility:hidden;position:absolute".

To remove malicious code from the server, follow our instructions.

Examples of malicious code that is issued the verdict Troj/Iframe-BW:

Troj/Iframe-CB

This verdict means that the page contains an <iframe> tag with the src attribute that contains the domain name of the server that distributes the malware, as well as the width and height set to values other than zero.

In addition, the <iframe> has the style="border: 0px none; position: relative; top: 0px; left: -500px; opacity: 0;" attribute.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-CB:

Troj/Iframe-CG

This verdict means that the page contains an obfuscated JavaScript executable that adds an <iframe> tag to the page. The "src" attribute of the tag specifies the domain name the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-CG:

Troj/Iframe-DP

This verdict means that the page contains an obfuscated JavaScript executable that adds an <iframe> tag to the page. The src attribute of the tag contains the domain name of the server that distributes the malware, as well as the width and height attributes set to values from 0 to 2.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-DP:

The names of variables and functions in each specific case may differ from the ones given in the example.

Troj/Iframe-DQ

This verdict means that the page has obfuscated JavaScript code. When executed, it adds an <iframe> tag with the "src" attribute that contains the domain name the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-DQ:

Troj/Iframe-DR

This verdict means that the page has JavaScript code that adds an <iframe> tag to the page. In this tag, the "src" attribute contains a domain name that malware is being distributed from, along with "width" and "height" attributes set from 0 to 10. In addition to the attributes shown above, the <iframe> tag can also include extra attributes such as: frameborder=0, style="VISIBILITY:hidden", and style="display:none".

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-DR:

Troj/IFrame-DY

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may differ for a particular script). When executed, this code adds an invisible iframe element to the page, which loads malicious code from remote resources.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-DY:

Troj/Iframe-EA

This verdict means that the page contains an obfuscated JavaScript executable that adds an <iframe> tag to the page. The "src" attribute of the tag contains the domain name of the server that distributes the malware, as well as the "width" and "height" attributes set to values from 0 to 2.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-EA:

Troj/Iframe-EN

This verdict is issued when the page contains a JavaScript executable that adds an <iframe> tag to the page. The src attribute of the tag contains the domain name of the server distributing the malware. The width and height attributes have values from 0 to 2.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-EN:

Troj/Iframe-FB

This verdict means that the page has JavaScript code that adds an <iframe> tag to the page. The src attribute of this tag contains the domain name the malware is distributed from. The width and height attributes are set to values from 0 to 2. In addition to the attributes shown above, the <iframe> tag can also include extra attributes such as: frameborder=0, style="VISIBILITY:hidden", style="display:none".

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-FB:

Troj/Iframe-GO

This verdict means that the page contains an <iframe> tag with the src attribute specifying the domain name the malware is distributed from, along with thewidth and height attributes set from 0 to 2.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-GO:

Troj/Iframe-HF

This verdict means that the page has JavaScript code that adds an <iframe> tag to the page. In this tag, the "src" attribute contains the domain name the malware is distributed from, along with the "width" and "height" attributes set to values from 0 to 2. In addition to the attributes shown above, the <iframe> tag can also include extra attributes such as: frameborder=0, style="VISIBILITY:hidden", and style="display:none". For this infection, the malicious code is usually located in several places in the middle of the HTML document.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-HF:

Troj/Iframe-HP

This verdict means that the page contains a small iframe element, which loads malicious code from remote resources. This iframe element is usually placed before the closing "body" tag.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-HP:

Troj/Iframe-HX

This verdict means that the page contains an <iframe> tag with the "src" attribute specifying the domain name of the server that distributes the malware. Also, the <iframe> tag has the following attribute: style="visibility: hidden; display: none; display: none;".

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-HX:

Troj/Iframe-IO

This verdict means that the page has malicious JavaScript code. When executed, it adds an <iframe> tag with the "src" attribute that contains the domain name the malware is distributed from. In addition, styles are usually used to place the added tag outside of the visible page area.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-IO:

Troj/Iframe-KX

This verdict means that the page has malicious JavaScript code. When executed, it adds an <iframe> tag with the src attribute that contains the domain name the malware is distributed from. In addition, styles are usually used to place the added tag outside of the visible page area.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-KX:

Troj/Iframe-Q

This verdict means that the page contains an <iframe> tag with the src attribute specifying the domain name the malware is distributed from, along with thewidth and height attributes set from 0 to 2. In addition to the attributes shown above, the <iframe> tag can also include extra attributes such as: frameborder=0, style="VISIBILITY:hidden", style="display:none".

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Iframe-Q:

Troj/JsDown-AH

This verdict means that the page contains an obfuscated JavaScript code (the names of variables and functions may vary for each script). When executed, it adds an <iframe> tag to the page. The "src" attribute of the tag contains the domain name the malware is distributed from. This code is usually appended to the end of all files with scripts, which are downloaded to the page.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JsDown-AH:

Troj/JSRedir-AK

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-AK:

Troj/JSRedir-AR

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-AR:

Troj/JSRedir-AU

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-AU:

Troj/JSRedir-AZ

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that is distributing malware. In this type of site infection, the specified code is usually located in a separate file with the .js extension.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-AZ:

Troj/JSRedir-BB

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-BB:

Troj/JSRedir-BD

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-BD:

Troj/JSRedir-BP

This verdict means that the page contains an obfuscated JavaScript executable, which downloads resources with malicious content, or the user will be redirected to a malicious site.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-BP:

Troj/JSRedir-DC

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may differ for a particular script). After executing, this code loads malicious JavaScript code from remote resources.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-DC:

Troj/JSRedir-DL

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-DL:

Troj/JSRedir-DO

This verdict means that the page contains obfuscated JavaScript code, which when executed redirects the user to a site that is distributing malware.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-DO:

The names of variables and functions in each specific case may differ from the ones given in the example.

Troj/JSRedir-DP

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-DP:

Troj/JSRedir-DT

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-DT:

Troj/JSRedir-EF

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-EF:

Troj/JSRedir-FV

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may differ for a particular script). After executing, the code waits for mouse movement and, after this event is fired, loads a script with malware on the page. The notable feature of this infection is that the malicious code is appended to all files on the site that have the .js extension.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-FV:

Troj/JSRedir-GS

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

For more information about the causes of infection, read our article.

Example of malicious code that is issued the verdict Troj/JSRedir-GS:

Troj/JSRedir-GW

This verdict means that the page has JavaScript objects that link to malicious code from remote resources. These elements usually get in through the site's back door (inside articles, comments, and so on), due to insufficient filtering of data entered by users.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-GW:

Troj/JsRedir-HA

This verdict means that the page contains an obfuscated JavaScript executable, which downloads resources with malicious content, or the user will be redirected to a malicious site.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-HA:

Troj/JSRedir-HB

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-HB:

Troj/JSRedir-HZ

This verdict means that the page contains an obfuscated JavaScript executable, which downloads resources with malicious content, or the user will be redirected to a malicious site.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-HZ:

Troj/JSRedir-LH

This verdict means that the page markup contains JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that is distributing malware. In this type of site infection, the specified code is usually prepended to the beginning of all JS files on the site.

Example of malicious code that is issued the verdict Troj/JSRedir-LH:

In this type of infection, sites often contain malicious PHP code like , which also must be removed in order to avoid re-infection.

To remove malicious code from the server, follow our instructions.

Troj/JSRedir-LR

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may differ for a particular script). The notable feature of this infection is that the malicious code is appended to one of the files on the site that has the .js extension. To remove the malicious code from the server, follow our instructions. Example of malicious code that is issued this verdict:

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-LR:

Troj/JSRedir-MH

This verdict means that the site contains malicious JavaScript code that loads a malicious SWF objects, which downloads exploits to the site's visitors. This malicious code is usually placed in a separate JS file on a hacked server.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-MH:

Troj/JSRedir-MN

This verdict means that the site contains malicious JavaScript code that loads a malicious SWF objects, which downloads exploits to the site's visitors. This malicious code is usually placed in a separate JS file on a hacked server.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-MN:

Troj/JSRedir-MX

This verdict means that the page contains malicious JavaScript code (the names of variables and functions may differ for a particular script). This code adds the <iframe> element to the page. The src attribute contains the domain name the malware is distributed from. Mobile browsers when executing this code are redirected to malicious sites.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-MX:

Troj/JSRedir-O

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-O:

Troj/JsRedir-OT

This verdict means the page contains the script tag with the src attribute specifying the domain name of the server distributing the malware. The loaded script adds the iframe tag, usually placed outside of the visible page area.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-OT:

Troj/JSRedir-R

This verdict means that the page contains an obfuscated JavaScript code (the names of variables and functions can vary for each script). When executed, it redirects the user to the site distributing the malware in the .cn domain zone.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-R:

Troj/JSRedir-RX

This verdict means that the page contains a JavaScript code (the names of variables and functions can vary for each script). When executed, it redirects the user to the site distributing the malware. The src attribute in the malicious code usually contains a URI (universal resource identifier) ending in jquery.min.php.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-AK:

Troj/JSRedir-S

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from. This verdict is usually issued to sites (or a chain of sites) that distribute fake antivirus programs.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/JSRedir-S:

Troj/ObfJS-O

This verdict means that the page contains an obfuscated JavaScript executable, which downloads resources with malicious content, or the user will be redirected to a malicious site.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/ObfJS-O:

Troj/PDFEx-ET

This verdict means that either the page or a loaded script has a JavaScript code (the names of variables and functions, string constants and array contents can vary for each script). When executed, this code adds an <iframe> with the "src" attribute containing the domain name the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/PDFEx-ET:

Troj/PhoexRef-A

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may differ for a particular script). After executing, the code waits for mouse movement and, after this event is fired, loads a script with malware on the page. The notable feature of this infection is that the malicious code is appended to all files on the site that have the .js extension.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/PhoexRef-A:

Troj/SEOImg-A

This verdict means that the page contains JavaScript code that redirects the user's browser to a page with a script that is distributing malware.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/SEOImg-A:

Troj/SWFifra-A

This verdict means that the page loads an SWF file with an tag. The "src" attribute of the tag contains the domain name the malware is distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/SWFifra-A:

Troj/Thyself-A

This verdict means that the page has JavaScript code that adds an <iframe> tag to the page. In this tag, the "src" attribute contains a domain name that malware is being distributed from, along with "width" and "height" attributes set from 0 to 10. In addition to the attributes shown above, the <iframe> tag can also include extra attributes such as: frameborder=0, style="VISIBILITY:hidden", and style="display:none".

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Thyself-A:

Troj/Unif-B

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/Unif-B:

Troj/WndRed-C

This verdict means that the page contains obfuscated JavaScript code (the names of variables and functions may vary for each script), which when executed redirects the user to a site that malware is being distributed from.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Troj/WndRed-C:

VBS/Inor-AA

This verdict means that the page has VBScript that, if successfully executed, creates and runs an executable file on the client computer.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict VBS/Inor-AA:

Note: "<bin>" stands for the contents of the executable file in the hexadecimal notation.

VBS/Redlof-A

This verdict means that the page has obfuscated VBScript code that, if successfully executed, creates and runs an executable file on the client computer.

To remove malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict VBS/Redlof-A:

Yandex/MalTds

This verdict means that the page has an <iframe> tag with the "src" attribute containing the domain name of the malware source. Also, the <iframe> tag contains the "width" and "height" attributes that have values ​​from 0 to 2, or a JavaScript code. Данный код при исполнении добавляет тег <ifreme> на страницу.

Also, the <iframe> tag can include additional attributes: frameborder=0, style="VISIBILITY:hidden",style="display:none".

To remove the malicious code from the server, follow our instructions.

Example of malicious code that is issued the verdict Yandex/MalTds:

Yandex/MalWindows

This verdict means that the page contains links for downloading malware for Microsoft Windows.

Yandex/MalAndroid

This verdict means that the page contains links for downloading malware for the Android OS.

Mobile redirect

While checking the site pages, Yandex antivirus suite detected a mobile redirect. A mobile redirect is when a user is redirected to a third-party site when trying to view a page on the source site using a mobile device (for example, a phone).

These types of redirects usually send users to sites that host malware or phishing (for example, in the guise of a browser update). Downloading and installing such programs may cause the mobile device to be infected.

Mobile redirects can be configured in the .htaccess file, including the one provided with the CMS, as described in this article. They can also appear because of the server-side backdoor script, similar to the one described here.

To remove malicious code from the server, follow our instructions.

Undesirable programs

The last check showed that the site has files or links to files that have had extra software added. This could happen either at the desire of the site's owners, or without their knowledge, as the result of hacking.

The extra software may include suspicious programs that are capable of harming the computer, disrupting other software, or changing settings.

Currently, the site is shown in the search results with the warning “Be careful when downloading files from this site”. Links to files (or the files themselves) containing undesirable software should be removed from the site. If they are not detected during the next scan, the warning will be removed from the search results.

Behavior analysis

The Yandex antivirus robot analyzes the behavior of JavaScript code and other active elements when scanning pages.

If the malicious Java applet detector or malicious PDF document detector finds an attempt to exploit a vulnerability to execute malicious code, the page is considered dangerous for the users.

To remove malicious code from the server, follow our instructions.

Tell us what your question is about so we can direct you to the right specialist:

In this case, read the recommendations in the Unwanted programs and dangerous files section. You can also contact support from that page.
If you see a message about another issue related to the site security, choose the violation type.