Daniel Ansari’s blog: Random software musings

May 19, 2009

Automatic removal of Gumblar/Martuz trojan

Filed under: Malware — admin @ 11:08 pm

I won’t duplicate information contained on other websites, but I will refer to them here instead.

How your machine gets infected by Gumblar, or a “Gumblaroid” (Gumblar-type exploit) such as Martuz

http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/
http://blog.unmaskparasites.com/2009/05/18/martuz-cn-is-a-new-incarnation-of-gumblar-exploit/
http://www.pcauthority.com.au/forums/yaf_postsm289075_A-nasty-virus-called-Gumblar.aspx

How to determine if your PC has the infection

http://www.dynamicdrive.com/forums/showthread.php?p=194695

These were the symptoms that I noticed on my PC:

1. My Visual Studio .NET 2005 was crashing a lot, and I could not get any work done using it.
2. In Firefox 3, each search result would initially redirect to a bogus ad page (I always open search results in a new tab), but clicking the search result once more would open the genuine page.
3. I could not start cmd from the XP Start/Run menu item.

How I removed this malware from my PC

1. I installed Malwarebytes’ Anti-Malware and scanned my PC. It found the single file that was keeping the infection active; in my case it was C:\WINDOWS\ukvvq.qnx (the name varies from machine to machine). Deleting it, either manually or by letting Anti-Malware try, did remove it, but the file reappeared almost immediately. Don’t worry if Anti-Malware cannot update its definitions online: blocked updates are another symptom of Gumblar, and it still detects the file, though under a different name.
2. I ran HijackThis (no scan was needed), chose “Misc Tools”, and used “delete file on reboot” on that file (following http://www.dynamicdrive.com/forums/showthread.php?p=194695).
3. I ran regedit and deleted the associated registry entry (again following http://www.dynamicdrive.com/forums/showthread.php?p=194695), then rebooted so that the pending deletion took effect.

That was all it took to remove it from my PC. To protect against re-infection, I disabled JavaScript in Adobe Reader as described at http://www.pcauthority.com.au/forums/yaf_postsm289075_A-nasty-virus-called-Gumblar.aspx. Gumblar was delivered through malicious PDF and Flash content, so keeping Adobe Reader and Flash Player patched matters as much as that setting.

Unfortunately, it seems that several people resorted to rebuilding their machines from scratch. That is the safer choice if you cannot be certain the infection is gone, since the trojan also harvests passwords from the machine.

How to remove the infection from a website

Gumblar harvests FTP credentials from the infected PC, so if you manage websites using an FTP program there is a good chance that your sites have become infected too. Change the FTP passwords, but only after your machine has been cleaned; change them earlier and the new passwords are stolen as well. Plain FTP sends the password in clear text on every login, so switch to SFTP or FTPS if your host offers it.

As yet, I am unaware of any automated script that removes the infection from a website, so I wrote my own and applied it to five of the websites I manage that were infected.

I started off using the script by rad-one at http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/comment-page-1/#comment-896.

I modified it heavily: it now uses PHP regular expressions to remove the Gumblar modifications from HTML, PHP and JS files (it scans files of every extension except .bak). Unlike rad-one’s detection script, this one yielded zero false positives for me, and eradicated the infection completely, as far as I can tell.

Here is what my script does:

1. Recurses through the whole website, excluding files and/or directories of your choosing.
2. Applies regular expressions to remove the infection from all the files (except those with the .bak extension) in each directory.
3. All modified files are backed up using the .bak extension.
4. Removes all files with paths ending in /images/image.php or /images/gifimg.php.
5. Runs in report mode by default, so you can see which files would be modified.
6. Has a “verbose” option, so you can see how each file will be modified.

It does not change directory permissions. I haven’t got around to investigating that area yet.

You may download it here. (Use at your own risk.)

Instructions for use

  1. Place the file scan_files.php at your web document root.
  2. Invoke it with no parameters to run it in report mode, where no modifications are made.
  3. Use scan_files.php?v=1 to run it in verbose mode.
  4. Use scan_files.php?u=1 to run it in update mode, where the modifications are actually made.
  5. Use scan_files.php?u=1&v=1 to run it in both update and verbose modes.
  6. Delete scan_files.php as soon as you are done. While it sits at your document root, anyone who guesses its name can run it in update mode against your files, with no authentication.

The script runs as the web server’s user, so it can only create .bak files and rewrite pages in directories that user can write to; a “Permission denied” error on a .bak file means the directory is not writable by the web server, not that the script is broken.
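The PHP script itself is not reproduced on this page, so here is an added example of the same design, written for this edit and not the post’s scan_files.php: it recurses from a root, skips excluded directories and .bak files, strips every match of a list of patterns, backs up each modified file under a .bak suffix, deletes files whose paths end in /images/image.php or /images/gifimg.php, and runs in report mode unless told to update. It is written in Python to be run from a shell on the server (the way the Perl one-liner in the comments is used) rather than invoked over HTTP, which also avoids leaving a web-reachable file rewriter at the document root. The two patterns, the excluded directory names and the sample site it builds are constructed for illustration: real Gumblar injections were obfuscated, so literal matches on gumblar.cn and martuz.cn, or on the hidden .cn:8080 iframe reported further down in the comments, will not catch a live sample; build each pattern from an infected file you actually have, and test it on that file in report mode first.

```python
#!/usr/bin/env python3
"""Added example: a shell-run cleaner in the shape of the post's scan_files.php.
Not the post's own code; patterns and sample data below are constructed."""
import os
import re
import shutil
import sys
import tempfile
from pathlib import Path

# Constructed patterns. Real injections were obfuscated, so literal domain
# matches like these miss live samples: derive patterns from an infected file.
INJECTION_PATTERNS = [
    # <script> block naming one of the domains from the post's references
    re.compile(r'<script[^>]*>(?:(?!</script>).)*?(?:gumblar|martuz)\.cn'
               r'(?:(?!</script>).)*?</script>\s*', re.I | re.S),
    # hidden iframe to a .cn host on port 8080 (variant reported in the comments)
    re.compile(r'<iframe[^>]*src=["\']?https?://[^"\'\s>]*\.cn:8080/index\.php'
               r'[^>]*>(?:\s*</iframe>)?\s*', re.I | re.S),
]
DROPPED_SUFFIXES = ('/images/image.php', '/images/gifimg.php')  # deleted outright
SKIP_EXTENSIONS = {'.bak'}
EXCLUDED_DIRS = {'.git', 'backups'}  # assumption: tune per site


def clean_text(text):
    """Return (cleaned_text, removals) for one file's contents."""
    removals = 0
    for pat in INJECTION_PATTERNS:
        text, n = pat.subn('', text)
        removals += n
    return text, removals


def scan(root, update=False, verbose=False, excluded_dirs=EXCLUDED_DIRS):
    """Walk root. Report mode (default) changes nothing; update=True rewrites
    infected files after saving <name>.bak and deletes dropper files.
    Returns {'modified': [...], 'dropped': [...], 'errors': [(path, msg)]}."""
    result = {'modified': [], 'dropped': [], 'errors': []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in excluded_dirs]  # prune walk
        for name in filenames:
            path = Path(dirpath) / name
            if path.as_posix().endswith(DROPPED_SUFFIXES):
                result['dropped'].append(str(path))
                if update:
                    path.unlink()
                continue
            if path.suffix in SKIP_EXTENSIONS:
                continue
            try:  # surrogateescape round-trips bytes that are not valid UTF-8
                original = path.read_text(encoding='utf-8', errors='surrogateescape')
            except OSError as exc:
                result['errors'].append((str(path), str(exc)))
                continue
            cleaned, n = clean_text(original)
            if n == 0:
                continue
            result['modified'].append(str(path))
            if verbose:
                print(f'{path}: {n} injection(s)')
            if update:
                shutil.copy2(path, path.with_name(path.name + '.bak'))
                # write in place so the file keeps its owner and mode
                path.write_text(cleaned, encoding='utf-8', errors='surrogateescape')
    return result


def demo():
    """Build a constructed sample site in a temp dir, run report then update mode."""
    clean = '<html><body><p>hello</p></body></html>\n'
    injected = clean.replace('</body>', '<script>document.write("gumblar.cn");</script></body>')
    iframe = ('<?php echo "x"; ?>\n<iframe src="http://example.cn:8080/index.php" '
              'width=178 height=178 style="visibility: hidden"></iframe>\n')

    def names(paths):
        return sorted(Path(p).name for p in paths)

    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / 'images').mkdir()
        (site / 'backups').mkdir()
        (site / 'index.html').write_text(injected)
        (site / 'about.html').write_text(clean)
        (site / 'page.php').write_text(iframe)
        (site / 'images' / 'gifimg.php').write_text('<?php /* dropper */ ?>')
        (site / 'old.html.bak').write_text(injected)           # skipped: .bak
        (site / 'backups' / 'copy.html').write_text(injected)  # skipped: excluded dir
        report = scan(site)
        untouched = clean_text((site / 'index.html').read_text())[1]  # report mode: still 1
        update = scan(site, update=True)
        after = {
            'index_clean': (site / 'index.html').read_text() == clean,
            'page_clean': clean_text((site / 'page.php').read_text())[1] == 0,
            'backup_kept': (site / 'index.html.bak').exists(),
            'dropper_gone': not (site / 'images' / 'gifimg.php').exists(),
        }
    return {'report_modified': names(report['modified']),
            'report_dropped': names(report['dropped']),
            'untouched_after_report': untouched,
            'update_modified': names(update['modified']),
            'after': after}


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(demo())
    else:
        r = scan(sys.argv[1], update='-u' in sys.argv, verbose='-v' in sys.argv)
        print(f"{len(r['modified'])} to modify, {len(r['dropped'])} to drop, "
              f"{len(r['errors'])} unreadable")
```

Run it as `python3 cleaner.py /path/to/docroot` for a report, add `-v` to see per-file counts and `-u` to apply the changes; with no arguments it runs against the constructed sample site. Keeping the patterns in a list is what lets you add a new signature (the iframe variant, for instance) without touching the walking or backup logic.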

51 Comments

  1. great post, thanks Daniel

    Comment by Billy R — May 20, 2009 @ 11:54 am

  2. […] password, and begin to remove the infected code/files. A more comprehensive guide can be found at: http://www.danielansari.com/wordpress/2009/05/automatic-removal-of-gumblarmartuz-trojan/ and general Q&A can be found at: […]

    Pingback by Trojan virus spreading. Are you affected? — May 20, 2009 @ 12:56 pm

  3. I’ll give it a try…thanks dude!

    Comment by Juan — May 20, 2009 @ 3:19 pm

  4. Hi Daniel, thanks for writing the script. I am having a little trouble running it though. I get this error after a certain point

    Warning: fopen(/home/**/public_html/documentation/jscript/select_infected_dont_use.dd.bak) [function.fopen]: failed to open stream: Permission denied in /home/**/public_html/scan_files.php on line 87
    Cannot open file (/home/**/public_html/documentation/jscript/select_infected_dont_use.dd.bak)

    I tried adjusting the permissions of scan_files.php but had no luck.

    Comment by Gene M — May 20, 2009 @ 11:26 pm

  5. Hi Dan,
    Gene again. It appears to have problems on my site with permissions. I have to keep granting access to each .bak file. I have 60 thousand files; is there a way to run the script without running into the above error?

    Thanks Big time!!!!!

    Warning: fopen(/home/**/public_html/documentation/jscript/select_infected_dont_use.dd.bak) [function.fopen]: failed to open stream: Permission denied in /home/**/public_html/scan_files.php on line 87
    Cannot open file (/home/**/public_html/documentation/jscript/select_infected_dont_use.dd.bak)

    Comment by Gene M — May 21, 2009 @ 12:33 am

  6. Hi Gene, if you don’t need the script to create the .bak files, I would comment out lines 87-97. You could get a backup of your current site via your normal backup method.

    However, if this script cannot create the .bak file, will it be able to overwrite the infected files with the cleaned ones? You may still have a permissions problem. Please let me know, and good luck.

    Comment by admin — May 21, 2009 @ 10:16 am

  7. Hello Gene, thanks for the script. It’s a nasty virus. Because of two specific modified dates I was warned; after running the script, the files were not cleaned: index.php and index2.php. And /images/gifimp.php still contains strange code like:

    Any suggestions?

    Comment by Jorritdj — May 22, 2009 @ 7:35 am

  8. The linked script is what I have been using to clean the sites I have come across recently. It is ugly, but works fairly well. Needs shell access with perl installed.

    http://pastie.org/486369

    Comment by FraX — May 22, 2009 @ 8:32 am

  9. I came across the actual script used to inject the code to sites. You all may find it useful to determine exactly what it does.

    http://pastie.org/487144

    Comment by FraX — May 23, 2009 @ 1:00 am

  10. this site was hacked and your script seemed to clear it up. Thanks. Do you know how to find the original infecting file? I tried scanning for PAYLOAD from pastie.org listing on original file, but didn’t find anything. Thanks

    Comment by rfd — May 23, 2009 @ 3:29 am

  11. Thanks Dan,

    I’ll give this a try and let you know how I fare.

    Comment by Gene M — May 23, 2009 @ 12:31 pm

  12. […] password, and begin to remove the infected code/files. A more comprehensive guide can be found at: Daniel Ansari’s blog Automatic removal of Gumblar/Martuz trojan and general Q&A can be found at: ScanSafe STAT Blog – ScanSafe STAT Blog – GumblarQ&A […]

    Pingback by Trojan virus spreading. Are you affected? - Parajsa Shqiptare Forum — May 23, 2009 @ 1:48 pm

  13. Thank you very much, it helped me a lot.

    Comment by Eliran — May 23, 2009 @ 4:14 pm

  14. Thanks Daniel. Script worked great on my server. Saved me hours of manual fixing.

    Comment by carlitobrown — May 23, 2009 @ 5:08 pm

  15. Thank you for all your hard work, Daniel. Well done. Much appreciated.

    Comment by I Lee — May 23, 2009 @ 7:43 pm

  16. Here is a more recent version of my removal one-liner. It implements a few changes learned from the infection code.

    http://pastie.org/487867

    Comment by FraX — May 24, 2009 @ 1:53 am

  17. I found variants of this nuisance on about 15 websites I made, hosted with five different hosting companies! Occasionally that virus is even infecting other files under / – for example the /error-docs and /httpsdocs folders! – not only /httpdocs or /public_html. Unfortunately I did not find any good information yet on how to prevent being infected by such viruses – that is, how to effectively make use of, for example, .htaccess files to secure one’s web…

    Comment by Roman — May 24, 2009 @ 6:37 am

  18. I have cleared the Gumblar virus from my site and uploaded it, but it is still showing as a reported attack site, in the Firefox browser only.

    Comment by Bala — May 25, 2009 @ 1:44 am

  19. Bala, you need to request a review of your site from Google to have this cleared. Go to Google Webmaster Tools and create an account/add your site if you haven’t done so already. From the overview section, you can request a review. In the 3 cases I’ve done this, my site was cleared within a day.

    Comment by admin — May 25, 2009 @ 6:38 am

  20. This question is for Pastie.org. how did you come across the original infecting file you posted? Did they leave it on your site?

    Comment by rfd — May 25, 2009 @ 10:51 pm

  21. Hi Daniel,
    Excellent post and nice script also. I have added a link to your post on my Blog post about Gumblar
    Cheers,
    Dave

    Comment by dave — May 27, 2009 @ 3:54 am

  22. I’m not pastie.org (it’s just a pasting/sharing site). The script was found on a compromised server that was used to infect further sites.

    Comment by FraX — May 28, 2009 @ 12:48 am

  23. Thank you. This is a huge help. I’ve got some problems on an undeveloped, unpublished, and not yet promoted (thankfully) blog that I have put a LOT of work into. Of course, this got gumblar on it somehow (not sure how yet). It will be nice to remove it.

    Comment by Geoff Kegerreis — May 28, 2009 @ 2:39 pm

  24. I am infected and have downloaded the script. Can anyone tell me exactly what to do with it now? I am a website rookie and am not sure how to run the script to clean my site. Any help would be GREATLY appreciated!

    Thanks,

    Kevin

    Comment by Kevin — May 29, 2009 @ 11:30 am

  25. Kevin, instructions are given in the main posting. If your site is http://www.foobar.com and you place the script at your document root, run it as http://www.foobar.com/scan_files.php?u=1 to run it in update mode (or see instructions for how to run it in the other modes). Good luck!

    Comment by admin — May 29, 2009 @ 12:54 pm

  26. Thanks, I had 4 sites with hundreds of file hosted on the same server all infected with this Gumblar trojan and your script cleaned everything up within a minute. It worked better than I expected. Thanks again.

    Comment by Jay — May 31, 2009 @ 11:42 pm

  27. This script is useless, since the malware morphs and its variations are vast. The only tool that really does the job costs money: Hyper XR or HyperXR, something like that. We ended up wasting two weeks of time for not spending a couple of dollars; in employee time it cost us more.

    Comment by Jason — June 2, 2009 @ 9:56 pm

  28. oh the link: http://www.hyperxr.com … LOL no affiliate links…!

    Comment by Jason — June 2, 2009 @ 9:57 pm

  29. I really liked this post. Can I copy it to my site? Thank you in advance.

    Comment by AndrewBoldman — June 4, 2009 @ 9:00 am

  30. thanks for this post…

    Comment by Bert Padilla — June 7, 2009 @ 6:09 pm

  31. […] Daniel Ansari blog Automatic removal of Gumblar Martuz trojan Posted by root 5 hours ago (http://www.danielansari.com) Comment by i lee may 23 2009 7 43 pm here is a more recent version of my removal one liner it implements a few changes learned from the infection Discuss  |  Bury |  News | Daniel Ansari blog Automatic removal of Gumblar Martuz trojan […]

    Pingback by Daniel Ansari blog Automatic removal of Gumblar Martuz trojan | Weak Bladder — June 7, 2009 @ 8:33 pm

  32. Hi Daniel,

    I’m a webmaster noob and was lucky to come across your site today. I’ve run your script and it seemed to work fine. How can I tell for sure if the virus has been eradicated from the site? I want to resubmit to Google asap.

    Thanks,
    Tom
    http://www.dalfast.com

    Comment by Tom Dalton — June 8, 2009 @ 12:04 pm

  33. Hi Daniel

    Is there any way you could make the script so that people could change what the script looks for?
    For example, people could write the string to look for in their site files in a txt file, and scan_files could read that string from that txt file.
    Because from what I see on every hacked site, the code is different; now I see they are placing an iframe with a flash file.
    The code looks like this (instead of iame it is iframe, and after http the site is always different):

    Comment by octavian — June 12, 2009 @ 8:11 am

  34. PS the system deleted the code

    iame src= hxxp://.cn:8080/index.php width=178 height=178 style=visibility: hidden (instead of iame it is iframe, and after http the site is always different)

    Comment by octavian — June 12, 2009 @ 8:12 am

  35. I just tried your scan – It did a great job identifying infected pages – I cleaned them myself. Thank you!

    Comment by Tobe — July 6, 2009 @ 2:10 pm

  36. Daniel,

    I just tried it and it listed all the directories it was opening, then it said Files: but nothing listed there, then the next directory. It did this over and over for every directory. No cr lf.
    I didn’t receive any errors or permission denied notices. I checked some of the files and they are still infected. What should I try next?

    Comment by fjh — July 8, 2009 @ 11:02 pm

  37. Daniel,
    Just tried to run your script on my infected website, but it doesn’t pick up all the infected files. I am new to PHP, maybe I need to modify the regex, if so how do I do so?
    The script I am trying to get rid of is:

    Thanks,
    Aina.

    Comment by Aina — July 12, 2009 @ 10:31 pm

  38. Sorry,

    The post with the script got truncated:

    Aina.

    Comment by Aina — July 12, 2009 @ 10:32 pm

  39. Daniel,

    This post doesn’t seem to let me copy in the piece of JavaScript I am trying to get rid of on my website…
    Not sure how to include it here…

    Aina.

    Comment by Aina — July 12, 2009 @ 10:34 pm

  40. fjh, I would guess that the script isn’t detecting the trojan in any of your files. I would check the regex – try passing it into an online regex checker along with an infected part of one of your files.

    Comment by admin — July 12, 2009 @ 11:51 pm

  41. Aina, please paste your code at http://pastie.org and post the link back here, then I’ll take a look.

    Comment by admin — July 12, 2009 @ 11:54 pm

  42. Hi Daniel,

    This is the bit I am trying to get rid of and the scan_files.php is not picking it up in all the files:
    http://pastie.org/543861
    Maybe I need to modify the regular expression, been Googling my way through my first day in PHP.

    Thanks,
    Aina.

    Comment by Aina — July 13, 2009 @ 1:35 am

  43. Daniel,

    Which online regex checker are you referring to?

    Thanks,
    Aina.

    Comment by Aina — July 13, 2009 @ 1:36 am

  44. Hello Daniel,

    I was attempting to use your script but when placed in the root directory of my website on a linux machine it recurses all the way back starting with /

    Is there any way that I can make it scan only the directory in which I placed it in?

    Comment by Buddy Patton — August 13, 2009 @ 4:18 pm

  45. THANK YOU!

    Your PHP script did awesome work; I have now cleaned up what was a total mess! Thank you!

    Comment by Jon — October 21, 2009 @ 7:06 am

  46. Good article, but your cleaning PHP tool didn’t work on my infected ASP script (Windows server). Do you have anything for ASP?

    Comment by dizi forum — November 8, 2009 @ 12:34 pm

  47. Thanks for the article,

    Unfortunately the link http://www.dynamicdrive.com/forums/showthread.php?p=194695 is now dead. Can anyone refer me to an updated link please.

    thanks

    Comment by Mark — November 16, 2009 @ 8:08 am

  48. dizi forum: Sorry, this script is PHP only – you would have to translate it to ASP(.NET).

    Comment by admin — November 16, 2009 @ 8:19 am

  49. Mark, I searched Dynamic Drive forums and unfortunately there’s nothing at all on Gumblar there. I don’t know whether another site may have the same content. It wasn’t an essential link.

    I looked back and found that Jason’s comment here: http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/comment-page-1/#comment-817 had something similar to the content on that Dynamic Drive page.

    Comment by admin — November 16, 2009 @ 8:52 am

  50. […] expressions and removes them. Download php removal code here, original creator and instructions here; if some php guru can contact me and help me modify the script (with the regular expressions that […]

    Pingback by WARNING. NEW FIREZILLA HACK - AskDamageX.com Webmaster Forum — December 10, 2009 @ 4:30 am

  51. To remove the gumblar virus on a web root use the perl script given http://digitalpbk.com/virus/gumblar-web-virus-manual-removal-free-tool

    Comment by digitalpbk — March 31, 2010 @ 8:22 am
