What malware is this PHP/Spy.Ettu.D?

See: http://www.virustotal.com/url-scan/report.html?id=5b299448edf87561c93d8b1047e44b6a-1324680110
and
http://www.virustotal.com/file-scan/report.html?id=2bcc7261416bcef8da36472e889404cc2d11e8063dbbd70e85585e11c075bfa4-1324683825
See: http://urlquery.net/queued.php?id=13312 verdict malicious
Nothing here: http://www.urlvoid.com/scan/picasa.com.a.turbosito.com
Also nothing at sucuri’s.
Avast should detect this as VBS:Malware-gen.

polonus

What malware is this PHP/Spy.Ettu.D?
PHP script virus http://www.sophos.com/en-us/security-news-trends/glossary.aspx#php

This decodes to this.
This decodes to this
And this decodes to this.

Thanks to that ‘link’ you gave me. :wink:
Clearly this file echoes coding into a file.

Edited because of having slight troubles with PhotoBucket, hopefully fixed now.

Hi Donovansrb10,

Thank you, my young friend. This time that online tool works like a charm ;D, so good de-obfuscation results. Yes, here at these forums we teach the young to be better protected ::).

pol

Worked like a charm. :slight_smile:

By the way, what kind of coding is ‘eval(gzinflate(base64_decode’? I don’t get how browsers would be able to decode it. Just looks like jumbled letters with backslashes and plus signs. ???

Hi Donovansrb10,

For a browser there is no problem rendering it. We need an extra pair of glasses ;D eh…decoders I mean. WordPress themes with this kind of code in footer.php, for instance, should always be distrusted. Read here: http://www.techfreakstuff.com/2009/07/what-encrypted-code-wordpress-themes-evalgzinflatebase64_decode.html link author = Rohit Sane
This can be used by webmasters to scan the authenticity of their themes code:
http://wordpress.org/extend/plugins/tac/ tac = Theme Authenticity Checker.

polonus
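The `eval(gzinflate(base64_decode("...")))` construct asked about above is not something a browser decodes at all: it runs server-side in PHP, where `base64_decode` turns the "jumbled letters" back into bytes, `gzinflate` decompresses those bytes (raw DEFLATE, no header), and `eval` executes the resulting PHP source, often several layers deep. The safe way to see what such a file does is to peel the layers with a decoder that never executes anything. The following Python script is an added example written for this thread, not code posted by any participant or taken from the tools they link. It builds its own constructed sample payload (the plaintext, the three wrapping layers and the list of functions treated as suspicious are all assumptions made here), then unwraps it layer by layer and reports which risky PHP functions appear in the final plaintext, mirroring the "echoes coding into a file" observation earlier in the thread.

```python
import base64
import re
import zlib

# One obfuscation layer: eval(gzinflate(base64_decode("<base64>")));
# Either quote style, optional whitespace, base64 possibly wrapped over lines.
LAYER_RE = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+?)\1\s*\)\s*\)\s*\)\s*;?"""
)

# PHP functions whose presence in a decoded theme/footer file deserves a closer
# look. This list is an assumption for the example, not an exhaustive indicator set.
SUSPICIOUS_FUNCS = (
    "eval", "base64_decode", "gzinflate", "system", "exec", "shell_exec",
    "passthru", "file_put_contents", "fwrite", "fopen", "curl_exec", "mail",
)


def peel_layer(php_source):
    """Decode one eval(gzinflate(base64_decode(...))) layer, or return None.

    Nothing is executed: the base64 is decoded and the bytes are inflated
    with wbits=-15, which is the raw DEFLATE format PHP's gzinflate() uses.
    """
    m = LAYER_RE.search(php_source)
    if not m:
        return None
    blob = re.sub(r"\s", "", m.group(2))
    raw = base64.b64decode(blob)
    return zlib.decompress(raw, -15).decode("latin-1")


def deobfuscate(php_source, max_layers=10):
    """Peel layers until none remain; return (plaintext, layers_removed)."""
    current, layers = php_source, 0
    while layers < max_layers:
        nxt = peel_layer(current)
        if nxt is None:
            break
        current, layers = nxt, layers + 1
    return current, layers


def suspicious_calls(php_source):
    """Sorted list of functions from SUSPICIOUS_FUNCS called in the source."""
    return sorted(f for f in SUSPICIOUS_FUNCS
                  if re.search(r"\b" + f + r"\s*\(", php_source))


def make_sample(plaintext, layers=3):
    """Constructed test payload: wrap plaintext the way the obfuscator does.

    Inner layers are bare eval(...) statements (no <?php tag, since eval'd
    code is already in PHP mode); only the outermost file gets the tags.
    """
    current = plaintext
    for _ in range(layers):
        co = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE
        raw = co.compress(current.encode("latin-1")) + co.flush()
        b64 = base64.b64encode(raw).decode("ascii")
        current = 'eval(gzinflate(base64_decode("%s")));' % b64
    return "<?php " + current + " ?>"


# Constructed plaintext standing in for the decoded footer code discussed above.
SAMPLE_PLAINTEXT = ('echo "<!-- injected -->";\n'
                    'file_put_contents("/tmp/PLACEHOLDER.php", $payload);\n')


if __name__ == "__main__":
    sample = make_sample(SAMPLE_PLAINTEXT)
    decoded, n = deobfuscate(sample)
    print("layers removed:", n)
    print("decoded source:\n" + decoded)
    print("suspicious calls:", suspicious_calls(decoded))
```

Run it as-is to see the constructed sample unwrapped; to examine a real file, read its contents into `deobfuscate()` instead of calling `make_sample()`. Because the decoder only decodes and inflates, it is safe to point at an untrusted theme file, which is exactly what an `eval`-based de-obfuscation in PHP is not.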