ClearJSTR.php
<?php
/**
* @author M1zh0rY
* @copyright 2012. ComplexMedia && Mizhory
* @category clear-script
* @version 2.3
* @license GNU
*
* Script for cleaning your site of the following viruses/trojans:
*
* - JS/Agent.NEK
* - Trojan-Downloader.JS.Agent.gny
* - JS/Kryptik.JE
* - others
*
* steps:
* - find infected JS
* - save in static var (list infected JS)
* - get static var (list infected JS)
* - load js from array var (list infected JS)
* - edit js
* - rename old file (without extension)
* - save new file without infected code
*/
//---------------------------------------------
// 09.04.12 18:47 Malware signature: ---------
//---------------------------------------------
// \x66r\x6fm\x43h\x61\x72\x43\x6fd\x65 ------
//---------------------------------------------
// \x66r\x6fm\x43h\x61\x72\x43\x6fd\x65 ------
//---------------------------------------------
// c\x68a\x72\x43o\x64\x65\x41\x74 -----------
//---------------------------------------------
//
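// NOTE(review): this silences every warning and notice, so a failed read,
// backup copy or write goes unreported. When running against a live site,
// log failures instead of hiding them.
error_reporting(0);

// Filled by save_list() during the scan: one array("code" => ..., "file" => ...)
// entry per flagged .js file.
$list_js_files = Array();

// Fragments of the obfuscated text named in the header comment, i.e. the
// literal characters backslash, "x" and two hex digits as they appear inside an
// infected file.
//
// They are single-quoted on purpose. In a double-quoted PHP string "\x68" is
// decoded to the single letter "h", so the list would collapse to fragments
// such as "h", "d", "a" and "e", which occur in virtually every JavaScript
// file, and the scan would flag clean files.
//
// Even as literals these fragments are short: legitimate packed or minified
// code that uses \xNN escapes can contain them too. Review the list of flagged
// files before any of them is rewritten.
$abstracted_infected_code = Array(
    '\x68',
    '\x61r',
    '\x43o',
    '\x64',
    '\x65At',
    '\x43',
    '\x61rCod',
    '\x86', // NOTE(review): possibly a typo for \x68 - confirm against a sample
    '\x61',
    '\x65',
    '\x66r',
    '\x6fm',
    '\x43h',
    '\x72',
    '\x6fd',
    '\x68a',
    '\x43o',
    '\x41',
    '\x74'
);

// Scan the tree rooted at the directory that holds this script.
$start_path = dirname(__FILE__) . DIRECTORY_SEPARATOR;
find_infected_JS(realpath($start_path));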
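/**
 * Recursively walk $path and record every *.js file that contains one of the
 * signatures in the global $abstracted_infected_code.
 *
 * For each matching file, save_list() is called once with the path and the
 * first signature (in list order) found in the file.
 *
 * @param string $path Directory to descend into, or a single file to test.
 * @return void
 */
function find_infected_JS($path)
{
    global $abstracted_infected_code;

    if (is_dir($path)) {
        // A symlinked directory can point back up the tree (endless recursion)
        // or outside the site root, so it is not followed.
        if (is_link($path)) {
            return;
        }

        $dir = opendir($path);
        if ($dir === false) {
            // Unreadable directory: nothing to scan here.
            return;
        }

        // Compare against false explicitly: an entry named "0" is falsy and
        // would otherwise end the loop before the directory is fully read.
        while (false !== ($item = readdir($dir))) {
            if ($item === '.' || $item === '..') {
                continue;
            }
            find_infected_JS($path . '/' . $item);
        }
        closedir($dir);
        return;
    }

    if (substr($path, -3) !== '.js') {
        return;
    }

    $file_code = file_get_contents($path);
    if ($file_code === false) {
        return;
    }
    $file_code = str_replace("\r\n", "\n", $file_code);

    foreach ($abstracted_infected_code as $signature) {
        // strpos() returns 0 for a match at the very start of the file, so the
        // result must be compared with false rather than tested for truthiness.
        if (strpos($file_code, $signature) !== false) {
            save_list($path, $signature);
            break;
        }
    }
}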
/**
 * Append one flagged file to the global $list_js_files.
 *
 * @param string $js_file       Path of the flagged file.
 * @param string $infected_code Signature that was found in it.
 * @return null Always null.
 */
function save_list($js_file, $infected_code)
{
    global $list_js_files;

    // Key order ("code", then "file") is kept as the rest of the script sees it.
    $entry = Array();
    $entry["code"] = $infected_code;
    $entry["file"] = $js_file;

    $list_js_files[] = $entry;

    return null;
}
/**
 * Read a file into an array of lines (line endings kept, as file() returns them).
 *
 * @param string      $js_file     Path of the file to read.
 * @param array|false $ret_js_code Receives the same value that is returned.
 * @return array|false The lines of the file, or false when file() fails.
 */
function load_js_file($js_file, &$ret_js_code)
{
    $lines = file($js_file);
    $ret_js_code = $lines;

    return $lines;
}
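/**
 * Drop the first line that contains $infected_code and join the rest.
 *
 * Only the first matching line is removed; an injection that spans several
 * lines leaves the remaining ones in place, so the result should be re-scanned.
 * When no line matches (or the signature is empty) the code is returned
 * unchanged.
 *
 * @param array  $js_code       Lines of the file, as returned by file().
 * @param string $infected_code Signature to look for.
 * @param string $new_js_code   Receives the same value that is returned.
 * @return string The remaining lines concatenated.
 */
function edit_js($js_code, $infected_code, &$new_js_code)
{
    // An empty needle matches at offset 0 of every line; never delete on it.
    if ($infected_code !== '') {
        $total = count($js_code);
        for ($i = 0; $i < $total; $i++) {
            // Compare with false: a signature at column 0 yields offset 0,
            // which a plain truthiness test treats as "not found".
            if (strpos($js_code[$i], $infected_code) !== false) {
                unset($js_code[$i]);
                break;
            }
        }
    }

    return $new_js_code = implode("", $js_code);
}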
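/**
 * Keep a backup of a file before it is rewritten.
 *
 * Despite the name, the file is copied, not renamed: the original stays in
 * place and the copy is written next to it as "_" followed by the part of the
 * file name before its first dot (no extension), e.g. "lib.min.js" -> "_lib".
 *
 * Caveats for whoever relies on these backups:
 *  - "lib.js" and "lib.min.js" in one directory share the backup name "_lib",
 *    and an existing backup is overwritten, so the later copy wins;
 *  - the backup still holds the injected code and sits inside the scanned
 *    tree; move it out of the web root once it has been inspected.
 *
 * @param string $js_file Path of the file to back up.
 * @return bool True when the copy succeeded, false otherwise.
 */
function rename_old_js_file($js_file)
{
    if (!is_string($js_file) || $js_file === '') {
        return false;
    }

    // dirname()/basename() instead of splitting on "/": a bare file name then
    // resolves to "." rather than to the filesystem root.
    $directory = rtrim(dirname($js_file), '/');
    $name_parts = explode(".", basename($js_file));
    $backup_name = "_" . $name_parts[0];

    return copy($js_file, $directory . "/" . $backup_name);
}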
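/**
 * Overwrite $js_file with $js_code and set its mode to 0644.
 *
 * The file is opened with mode "w", which truncates it before anything is
 * written, so a write that fails part-way leaves a short or empty file. The
 * return value tells the caller whether the full content was written.
 *
 * @param string $js_file Path of the file to overwrite.
 * @param string $js_code New content.
 * @return bool True when the whole content was written, false otherwise.
 */
function save_new_js_file($js_file, $js_code)
{
    // Reject anything that is not a path / a content string before the target
    // is opened, so a bad argument cannot truncate a file.
    if (!is_string($js_file) || $js_file === '' || !is_string($js_code)) {
        return false;
    }

    $res = fopen($js_file, "w");
    if ($res === false) {
        return false;
    }

    $written = fwrite($res, $js_code);
    fclose($res);

    if ($written === false || $written < strlen($js_code)) {
        return false;
    }

    chmod($js_file, 0644);

    return true;
}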
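// Clean every file recorded by the scan: load it, drop the flagged line, keep a
// backup, then write the cleaned content back.
for ($i = 0; count($list_js_files) > $i; $i++) {
    // Each entry is array("code" => signature, "file" => path). The helpers
    // take the path, not the whole entry.
    $js_file = $list_js_files[$i]['file'];
    $signature = $list_js_files[$i]['code'];

    // The signatures this script targets are literal \xNN escape text. A
    // fragment without a backslash is plain letters that also occur in clean
    // code, and editing on it would delete a legitimate line.
    if (strpos($signature, '\\') === false) {
        continue;
    }

    $ret_js_code = null;
    $new_js_code = null;

    if (load_js_file($js_file, $ret_js_code) === false) {
        continue;
    }

    edit_js($ret_js_code, $signature, $new_js_code);

    // Nothing was removed: leave the file and its existing backup untouched.
    if ($new_js_code === implode("", $ret_js_code)) {
        continue;
    }

    // Never overwrite the original unless the backup copy was made.
    if (!rename_old_js_file($js_file)) {
        continue;
    }

    save_new_js_file($js_file, $new_js_code);
}
exit();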
#; EOF