Home / malware PHP.Anuna
First posted on 20 November 2015.
Source: SymantecAliases :
There are no other names known for PHP.Anuna.
Explanation :
The Trojan's malicious code has been seen to be added to WordPress PHP files on compromised web servers. The attackers may have used another tool or script to add this heavily obfuscated malicious code to the affected files.
The Trojan connects to the following remote locations: 33db9538.com9507c4e8.come5b57288.com54dfa1cb.com
Next, the Trojan receives malicious code from these remote locations and injects it into the body of a web page.
The Trojan does not perform any malicious activities if the PHP file's User Agent has one of the following strings: googleslurpmsnbotia_archiveryandexrambler
The Trojan also doesn't act if the PHP file name has the following string: admin
The Trojan then sends the following information about compromised PHP files to the remote locations: User AgentHTTP referrerHTTP hostRemote IP addressInfected PHP file name
If a user visits a web page containing an infected PHP file, then malicious code may execute on their computer.Last update 20 November 2015