From 04ea940ccddac5de07755df4443eff47ea08ec2a Mon Sep 17 00:00:00 2001
From: Justin Grimes
Date: Mon, 25 Mar 2019 22:17:54 -0400
Subject: [PATCH] v3.1 - PHP-AV to v3.9. Add SHA1 detection, code samples.

-v3.1.
-PHP-AV App to v3.9. Defs to v4.7.
-Add support for SHA1 hash detection ($data3, $virus[4]).
-Add code detection for lots of malicious files.
-Includes malicious code samples for Golang, Python, C++, node.js, Java, Javascript, PowerShell, Ruby, VBS & more.
-Fix obscenely large logfiles by removing filename logging during scanning.
-To continue logging filenames like before (and generate really large log files) set $CONFIG['debug'] = True;
-Fixed indented code blocks.
-Bump included WordPress version to v5.1.1 (latest).
---
 Applications/PHP-AV/PHP-AV-Lib.php | 93 ++++++++++-------
 Applications/PHP-AV/PHP-AV.php | 7 +-
 Applications/PHP-AV/virus.def | 159 ++++++++++++++++++++++++++++-
 3 files changed, 217 insertions(+), 42 deletions(-)
diff --git a/Applications/PHP-AV/PHP-AV-Lib.php b/Applications/PHP-AV/PHP-AV-Lib.php
index 5abe68ef..3dc367cf 100644
--- a/Applications/PHP-AV/PHP-AV-Lib.php
+++ b/Applications/PHP-AV/PHP-AV-Lib.php
@@ -45,49 +45,60 @@ function virus_check($file, $defs, $debug, $defData) { $filecount++; if ($file !== $InstLoc.'/Applications/PHP-AV/virus.def') { if (file_exists($file)) { - $txt = 'Scanning file '.$file.' ... '; - $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); + if ($debug) { + $txt = 'Scanning file '.$file.' ... '; + $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); } $filesize = filesize($file); $data1 = hash_file('md5', $file); $data2 = hash_file('sha256', $file); + $data3 = hash_file('sha1', $file); // / Scan files larger than the memory limit by breaking them into chunks. if ($filesize >= $memoryLimit && file_exists($file)) { - $txt = 'Chunking file ... '; - $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); + if ($debug) { + $txt = 'Chunking file ... '; + $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); } $handle = @fopen($file, "r"); - if ($handle) { - while (($buffer = fgets($handle, $chunkSize)) !== false) { - $data = $buffer; - if ($debug) { - $txt = 'Scanning chunk ... '; - $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); } - foreach ($defs as $virus) { - $virus = explode("\t", $virus[0]); - if (isset($virus[1]) && $virus[1] !== '' && $virus[1] !== ' ') { - if (strpos($data, $virus[1]) or strpos($file, $virus[1])) { - // File matches virus defs. - $txt = 'Infected: '.$file.' ('.$virus[0].', Data Match: '.$virus[1].')'; - $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); - $report .= '

'.$txt.'

'; - $infected++; - $clean = 0; } } } } - if (!feof($handle)) { - $txt = 'ERROR!!! PHPAV160, Unable to open '.$file.' on '.$Time.'!'; - $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); - $report .= '

'.$txt.'

'; } + if ($handle) { + while (($buffer = fgets($handle, $chunkSize)) !== false) { + $data = $buffer; + if ($debug) { + $txt = 'Scanning chunk ... '; + $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); } + foreach ($defs as $virus) { + $virus = explode("\t", $virus[0]); + if (isset($virus[1]) && $virus[1] !== '' && $virus[1] !== ' ') { + if (strpos($data, $virus[1]) or strpos($file, $virus[1])) { + // File matches virus defs. + $txt = 'Infected: '.$file.' ('.$virus[0].', Data Match: '.$virus[1].')'; + $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); + $report .= '

'.$txt.'

'; + $infected++; + $clean = 0; } } } } + if (!feof($handle)) { + $txt = 'ERROR!!! PHPAV160, Unable to open '.$file.' on '.$Time.'!'; + $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); + $report .= '

'.$txt.'

'; } fclose($handle); } - if (isset($virus[2]) && $virus[2] !== '' && $virus[2] !== ' ') { - if (strpos($data1, $virus[2])) { + if (isset($virus[2]) && $virus[2] !== '' && $virus[2] !== ' ') { + if (strpos($data1, $virus[2])) { + // File matches virus defs. + $txt = 'Infected: '.$file.' ('.$virus[0].', MD5 Hash Match: '.$virus[2].')'; + $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); + $report .= '

'.$txt.'

'; + $infected++; + $clean = 0; } } + if (isset($virus[3]) && $virus[3] !== '' && $virus[3] !== ' ') { + if (strpos($data2, $virus[3])) { // File matches virus defs. - $txt = 'Infected: '.$file.' ('.$virus[0].', MD5 Hash Match: '.$virus[2].')'; + $txt = 'Infected: '.$file.' ('.$virus[0].', SHA256 Hash Match: '.$virus[3].')'; $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); $report .= '

'.$txt.'

'; $infected++; $clean = 0; } } - if (isset($virus[3]) && $virus[3] !== '' && $virus[3] !== ' ') { - if (strpos($data2, $virus[3])) { + if (isset($virus[4]) && $virus[4] !== '' && $virus[4] !== ' ') { + if (strpos($data3, $virus[4])) { // File matches virus defs. - $txt = 'Infected: '.$file.' ('.$virus[0].', SHA256 Hash Match: '.$virus[3].')'; + $txt = 'Infected: '.$file.' ('.$virus[0].', SHA1 Hash Match: '.$virus[4].')'; $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); $report .= '

'.$txt.'

'; $infected++; @@ -116,14 +127,22 @@ function virus_check($file, $defs, $debug, $defData) { $report .= '
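Review bot: The new SHA1 branch `if (strpos($data3, $virus[4]))` cannot fire on an exact match, and neither can the MD5 and SHA256 branches it copies: `$data3` is the file's 40-character digest, so when it equals the definition's hash strpos() returns 0, which is falsy, and the file is reported clean. Compare digests with a strict string comparison such as `if (strcasecmp(trim($virus[4]), $data3) === 0)` (likewise `$virus[2]`/`$data1` and `$virus[3]`/`$data2`), and in the data branch write `strpos($data, $virus[1]) !== false || strpos($file, $virus[1]) !== false` so a pattern at offset 0 of a chunk or path is also caught. As far as the hunk shows, these three hash checks sit after the `foreach ($defs as $virus)` loop has closed, so on the chunked path `$virus` is only the last definition and only its hashes are ever compared — please confirm against the full function. Note also that `fgets($handle, $chunkSize)` stops at a newline, so a data pattern that straddles two reads is missed; virus_check's body continues past this hunk.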

'.$txt.'

'; $infected++; $clean = 0; } } - if (isset($virus[3]) && $virus[3] !== '' && $virus[3] !== ' ') { - if (strpos($data2, $virus[3])) { + if (isset($virus[3]) && $virus[3] !== '' && $virus[3] !== ' ') { + if (strpos($data2, $virus[3])) { // File matches virus defs. - $txt = 'Infected: '.$file.' ('.$virus[0].', SHA256 Hash Match: '.$virus[3].')'; - $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); - $report .= '

'.$txt.'

'; - $infected++; - $clean = 0; } } } + $txt = 'Infected: '.$file.' ('.$virus[0].', SHA256 Hash Match: '.$virus[3].')'; + $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); + $report .= '

'.$txt.'

'; + $infected++; + $clean = 0; } } + if (isset($virus[4]) && $virus[4] !== '' && $virus[4] !== ' ') { + if (strpos($data3, $virus[4])) { + // File matches virus defs. + $txt = 'Infected: '.$file.' ('.$virus[0].', SHA1 Hash Match: '.$virus[4].')'; + $MAKELogFile = file_put_contents($AVLogFile, $txt.PHP_EOL, FILE_APPEND); + $report .= '

'.$txt.'

'; + $infected++; + $clean = 0; } } } if (($debug) && ($clean)) { $report .= '

Clean: '.$file.'

'; } } } // / ----------------------------------------------------------------------------------- diff --git a/Applications/PHP-AV/PHP-AV.php b/Applications/PHP-AV/PHP-AV.php index c092d80b..f2004815 100644 --- a/Applications/PHP-AV/PHP-AV.php +++ b/Applications/PHP-AV/PHP-AV.php @@ -3,7 +3,7 @@ /*// HRCLOUD2-PLUGIN-START App Name: PHP-AV -App Version: v3.8 (8-21-2018 00:00) +App Version: v3.9 (3-25-2019 00:00) App License: GPLv3 App Author: FujitsuBoy (aka Keyboard Artist) & zelon88 App Description: A simple HRCloud2 App for scanning files for viruses. @@ -48,7 +48,7 @@ // / ----------------------------------------------------------------------------------- // / The following code sets the variables for the session. - $versions = 'PHP-AV App v3.8 | Virus Definition v4.6, 8/1/2018'; + $versions = 'PHP-AV App v3.9 | Virus Definition v4.7, 3/25/2019'; $memoryLimitPOST = str_replace(str_split('~#[](){};:$!#^&%@>*<"\''), '', $_POST['AVmemoryLimit']); $chunkSizePOST = str_replace(str_split('~#[](){};:$!#^&%@>*<"\''), '', $_POST['AVchunkSize']); $report = ''; @@ -56,10 +56,9 @@ $filecount = 0; $infected = 0; $CONFIG = Array(); - $CONFIG['debug'] = 0; + $abort = $CONFIG['debug'] = FALSE; $CONFIG['scanpath'] = $_SERVER['DOCUMENT_ROOT']; $CONFIG['extensions'] = Array(); - $abort = FALSE; $AVLogDir = $InstLoc.'/DATA/'.$UserID.'/.AppData/'.$Date; $AVLogFile = $AVLogDir.'/PHPAV-'.$SesHash.'-'.$Date.'.txt'; $AVLogURL = str_replace(str_split('~#[](){};$!#^&%@>*<"\''), '', '/HRProprietary/HRCloud2/DATA/'.$UserID.'/.AppData/'.$Date.'/PHPAV-'.$SesHash.'-'.$Date.'.txt'); diff --git a/Applications/PHP-AV/virus.def b/Applications/PHP-AV/virus.def index f8be3a9a..751df534 100644 --- a/Applications/PHP-AV/virus.def +++ b/Applications/PHP-AV/virus.def 
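Review bot: In the new SHA1 branch, as in the MD5/SHA256 ones beside it, `$txt` splices the raw `$file` path and definition text into `$report` (between what look like stripped HTML tags) and into the log file without `htmlspecialchars()`. `$file` presumably comes from walking `$CONFIG['scanpath']`, which is `$_SERVER['DOCUMENT_ROOT']`, so if `$report` is rendered in the browser a file named e.g. `<img src=x onerror=...>.txt` in the scanned tree executes in the page of whoever views the result, and a newline in a name can forge extra `$txt.PHP_EOL` log entries. Build the message as `$txt = 'Infected: '.htmlspecialchars($file, ENT_QUOTES, 'UTF-8').' ('.$virus[0].', SHA1 Hash Match: '.$virus[4].')';` (and escape `$virus[1]` the same way in the data-match message, since several new definitions contain `<`, `>` and quotes), or escape once at the point where `$report` is printed. The same strpos()-returns-0 problem applies to `strpos($data3, $virus[4])` here: an exact digest match yields offset 0 and is treated as no match, so use a strict comparison instead. virus_check continues beyond this hunk.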
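Review bot: `$abort = $CONFIG['debug'] = FALSE;` in the @@ -56 hunk of PHP-AV.php chains two unrelated flags into one statement, so a later change to the debug default silently changes the abort default too; keep them on separate lines as before, `$CONFIG['debug'] = false;` and `$abort = false;`. Since debug is now the only way to get per-file log lines, a short comment above it such as `// Per-file "Scanning ..." log lines are off by default; they add one line per scanned file.` would save the next reader a trip to the commit message. Unrelated to the changed line but visible in the neighbouring @@ -48 context: `$_POST['AVmemoryLimit']` and `$_POST['AVchunkSize']` are cleaned with a character blacklist rather than cast with `(int)`, and the chunk size appears to feed `fgets()` in the library; a cast with a sane minimum would be the simpler and safer guard.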
@@ -714,6 +714,163 @@ Trojan Disttrak.31 vdsk911.sys Trojan Disttrak.32 ntertmgr32.exe Trojan Disttrak.33 ntertmgr64.exe Trojan Disttrak.34 usbvideo324.pnf +Trojan Ruby.1 if first_line != virus_top b727b40999396587cf41dcb0e0a65ec0 131fa083cb8cd7ed02f48f4fba0f5190ea60d700031c00542c366097b4657463 +Trojan Ruby.2 = '#0x3a' +Trojan Ruby.3 w.call(FUScaZXvqH, +Trojan Ruby.4 FzJnoy +Trojan Ruby.5 WMIC.exe shadowcopy delete +Trojan Ruby.6 vssadmin.exe delete shadows +Trojan Ruby.7 Bcdedit.exe /set {default} recoveryenabled no +Trojan Ruby.8 Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures +Trojan Ruby.9 cmd.exe /C wevtutil.exe cl +Trojan PowerShell.1 110.10.179.65:80 638b7b0536217c8923e856f4138d9caff7eb309d +Trojan PowerShell.2 download/microsoftp.jpg d30e8c7543adbc801d675068530b57d75cabb13f +Trojan PowerShell.3 mshta.exe 973b1ca8661be6651114edf29b10b31db4e218f7 +Trojan PowerShell.4 syscheck.vbs 691686839681adb345728806889925dc4eddb74e +Trojan PowerShell.5 SndVolSSO.txt 3cf4b44c9470fb5bd0c16996c4b2a338502a7517 +Trojan PowerShell.6 activator.ps1:log.txt +Trojan PowerShell.7 sunjavascheduler.txt +Trojan PowerShell.8 Const HIDDEN_WINDOW = 12 +Trojan PowerShell.9 ("/OGaaaaa6ytd +Trojan PowerShell.10 kb-10233.exe +Trojan PowerShell.11 product_info.dll +Trojan PowerShell.12 208.67.222.222:53 +Trojan PowerShell.13 teriava.com +Trojan PowerShell.14 $$cpte +Trojan PowerShell.15 $$ecpte +Trojan PowerShell.16 testObj.Remove 1 +Trojan PowerShell.17 kerberos::tgt exit +Trojan PowerShell.18 logonpasswords exit +Trojan PowerShell.19 sekurlsa +Trojan PowerShell.20 lsadump::sam exit +Trojan PowerShell.21 kerberos:ptt +Trojan PowerShell.22 c:\programdata\log.dat +Trojan CPP.1 SetWindowsHookEx(WH_CBT, msgBoxHook, 0, GetCurrentThreadId()); +Trojan CPP.2 enablePayloads +Trojan CPP.3 waveOutOpen(&hwo, WAVE_MAPPER, &fmt, NULL, NULL, CALLBACK_NULL); +Trojan CPP.4 BY THE MEMZ TROJAN. 
+Trojan CPP.5 KILLMSGS, +Trojan CPP.6 "KillMessages" +Trojan CPP.7 \nYour PC is +Trojan CPP.8 Sleep(payloads[p].startDelay); +Trojan CPP.9 HANDLE note = CreateFileA("\\note.txt", GENERIC_READ | GENERIC_WRITE,1 +Trojan CPP.10 considered malware.\r\n\ +Trojan CPP.11 CreateThread(NULL, NULL, &watchdogThread, NULL, NULL, NULL); +Trojan CPP.12 LRESULT CALLBACK watchdogWindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam); +Trojan CPP.13 DWORD WINAPI ripMessageThread(LPVOID parameter) { +Trojan CPP.14 void killWindows() { 5421781c2c05e64ef20be54e2ee32e37 +Trojan CPP.15 void killWindowsInstant() { 5394b09cf2a0b3d1caaecc46c0e502e3 +Trojan CPP.16 PUNICODE_STRING AccountName, 1a4d58e281103fea2a4ccbfab93f74d2 +Trojan CPP.17 OutputDebugString(L"PasswordFilter"); 018433e8e815d9d2065e57b759202edc +Trojan CPP.18 FILE* pFile = fopen("c:\\windows\\temp\\logFile.txt", "a+"); facec411b6d6aa23ff80d1366633ea7a +Trojan Go.1 MAIL TO WHOEVER IS IMPORTANT +Trojan Go.2 All your servers will be DDoS +Trojan Go.3 We are Armada Collective. 
+Trojan Go.4 struct scanner.PHP{ +Trojan Go.5 struct scanner.Service{ +Trojan Go.6 iface scanner.Dialer{ +Trojan Go.7 iface scanner.Scanner{ +Trojan Go.8 iface scanner.PHPExecutor{ +Trojan Go.9 struct scanner.ConnScanner { +Trojan Go.10 struct scanner.HTTP { 0bf24e0bc69f310c0119fc199c8938773cdede9d1ca6ba7ac7fea5c863e0f099 +Trojan Go.11 struct scanner.HttpScanner{ 3fcd17aa60f1a70ba53fa89860da3371a1f8de862855b4d1e5d0eb8411e19adf +Trojan Go.12 struct scanner.Drupal{ 513224149cd6f619ddeec7e0c00f81b55210140707d78d0e8482b38b9297fc8f +Trojan Go.13 struct scanner.Wordpress { 941330c6be0af1eb94741804ffa3522a68265f9ff6c8fd6bcf1efb063cb61196 +Trojan Go.14 int main_main() 992ed9c632eb43399a32e13b9f19b769c73d07002d16821dde07daa231109432 +Trojan Go.15 tmweb.ru +Trojan Go.16 "Ethereum-WalletFailed to find Failed +Trojan Go.17 FindNextVolumeWFindVolume +Trojan Go.18 "monero-keystorems: gomaxprocs=multipart +Trojan Go.19 HyperCheats.rar +Trojan Go.20 HyperCheats.zip +Trojan Node.1 rawReq.write(JSON.stringify(body, null, 2)) +Trojan Node.2 var reproduce = function(target) { +Trojan Node.3 var getEntryPoint = function(packageJSON) { 8b90859b19e3e3dea8d923996709210ed48ff3249563f56ff12eb1936ffcc295 +Trojan Node.4 var getTargets = function(targets, dir) { afc100fb28f7bac05e41d9ae33f184502b8068642b7fd05970eb72bf1786892c +Trojan Python.1 injecteex64 5ffefc13a49c138ac1d454176d5a19fd +Trojan Python.2 injecteex86 b508908cc44a54a841ede7214d34aff3 +Trojan Python.3 MinerBlocker e5ba5f821da68331b875671b4b946b56 +Trojan Python.4 proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) 596dc36cd6eabd8861a6362b6b55011a +Trojan Python.5 SetValueEx(key ,'Adobe_ReaderX',0,REG_SZ,r"%TEMP%mw.exe") 645176c6d02bdb8a18d2a6a445dd1ac3 +Trojan Python.6 bablo39.php +Trojan Python.7 188.225.18.203 +Trojan Python.8 @.*@ -> inject js/i.js +Trojan Python.9 80 -> 24861 +Trojan Python.10 443 -> 24136 +Trojan Python.11 95.56.246.182 +Trojan Python.12 
194.105.148.87 +Trojan Python.13 213.135.106.194 +Trojan Python.14 aWJhbmswbmVja2xhY2UucnU +Trojan Python.15 b24saW51LmFsZWZiYW5rLnJ1 +Trojan Python.16 aWJhbmsuc3Bpcm10YmFuay5ydQ +Trojan Python.17 dmJyci5ydQ +Trojan Python.18 ZGJvMS51cmFsZm +Trojan Python.19 b2ZjLnJ1 +Trojan Python.20 cm9kbmF5YXN2eWF6LnJ1 +Trojan Python.21 *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif} +Trojan Python.22 l.IsValidCodePage(587903595) +Trojan Python.23 l.GetFileSize(4028719249,0) +Trojan Python.24 A.SwitchDesktop(2761630931) +Trojan Python.25 l.VerSetConditionMask(4023949374,975516802,3027135998,9930938) +Trojan Python.26 l.GetFileType(4282997275) +Trojan Python.27 C.glColor3ub(255, 255, 255) +Trojan Python.28 a = [[(- 1), (- 1)], [(- 1), 1], [1, 1], [1, (- 1)]] +Trojan Python.29 _fields_ = [('pt', c_ushort), +Trojan Python.30 A.RegisterHotKey(3322104681,3081727047,2221883463,745264245) +Trojan Python.31 _fields_ = [('Lt', c_ulong), +Trojan Python.32 drunkdared=spokenbier+meantreads +Trojan Python.33 R('Not an MZ image!') +Trojan Python.34 villainweapon('echorough='+solehers) +Trojan Python.35 R(("Failed to resolve the the '%s!%s' import" % (string_at(LO), string_at(mG)))) +Trojan Python.36 pupilabhorred="r" +Trojan Python.37 villainweapon=exec +Trojan Python.37 dmJyci5ydQ== +Trojan Python.38 cnNoYi5ydQ== +Trojan Python.39 Y2hhc2UuY29t +Trojan Python.40 fellreels="r" +Trojan Python.41 aS12dGIuYnk= +Trojan Python.42 Z29zdXNsdWdpLnJ1 +Trojan Python.43 aWIuc2xzcC5zaw== +Trojan Python.44 ZGVsdGEtb25saW5lLmt6 +Trojan Python.45 dWJyci5ydQ== +Trojan Python.46 eWFyYmFuay5ydQ== +Trojan Python.47 c21wb25iYW5rLnJ1 +Trojan Python.48 d3d3LnlhbmRleC5jb20= +Trojan Python.49 aWJhbmsyLnJ1 +Trojan Python.50 YmFuay50YWF0dGEucnU= +Trojan Python.51 b25saW5lLmJtLnJ1 +Trojan Python.52 YWxiYW5rLnJ1 +Trojan Python.53 YnNiLmJ5 +Trojan Python.54 aWJhbTI0LnJ1 +Trojan Python.55 bW1iYW5rLnJ1 +Trojan Python.56 YXZiYW5rLnJ1 +Trojan Python.57 if (c.cd) eval(c01(c10(bd(c.cd)))); +Trojan Python.58 
googletagmanage.com +Trojan Python.59 h = JSON.parse(h); +Trojan Python.60 eval(c01(c10(bd(html.cd)))); +Trojan Python.61 var exec = "di9+aC83PHA="; +Trojan Python.62 1e22b;CertFreeCertificateChain->51380;5 +Trojan Python.63 1c8b6;WSAConnectByNameA->50c60;5 +Trojan Python.64 value = text.value # Dump the content in value +Trojan Python.65 get_keystrokes(log_dir, log_name): +Trojan Python.66 keylogger.get_keystrokes(log_dir, log_name) +Trojan Python.67 elif i == 0x0d: # If , log the line typed then clear the line variable +Trojan VBS.1 SmallPlasticKeyboard7 = Round(447) +Trojan VBS.2 Avon82 = Round(608) +Trojan VBS.3 backingup43 = "Web" +Trojan VBS.4 copy23 = Round(MoneyMarketAccount37) +Trojan VBS.5 Function reboot5() +Trojan VBS.6 withdrawal60 = Round(412) +Trojan VBS.7 "_4@http:" +Trojan VBS.8 AwesomeSteelComputer16 = "nde.com.br" +Trojan VBS.9 Metal33 = "2@http:/" +Trojan VBS.10 reboot5 = withdrawal2 + ComputersGardenBooks30 + BooksGroceryBeauty50 +Trojan VBS.11 compelling69 = "" + program71 + GroceryBeauty72 +Trojan Java.1 AhMyth +Trojan Java.2 assertEquals("ahmyth.mine.king.ahmyth", appContext.getPackageName()); +Trojan JS.1 victimsList.addVictim( +Trojan JS.2 victimsList.getVictim(index).socket; +Trojan JS.3 send("SocketIO:VictimDisconnected"); Crazy Toolbar IE Exploit crazy-toolbar.com JS.Scob.Trojan 217.107.218.147 Liber Inc. Exploit advadmin.biz @@ -2169,4 +2326,4 @@ Known Ransomware Host: RigEK.2 hdyejdn638ir8.com Known Ransomware Host: RigEK.3 parking-services.us Known Ransomware Host: RigEK.4 188.225.78.226 Known Ransomware Host: RigEK.5 188.225.35.5 -Known Ransomware Host: RigEK.6 wdwefwefwwfewdefewfwefw.onion +Known Ransomware Host: RigEK.6 wdwefwefwwfewdefewfwefw.onion \ No newline at end of file
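Review bot: The identifier `Trojan Python.37` is used twice (`villainweapon=exec` and `dmJyci5ydQ==`), so two different detections are reported under one name and every later Python entry is numbered off by one; renumber the second occurrence and those after it. The second `.37` is also redundant with `Trojan Python.17 dmJyci5ydQ`, which already matches it as a substring. Several new data patterns are short or generic enough to flag benign files, given that the scanner matches them as plain substrings of both content and path: `208.67.222.222:53` (a public DNS resolver), `80 -> 24861`, `FzJnoy`, `AhMyth`, `sekurlsa`, the CSS rule in `Trojan Python.21`, and the shadow-copy/bcdedit commands in `Trojan Ruby.5`–`Ruby.9` will also hit any security write-up, script or copy of this definition file under the scan path, so consider a longer token or pairing them with a hash. If the SHA1-only entries such as `Trojan PowerShell.1`–`.5` are not padded with empty MD5 and SHA256 fields, the digest lands in `$virus[2]` and is compared against the MD5, never matching; the flattened view here cannot show the tabs, so please verify the column count.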