Gumblar.cn

Gumblar.cn is the latest PC threat out there – believed to be spreading even faster than the recent Conficker virus did.

Gumblar.cn is believed to attack computer systems via hidden codes from malicious websites. Gumblar.cn will then download itself and related malware onto the infiltrated systems.

Once embedded within a computer system, Gumblar.cn will install Trojan infections, as well as additional malware on the infected PC. Gumblar.cn is also known to monitor the traffic on the infected systems, and will attempt to steal passwords from the host computer as well.

Not only will Gumblar.cn severely degrade any computer system it has infiltrated, but it will also put all private information and data at serious risk. The best way to deal with Gumblar.cn would be to change all passwords, as soon as you suspect Gumblar.cn may be active on your system, and immediately proceed with removal processes.

How would one stop all Gumblar.cn processes?
Well there is the manual removal process, or the automatic process.

Manual Removal instructions are as follows:

1. Stop Gumblar.cn Processes:
Gumblar.cn.exe

2. Find and Delete these Gumblar.cn Files:
%UserProfile%\Desktop\Viruses.bdt
%UserProfile%\Desktop\Gumblar.lnk
c:\Program Files\Gumblar
c:\Program Files\Gumblar\Viruses.bdt
c:\Program Files\Gumblar\Gumblar.exe
c:\Documents and Settings\All Users\Start Menu\Programs\Gumblar
c:\Documents and Settings\All Users\Start Menu\Programs\Gumblar\Gumblar.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Gumblar.lnk
%UserProfile%\Application Data\Mozilla\Firefox\Profiles\s1jqw0bz.default\cookies.sqlite

3. Remove Gumblar.cn Registry Values:
5222009A-DD62-49c7-A735-7BD18ECC7350
HKEY_CURRENT_USER\Software\Gumblar

Being a malicious website, Gumblar.cn is considered highly suspicious and contains several exploit scripts and Trojan infections, which will only harm a system it comes into contact with. Gumblar.cn embeds encrypted scripts on various file formats, including: html, .JS and .PHP files.

As in all cases of viruses and infections – prevention is definitely better than cure, therefore one should ensure that your computer system is equip to withstand the threat of Gumblar.cn.

Below you will find a few facts on Gumblar.cn:

• Every infected site has its own modification of the script. However every modification has common parts and can be easily identified as the Gumblar.cn script.
1. The script starts with “(function)“
2. The function has no name. It is anonymous and self-invoking.
3. The script is obfuscated. I.e. some characters are replaced with their numeric codes, and then the “%” character replaced with some arbitrary character.

• When the script is executed (every time someone visits the infected web page), another script from “gumblar.cn/rss/” is silently loaded and executed.

• This code is usually injected right before the tag. I saw a web page with eight(!) tags (yeah, invalid HTML) and the Gumblar.cn scripts were injected before each of them.

• Sometimes I encounter this script on sites infected with the malicious iframes that I reviewed in my recent posts. So this exploit may use the same infection technique. And probably the same clean up steps may be applied.

• Unlike the recent iframe exploits, where the malicious code was only injected into files with most common filenames (e.g. index.html, index.php, etc.) this Gumblar.cn script is injected into every web page.

• This script is also injected into .js (JavaScript) files. Usually at the very bottom.

• Maybe it’s just a coincidence but about 95% of the infected sites used PHP. It is not possible to say for sure if the rest sites used PHP.

• This exploit doesn’t use some particular script vulnerability. I encountered it on phpBB, SMF and vBulletin forums, on WordPress 2.7.1 blogs, on proprietary PHP sites.

Gumblar.cn is highly capable of performing the following tasks:
• Steals FTP credentials
• Sends SPAM
• Installs fake anti virus
• Highjack Google search queries
• Disables security software

The exploits Gumblar.cn makes use of are Adobe Acrobat and Adobe Flash Player vulnerabilities, so best to watch out for these programs.

Here are a few tips on how to avoid being hacked and how to combat against malware infections.

• Rule 1:
Keep your Windows up to date. (Tip: Regularly visit Windows Update and set your PC to receive security and critical updates automatically)

• Rule 2:
Download and install a reliable anti-spyware program, one that will recognize the current form of Gumblar.cn, a well as other forms of spyware.

• Rule 3:
Install a firewall onto your system, and keep it turned on. A firewall is essential for complete protection for your system.

• Rule 4:
Keep the definitions in your anti-spyware up to date at all times.

One thing you should make sure you do – delete this dangerous infection from your computer system, as soon as you have detected any malicious activity.

The best way to ensure your system is safe, and in order to avoid any unneeded risks of damage to your computer system, it is highly recommended to make use of a reliable and legitimate anti-spyware application, to remove Gumblar.cn and all its components from the infected computer system.