Why I’m documenting and posting this
At the moment (March 20 2012) there is no anti-virus for the Agent.NEK Trojan and supposed experts are not able to see it point blank. I hope that these scratchy notes help someone who finds himself in the same predicament.
Signs of trouble
First came virus alarm reports from visitors to www.unclepasha.com/index2.php, www.unclepasha.com/horses.htm, www.kandalaksha-reserve.org, and http://www.littorina.narod.ru/. All these sites are run by me or close associates. PROBABLY A GOOD IDEA TO ENCOURAGE VISITORS TO REPORT IRREGULARITIES.
Anti-viruses that detected it, and how they detect it
http://wpantivirus.com just gave a notice of trouble on the site but no specifics. NOD32, trial version issues sporadic notifications. Consistent reports identifying ONLY ONE OF SEVERAL infected file came from the full version. But NOD32 would only cure the file by deleting it. ANOTHER TRAP: YOU TRY TO CURE YOUR SITE AND INSTEAD YOU LOSE EG. MAIN.JS. BACK UP! BE READY TO RETRACE YOU STEPS! There appears to be no real cure for Agent.NEK at the moment and a few incomplete reports scattered around seemto agree it has to be dome manually. Kasperky, according to a visitor report, gave a virus alarm but also pointed to ONLY ONE of infecte files. (As I think of it now, every antivirus installed on computers from which my site was accessed pointed to ONLY ONE infected file and then blocked further communications. Makes sense from the point of view of protecting site visitors. But if the site it yours don’t stop after cleaning up just one file.)
Attempts to oursource the task of removing Agent.NEK
Not being a computer expert, I tried approaching those who are supposed to know. Both self proclaimed expert I tried to get invlved stubbornly denied there is a problem. Interacting with them took hours of my time. What’s worse, while keeping me thinking they were doing something they were wasting precious time during which infected sites were detected by search engines and blacklisted.
But I’m thankful to Maria Gorina (www.hiddenmoscow.ru ) and the WordPressBoys outfit ( www.wordpressboys.com ) for encouraging me to turn my lazy brains on. Almost forgot to mention www.site5.com where I host my sites. They ran a virus check and also announced that all the numerous virus alarms and site visitor complaints are just noise.
It yielded very little other than that the malicious code is at the end of infected files. No instructions that could be followed.
Is it just me or has useful information really become much harder to locate than 10 years ago? Search engine results are becoming less relevant with every passing month. Hope it is just my attitude as opposed to one of many symptoms this world is going to a well-deserved hell.
But at here is what I had
– the virus is real. Four anti-viruses and 6-7 reports just can’t be wrong.
– exact files that were affected were identified (but not all at once as I realized later as any given antivirus would point to only one of them and then restrict the connection)
– there is no anti-virus to automatically take care of the problem and Agent.NEK was removed manually by those who got it before although none were able to write clear instructions
Removal of Agent.NEK code
The rest was a lot of trial and error. I confess I’ve never done anything inside of a code before. So there was a lot of guesswork, at first especially. But to someone who is not averse to computers and everything associated with them the task must be easier. But then again, as of recent I’ve seen so much computer incompetence that I don’t even know what to think. Let me try to reduce this long day into a short set of instructions:
1. Take virus alarms and complaints from your site’s visitors very seriously. On the other hand be skeptical about so-called experts. OK, I don’t care about Marina Gorina (www.hiddenmoscow.ru). The overall level of expertise in this land is low and I should have thought before hiring a Russian girl. But www.wordressboys.com is an outfit that proclaims itself to be expert in solving WordPress related problems! And they are Indians! Representatives of a nation known for its abitly to pay attention to detail. Got to reconsider my system of prejudices. And www.site5.com , a host that used to be spoken off very well, was unable to detect a virus on its own server! How that’s possible in American is beyond me. (One American outfits’s owner got into a hospital into a serious way after I sent him my questions. Am I cursed?!)
2. Locate files with .js extention. In my case they were in the WordPress, forum, dupal, script and similar directories in four sites.
3. BEFORE DOING ANYTHING SAVE FILES WHICH YOU ARE ABOUT TO MODIFY!!! While looking for informatin on Agent.NEK I stumbled into stories of people accidentally damaging or deletin key files. Restoring them was not easy. With Agent.NEK you are up to your nek already. Don’t aggravate your predicament by failing to take precautions.
4. Look for two long lines of code at the bottom of these files. That’s it. Delete them. MAKE SURE YOU’VE DOWNLOADED THE ORIGINAL TO YOUR COMPUTER OR SAVED IT UNDER A DIFFERENT NAME OR WHATEVER!! Most of the time I spend went on locating which exactly were the offending lines.
Below are examples of the code. It is different but every one has Array(dot)prototype(dot)slice. You can use this phrase to locate infected files. (Code removed not to confused scanners. Available on request if you can develp a proper solution agains Agent.NEK.)
That’s I think is it. Sounds disappointingly simple and trivial in retrospection.
A couple of days after I removed the virus I got a letter from www.sparktrust.com pointing to an infected file I missed. True enough it was there. www.spartkrust.com undertook to identify security problems in my main site www.unclepasha.com At the moment work is under way. (See above about each scanner identifying one file and then shutting off.)
Examples of code
Note that all of them have Array(dot)prototype(dot)slice(dot)call. All of them are two real long lines at the end of the file. The rest is probably of interest to experts only but I’m attaching it just in case. These codes below may help you to visually identify them.
If you wish to talk to me about Agent.NEK or similar problem
Examples of malicious code
xxxxxxxx Removed in order not to confuse virus scanners. Let me know if you nee it. It begines with var..half a line of text… Array(dot)prototype(dot)slice(dot)call. Replace “dot” with real dot. That’s so that scanning soft doesn’t find dirty words on my site. Thanks to www.sparktrust.com for this very sensble advice. If you need the code to work on a solution I’ll e-mail it to you.