FTP virus spreading in new ways

An earlier blog post described how several of our customers got their personal computers infected by a new virus that has been spreading across the Internet. Initial versions of the virus spread themselves by reading a Web site’s FTP username and password stored on the PC, then downloading Web pages, inserting an “iframe” tag, and re-uploading the Web pages back to the server. As a proactive measure, we started scanning all uploaded files and stripping out any malicious “iframe” tags.

We are now seeing newer versions (commonly called “Gumblar”) which spread by inserting “script” tags with encoded JavaScript code. Because there are several variations of this approach, and because some legitimate commercial scripts use the same technique to hide their source code, we cannot perfectly identify and strip out these infections. Therefore, we will not automatically strip out the “script” tags from any upload file that looks suspicious.

If your Web site is infected, your best solution is to:

  1. Scan your computer for malware. See our prior blog post for links to suggested scanning software.
  2. Change your account password in our control panel (since your account password is also your FTP password).
  3. Change the passwords for any additional FTP accounts you may have defined.
  4. Re-upload (or “re-publish”) your Web site to our servers.

Of course, we always recommend that users run anti-virus software on their systems, and keep backups of their Web site files and data.


  1. I have Analytics installed on my website. The folks at google showed me the exact problem. It seems to be Gumblar or its other name Troj/JsRedir-R this is a link to the blog http://www.cnet.com/1770-5_1-0.html?query=martuz.cn%2F.&tag=srch . What I thought was an annoying Google search redirect on my office computer, was actually a pretty big deal. It got some good suggestions too.

  2. The malware family doesn’t just read the passwords that are stored on the infected computer. It also captures them when they are used, possibly even if they are used on another otherwise clean computer. See here.

  3. This is an email I got through an friends email account sent to me through theres, I am sure its a stealing virus-ish page can anyone help me confirm ?

  4. Yes i will agree with your words. Some of my friends shared me this information. When you are infecting from FTP Virus to clean your computer click the given link.