Premium WordPress themes are pirated and are used to spread WP-VCD malware. This malware is hidden in legitimate WordPress files. It is used to add secret admin user and allows the hackers to take complete control. The malware was first spotted by Italian cybersecurity specialist Manuel D’orso. The malware was first loaded via a call for wp-vcd.php file and that inject malicious code into the original core files.

This code creates a new secret admin user account called 10000010. The reason to bring this malware was to open a connection to infected sites so that hackers can carry out attacks later.

This malware also sent spam messages which led users back to the websites offering pirated themes which helped them propagate their malware. As we all say, to defeat your enemy we should know(understand) them well. We can’t remove the malware code before removing the main WP-VCD file. Attackers may try to inject pop advertisements into your website to spread the malware.

function.php file after attack WP-VCD-malware

They can also transfer if we have downloaded themes from the third party free download sites. These free versions will create class.theme.php or class.plugin-module.php files which contain the malware code.

This affected WordPress themes gives loopholes in outdated plugins and themes. Hackers are then able to exploit vulnerabilities in WordPress plugins and themes to upload wp-vcd on different sites. If your site has outdated WordPress plugins and themes or if you do not have web application firewall, you are more likely to get attacked by this malware. You can contact a good WordPress development service to solve this.

Your hosting provider is likely to suspend your WordPress account because of wp-vcd malware to protect other websites. Pages on your website may get redirected to shady websites due to this attack. You will see PHP files everywhere in your directory.

Follow the below mentioned steps to remove WP-VCD malware:

• Creating a backup of the safe files is a better option.
• Firstly, remove WP-VCD.php file from WordPress core. It has file rewritten with malware code by the name function.php file. A plug-in can be used to find malware code on your website. Or else find them manually and delete them.
• Before jumping to this delete class.theme-modules.php and class.plugin-modules.php files otherwise, the malware will be generated again and again.
• Go to the WordPress install directory and you will get a file named wp-includes/wp-vcd.php which contains the malware. Delete them.
• Delete all the below mentioned files if found in your WordPress install directory:

    wp-includes/wp-vcd.php;
    wp-includes/class.wp.php;
    wp-includes/wp-cd.php;
    wp-includes/wp-feed.php;
    wp-includes/wp-tmp.php;

• Open the function.php file to remove the malware code

Tips to prevent WP-VCD malware from entering the computer:

1. Enable Popup blocker

2. Keep windows updated

3. Try to avoid free third-party downloads

4. Install Anti-virus

5. Have Regular backup facility

Deleting the malware once affected is not an also easy job. This malware tends to infect other areas on the website and also install different types of malware codes. Hence it is very important to create an effective security strategy which will do the analysis and completely clean the website.

Extra care is needed to avoid to become the victim of this kind of attacks even with the updated WordPress development installs. Always monitor and update your themes.

Pankaj Sakariya

January 25, 2019