[FIXED] How to Remove WP-VCD Malware in WordPress

Updated: June 28th, 2024
8 mins read

The WP-VCD malware, named after the wp-vcd.php file has been creating quite a havoc in the WordPress space. Since its first detection by our security threat intelligence team more than a year ago, this malware has evolved and become more sophisticated. Here’s our research about the evolution of this notorious malware and how to fix & prevent the wp-vcd malware infection on your website.

Symptoms of the WP-VCD malware:

  1. New admin users added to WordPress: We’ve seen hackers add themselves as a user in WordPress with administrator privileges.

  2. High resource consumption: The WP-VCD malware is known to consume your server resources. We’ve also seen hosting companies suspending accounts citing ‘high resource utilization’ as the reason.

  3. Slowed down website load time: Often the load time of websites infected with this malware is affected adversely. In some cases, we’ve seen websites that usually take 2-3 seconds to load taking more than 30 seconds to load!

  4. Unknown Javascript code: We’ve seen unknown javascript code added to either some important WP files like functions.php, index.php, or to almost all the core WP files. The second one usually is a nightmare to fix, often leading to the redirection of the website to malicious domains too.

  5. Malicious PHP code within core folders: The ‘WP-VCD’ code is added at various places within WordPress. This is from where the name of the malware comes from. From its name, one might presume the file is a part of WordPress but on cod- analysis turns out it is malware.

    Here’s an example of a WP-VCD malware well hidden within the wp-includes directory, flagged by Astra Security’s malware scanner.


    WP-VCD malware

Top causes for the WP-VCD virus infection:

Once infected, removing the infection and ensuring your WordPress is watertight secure going forward is essential. At the same time, it is equally important to know what could have been the source of the infection in the first place. A few entry points that we’ve identified include:

  • Pirated & nulled themes: WP-VCD malware comes pre-installed with pirated versions of a paid theme/plugin. These nulled (pirated) themes and plugins contain malicious scripts that get deployed when you install them.

    After setting its foot on your website through a nulled theme, it goes on to infect every other theme on your site. In the case of a shared server, this malware then propagates to infect each unprotected site hosted on that server. That’s why we often see this malware infects all the websites on the same server when they aren’t containerized.

  • Un-updated plugins & themes: This is one of the top causes of almost all WordPress infections. However, updating all the themes/plugins after the infection has happened doesn’t mean the infection would go away. Cleaning the infection is still required and so is ensuring proactive security, more on it below.

  • No proactive security on the website: Truth be told, hackers have evolved their techniques over the years. They gain thousands of dollars from such hacks, which means that they can spend hundreds of dollars automating these hacks to infect thousands/millions of websites at once.

    To protect against such evolved WordPress hack techniques, a small investment in a security tool goes a long long way. Saves you headaches at times like these and prevention of SEO/marketing/sales loss from the downtime is another added benefit.

How exactly does the WP-VCD malware work?

[some technical (yet super important) jargon ahead]

It’s really important to understand what exactly does WP-vcd does and how it’s able to slow your website eating up all your precious server resources.

When malicious code is inserted in your website, it usually sits in core files like functions.php/index.php. Now, this malicious code makes a call to files within your website. When your website is opened from the browser, it tries to reach the files to which malware is making the call. And these files may or may not exist on your website causing the functions.php to get executed again. Essentially bringing the website loading process to a big loop. This, in the security language, is called a ‘forkbomb’.

Fork-bomb interpretation. Source: Wikipedia.

“In computing, a fork bomb (also called rabbit virus or wabbit) is a denial-of-service attack wherein a process continually replicates itself to deplete available system resources, slowing down or crashing the system due to resource starvation.”

from Wikipedia.

Step 1: Deploys malicious scripts

In the functions.php file within your theme, you would see some code similar to this:

<?php if (file_exists(dirname(__FILE__) . '/<b>class.theme-modules.php</b>')) <b>include_once</b>(dirname(__FILE__) . '/<b>class.theme-modules.php</b>'); ?>

This code checks if there are deployer scripts available and subsequently executes them. As you can see in the code above, the file that’s been called is the class.theme-modules.php file. Now, depending on where the infection emanates from (i.e. theme or plugin), the malicious script will be in file class.theme-modules.php or class.plugin-modules.php respectively.

Step 2: Creates backdoor

<?php
 
//install_code1
error_reporting(0);
ini_set('display_errors', 0);
DEFINE('MAX_LEVEL', 2); 
DEFINE('MAX_ITERATION', 50); 
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);

$GLOBALS['<b>WP_CD_CODE</b>'] = 'PD9waHANCmVycm9y...(base64-encoded string of PHP code)
...

This code creates a new admin user with a name similar to 100010010. The objective of this backdoor admin account is to make sure that the hacker is able to access the website even if you delete the malicious code basically, so that the attackers could attack your website at a later point in time.

Step 3: Gets instructions from hackers

Sometimes hackers inject URLs of their C2 servers. These URLs are later called to deploy action across the infected sites in one go. Domains such as www.krilns[.]com/code.php​, ​krilns[.]pw​, ​krilns[.]top, etc have been found executing this in many WP-VCD infected sites.

Step 4: Infects other files and sites

The next thing that the WP-VCD malware does is to expand itself. It deploys the malicious script in every theme and plugin on your site. Next, it goes on to find vulnerable sites on the same server and infects them too.

This propagation starts with the deployment of a script located at wp-includes/wp-vcd.php​. It’s followed by modifications in the core wp-includes/post.php​ which at last execute the code in ​wp-vcd.php​ on every page.

How to fix & remove the WP-VCD WordPress malware?

  1. Finding & removing malicious code: There are a few places where probability of finding the malicious code is high. Though, hackers often try to improve their ways to hide the malware more creatively still these files/folders on your server are worth starting the hunt from:

    • wp-includes/wp-vcd.php
    • wp-includes/wp-tmp.php
    • wp-content/themes/*/functions.php (all themes installed on the server whether active or not)
    • class.wp.php
    • code1.php
    • class.theme-modules.php (inside the theme folder)

  2. Searching malicious string patterns: Searching for string patterns that are found in infected malware files helps you in narrowing down the search. A few of them mentioned below:

    • tmpcontentx
    • function wp_temp_setupx
    • wp-tmp.php
    • derna.top/code.php
    • stripos($tmpcontent, $wp_auth_key)

  3. Analyze functions.php: This file is one of the top infected files by hackers. Reviewing the code in functions.php can reveal the controlling code of wp-vcd malware.

  4. Run a diff check to ensure code authenticity: Run a diff check of the file contents on your server with corresponding files in the WordPress core GitHub repository or theme/plugin directory. You can use either of the approaches (or both) using SSH or using your IDE.

    file difference checker - Astra Security
    (File difference checking, screenshot from Astra’s malware scanner showing malware added at the top of index.php file)

  5. Run a malware scan: In such malware infection situations, a malware scanner can save you hours of hunting for malware (which still doesn’t guarantee success). Malware scanner not only scans each and every file of the server but ensures every difference in core files of your WordPress is pointed out.
Astra Security’s malware scanner flagging malicious WP-VCD code hidden in a theme folder

The WP VCD malware gets a foothold in your site by leveraging loopholes in outdated plugins and themes. In most WP-VCD cases, the web owners infect themselves by installing a free/nulled plugin & themes from unauthorized sources, while in others it occurs as a result of contamination by infected sites.

One of the biggest lessons to be learnt from such hacks is to ensure your website is secure going forward. Not ending up in a hack situation like this is totally possible using Astra Security Suite that powers security of thousands of websites around the globe, stopping millions of attack and malware every day!