WP-VCD Malware Attack: How to Clean Up After

This blog post will walk you through the WP-VCD malware attack and how to clean up after it.
The malware known as “wp-VCD” infects WordPress core through the known “themes” available on the platform. WP-VCD malware hides in legitimate WordPress files and is used to add an admin user. This attack gets access to website server resources. As a result, other websites on the same server are infected. Also, this attack slows down the WordPress website and other websites on the same server. Until you can’t identify and delete the malware root, you will see it appear multiple times.

What is WP-VCD malware?

WP-VCD malware comes with pirated versions of paid themes or plugins that this malware has pre-installed. This attack creates a backdoor as an admin user who allows hackers to access the entire website. The attacker adds a new admin user like “username: 100010010”. And they also infused malicious code to rewrite into WordPress core files like function.php and class.wp.php et cetera. WP-VCD malware attack is difficult to detect as a web owner because the output of this infection is often not visible.

Causes of WP-VCD hack

Pirated version of WordPress themes and plugins is the primary source of this malware. The provider of those free null or pirated plugin themes spreads VCD malware by pre-installing plugins and themes. One example of those free null providers with malware is “downloadfreeethemes.” Once you install a plugin or theme downloaded from an untrusted source, your website may get infected immediately. The other websites are on the same control panel within a few minutes. However, you may not be able to know that immediately.
Another way to spread wp-vcd malware is outdated software with unrestricted file upload vulnerability.

Identify a WP-VCD malware

First of all, check the admin user of your WordPress website. See if there are any unknown administrator accounts, for example, username: “test@test.com,” “support@wordpress.com” etc.
Compare core files between the WordPress website and the original WordPress version. There might have been malicious files like wp-vcd.php and wp-tmp.tmp.
Check your website if some pages redirect users to a suspicious website.
Sometimes, websites are infected with SEO spam. Which shows up in the Google search results in Japanese keywords or Pharma attack.
Check if the website suddenly used high system resources.
Check for malicious JavaScript code in your website source code
Use WAF (Web Application Firewall) plugin to check any changes in your website’s core file, specifically wp-includes and wp-admin folders.
Scan your website using a Security & malware scanner to detect your website is hacked or not.

WP-VCD malware injected files sample

In most cases, we get the below files infected with this VCD script.

wp-content/themes/themename/functions.php
WP-VCD.php
wp-includes/post.php
wp-includes/wp-vcd.php
wp wp-includes/wp-cd.php
includes/class.wp.php
wp-includes/wp-feed.php
wp-includes/wp-tmp.php

Also, the source of this infection, the pirated or null plugin or theme version, contains a file as class.plugin-modules.php

functions.php

Sample wp-includes/post.php

Sample ../wp-includes/wp-vcd.php

Clean a WP-VCD malware

As the WordPress core is infected, WordPress manual reinstallation is required. Before that, ensure the source plugin or the theme is detected and removed. Otherwise, this infection will be back at any moment.
Here are the steps that should be taken to get rid of WordPress VCD malware.

Identify the source plugin or theme and the source website if multiple websites are infected in the same server.
Remove the null plugin or theme that contain a file class.plugin-modules.php
Except wp-content, wp-config.php, .htacess, remove everything else from the domain root directory
Check every theme functions.php file, and check and remove the first block of PHP if you see malicious VCD script
Download a fresh and latest version of WordPress
Extract the downloaded zip, remove the "wp-content" directory, zip it again. upload and extract under the domain directory

Those are the basic steps mentioned above, but the site may still contain malicious files under themes or plugins. Please take professional help to make sure the website is clean and secure.

Does your website secure enough? - Free Security Audit

WP-VCD Malware Attack: How to Clean Up After

What is WP-VCD malware?

Causes of WP-VCD hack

Identify a WP-VCD malware

WP-VCD malware injected files sample

functions.php

Sample wp-includes/post.php

Sample ../wp-includes/wp-vcd.php

Clean a WP-VCD malware

Related Articles

How to Remove Malware & Clean a Hacked WordPress Site

WordPress DDoS Attack and Mitigation Strategies

Is Your WordPress Website Hacked? How to know and secure WordPress

Nulled Themes and Plugins: Your Website’s Security at Risk

WordPress pharma hack

Top 10 Tips to Keep Your WordPress Site Secure

Categories

Latest Blog Updates

Unmasking a Persistent Malware Attack on a WordPress Website

Investigating and Resolving High CPU Usage in WordPress Due to Malicious Crawlers

Unmasking a Hidden Malware Attack Targeting Users from Search Results

Critical Broken Access Control Vulnerability in WP Travel Plugin

Critical Broken Access Control Vulnerability in WooODT Lite Plugin

Critical Local File Inclusion Vulnerability in HTML filter and csv-file search Plugin

Critical Remote Code Execution Vulnerability in PHP to Page Plugin