Decoded malware code [closed]

The malware stores an array of PHP fragments to execute at the bottom of its own file, delimited and encoded using the MD5 hash of the filename. It has a specific GUID to control it; on startup it checks all POST and cookie values for properly-encoded commands: PHP serialized arrays, XORed with both the parameter or cookie name and the control GUID, then base64-encoded. Its commands are:

  • return malware and PHP version info
  • eval an arbitrary PHP string passed in
  • add or remove PHP ‘plugins’ from the saved array of PHP fragments

Otherwise it runs everything in its saved array.

If you want to see what the saved array of PHP is in your copy, take the code up to and including function xlkrcv() except change syywzq() to return the full filename of the .ico file. (If you’ve moved it you’ll need to substitute md5(syywzq()) throughout for the MD5 sum of the original file path.) You can then run and dump out the results of xlkrcv().
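For incident responders who have captured the POST bodies or cookies sent to an infected host, the encoding described in the answer can be reversed to recover what the operator issued. The following is an added example, not code from the original post or from the malware: it assumes a placeholder GUID (the real one must be read out of the infected file), assumes the two XOR passes are simple repeating-key XORs, and uses a made-up array payload, since the post does not document the actual command keys.

```python
import base64
import re
from itertools import cycle
from typing import Dict, List, Optional

# Placeholder control GUID (assumption): each infection has its own, which has to
# be recovered from the infected file rather than from this example.
CONTROL_GUID = "00000000-0000-4000-8000-000000000000"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_command(param_name: str, value: str, guid: str = CONTROL_GUID) -> Optional[bytes]:
    """Undo the described encoding: base64-decode, then strip the XOR with the
    parameter/cookie name and the XOR with the GUID. XOR commutes, so the order
    of the two passes does not matter. Returns None if the value is not base64."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return xor_with_key(xor_with_key(raw, param_name.encode()), guid.encode())


def looks_like_php_serialized_array(data: bytes) -> bool:
    """Structural check only: a serialized PHP array has the form a:<count>:{...}."""
    return re.fullmatch(rb"a:\d+:\{.*\}", data, re.S) is not None


def scan_request(params: Dict[str, str], guid: str = CONTROL_GUID) -> List[str]:
    """Return the POST/cookie parameter names whose value decodes to a serialized
    array under this scheme, i.e. candidate operator commands worth triaging."""
    hits = []
    for name, value in params.items():
        decoded = decode_command(name, value, guid)
        if decoded is not None and looks_like_php_serialized_array(decoded):
            hits.append(name)
    return hits


def constructed_request() -> Dict[str, str]:
    """Constructed sample of a captured POST body. The array contents are invented
    for the example; 'page' carries ordinary base64 ('hello') as a negative case."""
    payload = b'a:1:{s:3:"cmd";s:4:"info";}'
    encoded = base64.b64encode(
        xor_with_key(xor_with_key(payload, b"data"), CONTROL_GUID.encode())).decode()
    return {"data": encoded, "page": "aGVsbG8="}
```

Run scan_request over every captured request to the infected URL and feed each hit's decoded bytes to a PHP unserialize in a sandbox (or a parser) to see which of the three commands was used.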