Finding

A quick way to scan a bunch of WordPress installs for the Docs virus. Not sure of the real name since I can't find a reference to it on the net.

dir /s /b *.php | find "docs.php"

A more thorough search is:

findstr /sim /c:"chr(base_convert(substr" *.php

This looks for the actual code that decodes the virus.

Either method could produce some false positives so apply some comment sense before deleting files.

Removing

Removing the virus consists of checking the first line in the function.php file for each theme and removing the junk after <?php

Then delete the Docs plugin.

You will need to do this with your site disabled as the plugin will reinfect the functions.php files and the functions.php extras will reinstall the plugin.

Analysis

I haven't spent too much time trying to figure out what it does exactly. However, this is what I do know.

The code added to the theme functions.php

First it checks to see if the wp-content/plugins/docs/docs.php file exists and if not it downloads a copy from http://lamulata.biz/cript_doc.php

Next if the docs.php file exists it checks to see if it is activated. If not it activates it.

docs.php

Registers a daily cron job which is used to update itself.

Uses the docs_wp_plugin_active_list_update action to hide itsoft from the plugin list.

Hooks the wp_head action which seems to send some data about the current request to http://178.132.204.58/index.php

Ultimately it seems to fetch some content from a remote site and includes it in the page content or completely replaces the content.

One of the side effects is that it looks for a writeable tmp directory and caches data there. I found over 25,000 files in one cache folder.