Most of this page is derived from the Wikipedia article Gumblar; the list of authors can be seen in the page history. As with Malware Wiki, the text of Wikipedia is available under the Creative Commons Attribution-ShareAlike 3.0 License.
The malicious site serves the visitor a malicious PDF, which is opened by the visitor's browser or by Adobe Acrobat Reader. The PDF then exploits a known vulnerability in Acrobat to gain access to the user's computer. Newer variants of Gumblar instead redirect users to sites running fake antivirus software.
The virus locates FTP clients such as FileZilla and Dreamweaver and harvests the passwords they have stored. Gumblar also puts the network card into promiscuous mode, which lets it sniff local network traffic for FTP credentials; it is one of the first viruses to incorporate an automated network sniffer.
The virus also modifies .htaccess and HOSTS files, and creates images.php files in directories named 'images'. The infection is not a server-wide exploit: it only infects the sites on a server for which it has obtained passwords.
Different companies use different names for Gumblar and its variants. Initially the malware connected to the gumblar.cn domain, but that server was shut down in May 2009. Many badware variants have emerged since then, connecting to other malicious servers through injected iframe code. Examples include Martuz.cn, Troj/JSRedir-R, and iframe.
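The file-system indicators described above (an images.php file inside a directory named 'images', rewritten .htaccess files, and injected iframe code) can be checked with a scan of the web root. The following is an added example, not code from the original page; the directory layout, the iframe-matching regular expression and the sample tree it builds are all constructed assumptions.

```python
import os
import re
import tempfile

# Injected iframe markup is the indicator the page names for the newer variants.
IFRAME_RE = re.compile(r"<iframe[^>]*>", re.IGNORECASE)

def scan_webroot(root):
    """Walk `root` and return sorted (indicator, path) tuples for the three
    file-system indicators: images_php, htaccess and iframe_inject."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # images.php dropped into a directory literally named 'images'
            if name == "images.php" and os.path.basename(dirpath) == "images":
                findings.append(("images_php", path))
            # every .htaccess is reported so an admin can review it for changes
            if name == ".htaccess":
                findings.append(("htaccess", path))
            if name.endswith((".php", ".html", ".htm", ".js")):
                with open(path, "r", errors="replace") as fh:
                    if IFRAME_RE.search(fh.read()):
                        findings.append(("iframe_inject", path))
    return sorted(findings)

def build_sample_tree(root):
    """Create a constructed sample web root (placeholder files, not real malware)."""
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "css"))
    samples = {
        "index.html": "<html><body>clean page</body></html>\n",
        "about.html": '<html><iframe src="http://example.invalid/" width="0"></iframe></html>\n',
        ".htaccess": "RewriteEngine On\n",
        "css/style.css": "body {}\n",
        "images/images.php": "<?php /* constructed placeholder */ ?>\n",
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)

def demo():
    """Build the sample tree, scan it and return findings with root-relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(kind, os.path.relpath(path, root).replace(os.sep, "/"))
                for kind, path in scan_webroot(root)]

if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:14} {rel}")
```

Point `scan_webroot` at a real document root to use it outside the demo; the .htaccess hits are a review list, not a verdict, since legitimate sites have them too.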