Santy.a Worm

[Mobo]

Virus News. Tuesday, December 21, 2004
************************************************** ****************

1. Net-Worm.Perl.Santy.a threatens Internet forums
2. How to subscribe/unsubscribe
3. Security Rules

****

1. Net-Worm.Perl.Santy.a threatens Internet forums

Kaspersky Lab, a leading developer of secure content management systems,
has detected a new worm, Net-Worm.Perl.Santy.a. This worm infects
certain web sites by exploiting a vulnerability in phpBB, a popular
package used to create Internet forums. Santy.a is spreading rapidly,
and has caused an epidemic. However, this does not directly affect end
users - although the worm infects web sites, it does not infect
computers used to view these sites.

Santy.a is something of a novelty - it creates a specially formulated
Google search request, which results in a list of sites running
vulnerable versions of phpBB. It then sends a request containing a
procedure which will trigger the vulnerability to these sites. Once the
attacked server processes the request, the worm will penetrate the site,
gaining control over the resource. It then repeats this routine.

Once the worm has gained control over a site, it will scan all
directories on the infected site. All files with the extensions .htm,
.php, .asp, .shtm, .jsp and phtm will be overwritten with the text 'This
site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm
generation'.

Apart from defacing infected sites with this text, the worm has no
payload. It will not infect machines which are used to view infected
sites. Kaspersky Lab recommends that all users of phpBB should upgrade
to version 2.0.11 to prevent their sites from being defaced.

An urgent update to Kaspersky Anti-Virus databases has already been
issued. Information about Santy.a can be found in the Kaspersky Virus
Encyclopaedia.