Net-Worm.Perl.Santy.a (Kaspersky Lab)
is also known as:
Perl.Santy (Symantec), Perl/Santy-A (Sophos), Perl/Santy.A.worm* (RAV), PERL_SANTY.A (Trend Micro), Perl/Santy.A.2 (H+BEDV), Unix/Santy.A (FRISK), PERL/Santy (Grisoft), Worm.PhpBB.Santy.A (SOFTWIN), PHP/Santy.gen (Panda), Perl/Santy.A (Eset)
Detection added: Dec 21 2004
Description added: Dec 21 2004
Behavior: Net-Worm
This worm spreads via the Internet by exploiting a vulnerability in phpBB,
software used to create forums and web sites. phpBB versions lower than 2.0.11
are vulnerable.
The worm is written in Perl, and is 4966 bytes in size.
Propagation
The worm creates a specially crafted Google search request. This request
returns a list of sites running vulnerable versions of phpBB. The worm then
sends a request containing an exploit for the vulnerability to every site found.
When the server under attack processes the exploit, the worm penetrates the
site and gains control. This process is then repeated.
The worm scans all site directories, and overwrites files with the following
extensions:
.asp
.htm
.jsp
.php
.phtm
.shtm
with the following text:
This site is defaced!!!
This site is defaced!!!
NeverEverNoSanity WebWorm generation
Using MSN to search for sites containing the above strings gives an extensive
list of sites, which is evidence that Santy.a is currently causing an epidemic.
Users should note that this worm is not dangerous; it will not infect computers
if users view an infected site.
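
A defender-side sweep for the overwrite behaviour described above, as an added example that is not part of the original description: it walks a web root and reports files with the listed extensions that contain both defacement strings. The function names, the 64 KB read limit, the prefix matching of extensions and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions the description lists as overwritten by the worm.
TARGET_EXTS = (".asp", ".htm", ".jsp", ".php", ".phtm", ".shtm")
# Marker strings taken from the defacement text quoted in the description.
MARKERS = (b"This site is defaced!!!", b"NeverEverNoSanity WebWorm generation")
MAX_READ = 64 * 1024  # assumption: the defacement page is short, read only the head

def is_target(name):
    """True if the suffix starts with a listed extension (assumption: so that
    .html, .shtml and .phtml are swept as well as the exact suffixes)."""
    suffix = os.path.splitext(name)[1].lower()
    return any(suffix.startswith(ext) for ext in TARGET_EXTS)

def find_defaced(webroot):
    """Return sorted paths under webroot whose content holds every marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not is_target(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(MAX_READ)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if all(marker in head for marker in MARKERS):
                hits.append(path)
    return sorted(hits)

def demo():
    """Build a constructed web root and return the relative paths flagged."""
    defaced = b"This site is defaced!!!\nNeverEverNoSanity WebWorm generation\n"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "forum"))
        samples = {
            "index.html": defaced,
            "forum/viewtopic.php": defaced,
            "about.htm": b"<html>clean page</html>",
            "notes.txt": defaced,  # not a targeted extension, so not swept
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in find_defaced(root)]

if __name__ == "__main__":
    print(demo())
```

Pages that merely quote the defacement text, such as a saved copy of a write-up, also match, so each hit should be reviewed before restoring from backup.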