Wednesday, December 22, 2004

PHP/Santy.A.worm: New Network Worm Attacks Vulnerable phpBB Servers and Erases All Content

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, December 21, 2004 - In recent hours, PHP/Santy.A.worm, a new network worm written in Perl, has appeared on the Internet and begun to distribute itself rapidly.

This malicious code uses Google to execute mass searches for servers that are running phpBB, the popular application for forums, news groups, blogs, etc., in versions earlier than 2.0.11 and without the patch that protects against the viewtopic.php vulnerability that was discovered this past November 15.

The patch to correct the vulnerability may be downloaded from http://www.phpbb.com/phpBB/viewtopic.php?t=240513.

Once the worm locates a targeted server, it takes advantage of the phpBB Remote URLDecode Input Validation Vulnerability to obtain remote access to the web server.

When access is obtained, it goes through the various directories, overwriting files that have an .asp, .htm, .jsp, .php, .phtm or .shtm extension and installing in place of each a page that displays the following message: "This site is defaced!!! NeveEverNoSanity WebWorm generation X."

In the message, "X" varies according to the infections that the new virus is able to accomplish. This Internet worm affects only servers and distributes itself only among them. Therefore, residential users are unaffected.

Nor will residential users be affected if they visit pages that have been infected by the worm. Given that the vulnerability operates at the application level, web servers with either Windows or Linux operating systems may be affected.
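For administrators checking a web root, the sweep below looks for the defacement message quoted above in files with the extensions the alert lists and reports the generation value of each hit. It is an added example, not Panda Software's code; the prefix matching of extensions, the 200-byte allowance for markup inside the message, and the sample files are assumptions constructed here.

```python
import os
import re
import tempfile

# Extensions the alert lists as overwritten. Prefix matching (so .html,
# .phtml and .shtml also count) is an assumption added for this example.
TARGET_EXT_PREFIXES = (".asp", ".htm", ".jsp", ".php", ".phtm", ".shtm")

# Marker text quoted in the alert. Allowing up to 200 bytes of markup between
# the two phrases is an assumption; the captured token is the generation value.
MARKER = re.compile(
    rb"This site is defaced!!!.{0,200}?NeveEverNoSanity WebWorm generation\s*(\w+)",
    re.DOTALL,
)

def scan_webroot(root, max_bytes=65536):
    """Return sorted (relative_path, generation) pairs for defaced files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not os.path.splitext(name)[1].lower().startswith(TARGET_EXT_PREFIXES):
                continue  # not an extension the alert says is overwritten
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip it and keep sweeping
            match = MARKER.search(head)
            if match:
                hits.append((os.path.relpath(path, root), match.group(1).decode("ascii")))
    return sorted(hits)

def demo():
    """Scan a constructed sample tree: two defaced pages, one clean, one ignored."""
    page = b"<html>This site is defaced!!!<br>NeveEverNoSanity WebWorm generation %d.</html>"
    samples = {
        "index.html": page % 7,
        os.path.join("forum", "viewtopic.php"): page % 12,
        "about.htm": b"<html>Welcome to the forum</html>",
        "notes.txt": page % 3,  # marker present, but not a targeted extension
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan_webroot(root)
```

Point `scan_webroot` at the real document root to list overwritten files that need restoring from backup; a clean result does not show that the server is patched.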

It is possible that if the worm continues to propagate itself on a large scale, Internet services will slow down and even collapse.

Given the high probability of encountering PHP/Santy.A.worm or new variants of PHP/Santy.A.worm, Panda Software recommends that extreme precautionary measures be taken and antivirus software be updated.

Panda Software customers already have available to them the updates necessary to detect and remove this new malicious code from their systems. Similarly, Panda Software customers already have available to them the updates necessary to install Panda's new TruPrevent Technologies solution alongside their antivirus protection for preventive protection against this worm and other new malicious code.

For users of other antivirus solutions on the market, Panda TruPrevent Corporate, for servers and workstations, is the solution. It is compatible with and complementary to the other products and provides a second line of defense as well as preventive protection that runs while the antivirus program is being updated, thereby reducing the risk of infection.

More information on TruPrevent Technologies may be found at http://www.pandasoftware.com/truprevent.

For free computer virus detection and removal, users can run Panda ActiveScan, the online antivirus solution available at http://www.pandasoftware.com/

More information about PHP/Santy.A.worm may be found in the Panda Software Encyclopedia at http://www.pandasoftware.com/virus_info/encyclopedia/