Virus Profile: Perl/Santy.worm

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 12/21/2004
Date Added: 12/21/2004
Origin: Unknown
Length: 5kb
Type: Virus
Subtype: Internet Worm
DAT Required: 4416

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Upon infection, the worm overwrites files on the web server that have the following extensions:

  • .htm
  • .php
  • .asp
  • .shtm
  • .jsp
  • .phtm

Those pages are defaced as follows:

Methods of Infection

This worm spreads by exploiting a vulnerability in phpBB 2.x. Administrators are urged to upgrade to the latest version, 2.0.11, which is not vulnerable:
http://www.phpbb.com/downloads.php

The worm increments a generation counter each time it spreads. It is known to corrupt itself as it propagates, so the likelihood of successful propagation diminishes with each generation.

Aliases

Perl.Santy (Symantec), PHP/Santy.worm, Santy (F-Secure), t-Worm.Perl.Santy.a (AVP), WORM_SANTY.A (Trend)

Virus Characteristics

-- Update December 28, 2004 --
Perl/Santy.worm is being detected generically under the name Exploit-phpBB!hilight (detection included in the 4417 DAT files). This detection covers all variants known to exist at the time of this writing that exploit the targeted vulnerability.

-- Update December 21, 2004 --
This threat was updated to Low-Profiled due to media attention at the following link:
http://news.com.com/Net%2Bworm%2Busing%2BGoogle%2Bto%2Bspread/2100%2D7349_3%2D5499725.html

This virus spreads on web servers running the phpBB 2.x application.  Other systems are not affected.

The worm uses Google to find target systems to attack, by running a query for text present on web pages served by phpBB. When a potential victim site is found, the worm attacks the phpBB software by exploiting a vulnerability in its highlighting feature. For information on this vulnerability, see:
http://secunia.com/advisories/13239
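The two observable traces this profile gives a defender are the exploited phpBB highlighting feature (Methods of Infection and Virus Characteristics above) and the overwritten files with the listed extensions (Indication of Infection). The following script is an added triage example, not McAfee's detection logic and not part of this profile. It assumes Apache "combined" format access logs, that the attacked parameter is the `highlight` query parameter of phpBB's `viewtopic.php` (an assumption drawn from the advisory name, not stated on this page), and that a legitimate highlight value is a plain search term; the log lines embedded in it are constructed samples.

```python
import os
import re
from urllib.parse import urlsplit, unquote

# Extensions the profile lists as overwritten on an infected server.
DEFACED_EXTS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}

# Apache "combined" access-log line (assumed log format, not stated in the profile).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# What a normal forum search term looks like: word characters, whitespace, '+',
# and light punctuation. Anything else is worth a look.
BENIGN_TERM = re.compile(r"^[\w\s+\-*.,]*$")


def classify_highlight(raw_value):
    """Return a reason string if a highlight value looks abusive, else None.

    Heuristic (assumed, not from the profile): after one round of URL decoding
    a search term should contain no residual %XX escapes (double encoding) and
    no quote/shell/PHP metacharacters. Either condition flags the request.
    """
    decoded = unquote(raw_value)
    if re.search(r"%[0-9A-Fa-f]{2}", decoded):
        return "double-encoded highlight value"
    if not BENIGN_TERM.match(decoded):
        return "metacharacters in highlight value"
    return None


def scan_log_line(line):
    """Parse one access-log line; return a finding dict or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # phpBB 2 topic view script (assumed path name).
    if not parts.path.endswith("/viewtopic.php"):
        return None
    # Split the query by hand so percent-escapes stay raw; parse_qs would
    # decode them once and hide double encoding.
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        if key != "highlight":
            continue
        reason = classify_highlight(raw)
        if reason:
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "value": raw, "reason": reason}
    return None


def scan_log(lines):
    """Run scan_log_line over an iterable of log lines and keep the findings."""
    return [f for f in (scan_log_line(l) for l in lines) if f]


def is_defacement_candidate(path, mtime, since):
    """True if the file has a worm-targeted extension and changed after `since`."""
    return os.path.splitext(path)[1].lower() in DEFACED_EXTS and mtime >= since


def find_defacement_candidates(web_root, since):
    """Walk web_root and list files that is_defacement_candidate accepts.

    `since` is a Unix timestamp, e.g. the last known-good deployment time;
    the hits still need a manual diff against a clean copy of the site.
    """
    hits = []
    for dirpath, _, names in os.walk(web_root):
        for name in names:
            full = os.path.join(dirpath, name)
            if is_defacement_candidate(full, os.path.getmtime(full), since):
                hits.append(full)
    return sorted(hits)


# Constructed sample log lines (not real traffic): one benign search, one
# double-encoded value, one unrelated request, one value with a quote.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Dec/2004:10:00:00 +0000] "GET /phpBB2/viewtopic.php?t=42&highlight=phpbb+santy HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Dec/2004:10:01:13 +0000] "GET /phpBB2/viewtopic.php?t=42&highlight=%2528x%2529 HTTP/1.0" 200 812',
    '203.0.113.5 - - [21/Dec/2004:10:02:00 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 9000',
    '198.51.100.7 - - [21/Dec/2004:10:03:44 +0000] "GET /phpBB2/viewtopic.php?t=7&highlight=a%27b HTTP/1.0" 200 801',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it against a real access log with `scan_log(open(path))` and against the document root with `find_defacement_candidates("/var/www", since)`; the highlight heuristic is deliberately broad, so review the flagged requests rather than blocking on them, and treat any file hit as a candidate to compare with a known-good copy, since extension and modification time alone cannot prove defacement.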

Removal Instructions

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.