New worm, Santy.A, using Google to spread
It infects Web servers running a software package called phpBB
News Story by Paul Roberts
DECEMBER 21, 2004 (IDG NEWS SERVICE) - Antivirus companies are warning Internet users about a new, fast-spreading worm that infects Web servers running a popular package of online bulletin board software and uses the Google search engine to find vulnerable servers to infect.
The worm, dubbed Santy.A, uses a vulnerability in a popular free software package called phpBB to spread across the Internet, infecting computer servers that host online bulletin boards and defacing those sites with the words "This site is defaced!!! NeverEverNoSanity WebWorm."
A Google Inc. spokesman said in an e-mail that the company is looking into reports about Santy.A.
The worm doesn't affect individual computer users but infects Web servers that are hosting online bulletin boards.
Santy.A was first spotted early this morning in the U.S., according to Mikko Hypponen, manager of antivirus research at F-Secure Corp. in Helsinki, Finland.
The worm takes advantage of a critical software vulnerability in the phpBB open-source software, which is widely used to create and maintain online bulletin boards. Although antivirus companies are still analyzing the worm, it appears to use a vulnerability in the PHP scripting language that was recently patched, according to Alexey Zernov, a spokesman for antivirus company Kaspersky Labs Ltd. in Moscow. PhpBB and other common software packages are written using PHP.
Once Santy infects servers running the phpBB software, it scans directories on the infected site and overwrites files with the extensions .htm, .php, .asp, .shtm, .jsp and .phtm with the text "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation," according to an alert from Kaspersky Labs.
The worm also launches a search on the Google search engine for URLs that use a special string, viewtopic.php, which is common to bulletin boards written using the phpBB software, Hypponen said.
The worm's reliance on Google could be its downfall, however. If the search engine company can block the search text used by Santy.A, it would stop the worm from spreading, he said.
Hypponen said he was trying to contact Google to get the company's help in blocking Santy.A requests.
Antivirus experts don't believe Santy.A deposits Trojan horse programs or other malicious code on the systems it infects. Also, Santy doesn't affect individual computer users, unless they are hosting a bulletin board from their computer that uses the phpBB software, antivirus experts said.
However, Santy.A could act as a road map for malicious hackers who are looking for vulnerable computers to exploit, Hypponen said.
Both F-Secure and Kaspersky Labs posted updated antivirus definitions that can spot the Santy.A worm and advised customers to update their antivirus software as soon as possible.