Perl/Santy.worm

Type
Virus
SubType
Internet Worm
Discovery Date
12/21/2004
Length
5kb
Minimum DAT
4416 (12/22/2004)
Updated DAT
4417 (12/29/2004)
Minimum Engine
5.1.00
Description Added
12/21/2004
Description Modified
12/28/2004 9:48 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update December 28, 2004 --
Perl/Santy.worm is being detected generically under the name Exploit-phpBB!hilight (detection included in the 4417 DAT files).  This detection covers all variants that are known to exist (at the time of this writing) and exploit the targeted vulnerability.

-- Update December 21, 2004 --
This threat was updated to Low-Profiled due to media attention at the following link:
http://news.com.com/Net%2Bworm%2Busing%2BGoogle%2Bto%2Bspread/2100%2D7349_3%2D5499725.html

This virus spreads on web servers running the phpBB 2.x application.  Other systems are not affected.

The worm uses Google to find target systems by running a query for text that appears on pages served by phpBB.  When a potential victim site is found, the worm attacks the phpBB software by exploiting a highlighting vulnerability.  For information on this vulnerability, see:
http://secunia.com/advisories/13239

Symptoms

Upon infection, the worm overwrites files on the web server containing the following extensions:

  • .htm
  • .php
  • .asp
  • .shtm
  • .jsp
  • .phtm

Those pages are defaced as follows:

Method of Infection

This worm spreads by exploiting a vulnerability in phpBB 2.x.  Administrators are urged to upgrade to the latest version, 2.0.11, which is not vulnerable:
http://www.phpbb.com/downloads.php

The worm increments a generation value as it spreads.  It is known to corrupt itself as it propagates such that the likelihood of successful propagation diminishes with each generation.
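The defacement described under Symptoms overwrites existing pages in place, so a hash baseline of the listed file types is a practical way to spot it. The following is an added example for defenders, not code from the original description or from McAfee: it builds a SHA-256 baseline of files with the six listed extensions, re-scans the web root, and reports modified, missing and added files; the web root, file contents and the placeholder defacement string are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# File extensions the description lists as overwritten on infection.
DEFACED_EXTENSIONS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large pages do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root: Path) -> dict:
    """Map relative path -> SHA-256 for every tracked file under web_root."""
    return {
        p.relative_to(web_root).as_posix(): sha256_file(p)
        for p in sorted(web_root.rglob("*"))
        if p.is_file() and p.suffix.lower() in DEFACED_EXTENSIONS
    }


def diff_against_baseline(web_root: Path, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline and report drift."""
    current = build_baseline(web_root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then overwrite its pages."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "forum").mkdir()
        (root / "forum" / "index.php").write_text("<?php echo 'forum'; ?>")
        (root / "about.htm").write_text("<h1>About</h1>")
        (root / "style.css").write_text("body{}")  # untracked extension, must be ignored
        baseline = build_baseline(root)
        # Simulated defacement: every tracked page replaced by one placeholder string.
        for p in list(root.rglob("*")):
            if p.is_file() and p.suffix.lower() in DEFACED_EXTENSIONS:
                p.write_text("DEFACED (constructed placeholder, not the worm's text)")
        return diff_against_baseline(root, baseline)
```

In production the baseline dictionary would be stored off-host (for example as JSON) and the comparison run on a schedule, since an attacker who overwrites pages can also overwrite a baseline kept in the web root.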

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Perl.Santy (Symantec)
  • PHP/Santy.worm
  • Santy (F-Secure)
  • t-Worm.Perl.Santy.a (AVP)
  • WORM_SANTY.A (Trend)
