Perl/Spyski.worm
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 12/27/2004
- Length: Varies
- Minimum DAT: 4417 (12/29/2004)
- Updated DAT: 4686 (01/31/2006)
- Minimum Engine: 5.1.00
- Description Added: 12/28/2004
- Description Modified: 12/29/2004 2:16 AM (PT)
Characteristics
The Perl/Spyski.worm detection covers a worm based on the idea behind the Perl/Santy.worm virus, although Spyski does not exploit the same vulnerability. Working on the same principle, Perl/Spyski.worm attempts to locate vulnerable PHP servers by using search engines such as Google and Yahoo. The worm looks for PHP pages where the coder has made a common PhpInclude mistake.
Once a server is compromised, it may download and run IRC bot scripts that allow a remote attacker to control the compromised system centrally.
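One way to look for this kind of probing in a web server's access log, as an added example that is not part of the original description. It assumes the PhpInclude mistake means a script that passes a request parameter to an include, so attempts appear as .php requests whose parameter value is a remote URL; the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request portion of a common/combined-format access log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A parameter value that is itself a remote URL.
REMOTE_SCHEME_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_remote_include_attempts(log_lines):
    """Return (client_ip, path, parameter, status) for every request to a
    .php script that carries a remote URL as a query parameter value."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        target = urlsplit(m.group("target"))
        if not target.path.lower().endswith(".php"):
            continue
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if REMOTE_SCHEME_RE.match(fully_decode(value)):
                hits.append((m.group("ip"), target.path, name,
                             int(m.group("status"))))
    return hits

# Constructed sample lines (documentation addresses, .invalid hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Dec/2004:10:00:01 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Dec/2004:10:00:05 +0000] "GET /index.php?page=http://host.invalid/a.txt HTTP/1.0" 200 312',
    '198.51.100.7 - - [28/Dec/2004:10:00:09 +0000] "GET /view.php?id=4&inc=http%253A%252F%252Fhost.invalid%252Fb HTTP/1.0" 404 210',
    '192.0.2.44 - - [28/Dec/2004:10:00:12 +0000] "GET /static/logo.png?ref=http://site.invalid/ HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in find_remote_include_attempts(SAMPLE_LOG):
        print(hit)
```

A hit that returned status 200 is worth correlating with the symptom listed below, outbound connections from the same server to TCP port 6667.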
Symptoms
PHP server connecting to IRC servers (TCP port 6667 outbound)
Method of Infection
This worm spreads to vulnerable PHP web servers.
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.