Net-Worm.Perl.Santy.a, which targets the phpBB online bulletin board software, apparently searches Google for “viewfiles.php” which reveals vulnerable versions of phpBB, then launches an attack on the site.
“Santy.a is something of a novelty,” Kaspersky said. “It creates a specially formulated Google search request which results in a list of sites running vulnerable versions of phpBB.”
Once the virus has located its targets and successfully infected a site, it searches for and overwrites files with .asp, .htm, .jsp, .php, .phtm, and .shtm extensions. In their place, the worm places files which contain the text, “This site is defaced!!! NeverEverNoSanity WebWorm generation.”
Original reports suggested that the worm was exploiting one of the major PHP vulnerabilities announced last week by the open-source group that distributes the programming language, but the Internet Storm Center recently stated that the exploit lies in the “highlight” feature in versions of phpBB earlier than 2.0.11.
The “highlight” exploit centers around an SQL injection bug that allows attackers to arbitrarily execute code.
A search using Microsoft’s search engine for text strings contained in infected files turned up approximately 40,000 sites at 11 a.m. on Tuesday. The same search conducted at 12:30 p.m. revealed 133,780 hits.
“Santy.a is spreading rapidly and has caused an epidemic,” Kaspersky stated. “However, this does not directly affect users. Although the worm infects websites, it does not infect computers used to view those sites.”