New Network Worm Attacks: PHP/Santy.A.worm

In recent hours, PHP/Santy.A.worm, a new network worm written in Perl, has appeared on the Internet and begun to distribute itself rapidly. This malicious code uses Google to execute mass searches of servers that are running the popular application for forums, news groups, blogs, etc., phpBB in versions earlier than 2.0.11 and without the patch that protects against the viewtopic.php vulnerability that was discovered this past November 15. The patch to correct the vulnerability may be downloaded from

Once the worm locates a targeted server, it takes advantage of the phpBB Remote URLDecode Input Validation Vulnerability to obtain remote access to the web server. When access is obtained, it goes through the various directories, overwriting files that have an .asp, .htm, .jsp, php, .phtm or .shtm extension and installing in place of each a page that displays the following message: “This site is defaced!!! NeveEverNoSanity WebWorm generation X.”

In the message, “x” varies according to the infections that the new virus is able to accomplish.

This Internet worm affects only servers and distributes itself only among them. Therefore, residential users are unaffected. Nor will residential users be affected if they visit pages that have been infected by the worm. Given that the vulnerability operates at the application level, web servers with either Windows or Linux operating systems may be affected.

It is possible that if the worm continues to propagate itself on a large scale, Internet services will slow down and even collapse.

Given the high probability of encountering PHP/Santy.A.worm or new variants on PHP/Santy.A.worm, Panda Software recommends that extreme precautionary measures be taken and antivirus software be updated. Panda Software customers already have available to them the updates necessary to detect and remove this new malicious code from their systems.

Don't miss