
Santy Worm


francois


hi'

a techy news ..

Virus Santy.

Santy.A is a worm which targets only Web sites hosting a phpBB forum. If the forum is not up to date, the worm infects the Web site by exploiting a recently revealed critical vulnerability, then replaces its home page with the message "This site is defaced!!!" in red on a black background, preventing its visitors from accessing it. Visiting Internet users are not affected by this worm, which automates the hacking of Web sites.

PREVENTION:

Webmasters who have installed a phpBB forum must update it by downloading the latest version from the publisher's site at once. Internet users are not affected by this worm, which merely risks making certain Web sites inaccessible.

DISINFECTION:

The webmasters concerned must update their forum (see Prevention), delete the files installed by the worm, and restore the pages modified or deleted by the worm.

TYPE:

Worm

SYSTEM(S) AFFECTED:

phpBB forum version 2.0.10 and earlier

ALIAS:

Santy.A (F-Secure)
Net-Worm.Perl.Santy.a (Kaspersky)
PERL/Santy.worm (McAfee)
Perl/Santy-A (Sophos)
Perl.Santy (Symantec)
WORM_SANTY.A (Trend Micro)

DISCOVERY:

21/12/2004

DETAILED DESCRIPTION:

Santy.A is a worm which targets only Web sites hosting a phpBB forum. This worm is a Perl script which uses Google to find forums and test their security by searching for the name of the page likely to be vulnerable to a recently exposed SQL injection flaw (viewtopic.php). If the tested forum is not up to date with its patches, the worm infects the Web site by exploiting a recently revealed critical vulnerability, then replaces the home page of the site as well as all .asp, .htm, .jsp, .php, .phtm and .shtm files with the message "This site is defaced!!! NeverEverNoSanity WebWorm generation [number of infected sites]." in red on a black background, preventing visitors from accessing it.

The worm copies itself onto the infected server under the name m1ho2of and can run and seek other sites to infect if the Perl interpreter is installed. Internet users visiting a site modified in this way are not affected by this worm, whose actual purpose is to automate the hacking of Internet sites. Several tens of thousands of vulnerable Web sites are reported to have been "defaced" in this way.

Following Google's blocking of the worm's queries on 22/12/04, Santy.A is no longer effective. Since the code of the worm has been published on the Internet, the appearance of variants using other search engines is nevertheless to be expected.

25/12/04: A minor variant, Santy.B (also called Perl.Santy.B), tries to install a backdoor controlled by IRC and to use the AOL and Yahoo search engines to propagate. AOL now blocks the queries of the virus, thus preventing its distribution.

25/12/04: A minor variant, Santy.C (also called Perl.Santy.C), tries to install a backdoor controlled by IRC and to use Google to propagate, unsuccessfully because its queries are now blocked.

concern administrators of sites with forum ...

but it has to be said ...

[translated with prompt5]

francois
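An added example, not part of the original post: a cleanup sweep for the DISINFECTION step that walks a web root and lists worm copies and overwritten pages, using only the indicators quoted in the advisory (the file name m1ho2of, the defacement message and the listed extensions). Matching extensions by prefix (so .html or .shtml also count) and ignoring any extension on the dropped file are assumptions, and `scan_docroot` is a hypothetical name.

```python
import os
import re
import sys

# Indicators quoted in the advisory above.
DROPPED_NAME = "m1ho2of"
EXT_PREFIXES = (".asp", ".htm", ".jsp", ".php", ".phtm", ".shtm")
DEFACED = re.compile(rb"This site is defaced!!!")
GENERATION = re.compile(rb"NeverEverNoSanity WebWorm generation\s*(\d+)")


def scan_docroot(root, max_bytes=65536):
    """Return (dropped, defaced): worm copies and overwritten pages under root."""
    dropped, defaced = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            # Assumption: the copy may carry any extension, so compare the stem.
            if stem == DROPPED_NAME:
                dropped.append(path)
                continue
            # Assumption: prefix match, so .html/.phtml/.shtml are swept too.
            if not ext.lower().startswith(EXT_PREFIXES):
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if DEFACED.search(head):
                gen = GENERATION.search(head)
                defaced.append((path, int(gen.group(1)) if gen else None))
    return sorted(dropped), sorted(defaced)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    dropped, defaced = scan_docroot(root)
    for p in dropped:
        print("worm copy:", p)
    for p, gen in defaced:
        print("defaced page:", p, "generation:", gen)
```

Files it reports are candidates for deletion or restoration from backup once the forum itself has been updated.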
