Santy worm

Discussion in 'malware problems & news' started by se7engreen, Dec 21, 2004.

Thread Status:
Not open for further replies.
  1. se7engreen

    se7engreen Registered Member

    Feb 6, 2004
  2. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    Panda Virus Alerts: PHP/Santy.A.worm

    - PHP/Santy.A.worm: New Network Worm Attacks
    Vulnerable phpBB Servers and Erases All Content -
    Virus Alerts, by Panda Software ( ​

    Madrid, December 21, 2004 - In recent hours, PHP/Santy.A.worm, a new network worm written in Perl, has appeared on the Internet and begun to distribute itself rapidly. This malicious code uses Google to execute mass searches of servers that are running the popular application for forums, news groups, blogs, etc., phpBB in versions earlier than 2.0.11 and without the patch that protects against the viewtopic.php vulnerability that was discovered this past November 15. The patch to correct the vulnerability may be downloaded from

    Once the worm locates a targeted server, it takes advantage of the phpBB Remote URLDecode Input Validation Vulnerability to obtain remote access to the web server. When access is obtained, it goes through the various directories, overwriting files that have an .asp, .htm, .jsp, php, .phtm or .shtm extension and installing in place of each a page that displays the following message: "This site is defaced!!! NeveEverNoSanity WebWorm generation X."

    In the message, "x" varies according to the infections that the new virus is able to accomplish.

    This Internet worm affects only servers and distributes itself only among them. Therefore, residential users are unaffected. Nor will residential users be affected if they visit pages that have been infected by the worm. Given that the vulnerability operates at the application level, web servers with either Windows or Linux operating systems may be affected.

    It is possible that if the worm continues to propagate itself on a large scale, Internet services will slow down and even collapse.

    Given the high probability of encountering PHP/Santy.A.worm or new variants on PHP/Santy.A.worm, Panda Software recommends that extreme precautionary measures be taken and antivirus software be updated. Panda Software customers already have available to them the updates necessary to detect and remove this new malicious code from their systems.

    Similarly, Panda Software customers already have available to them the updates necessary to install Panda's new TruPrevent Technologies solution alongside their antivirus protection for preventive protection against this worm and other new malicious code. For users of other antivirus solutions on the market, Panda TruPrevent Corporate, for servers and workstations, is the solution. It is compatible with and complementary to the other products and provides a second line of defense as well as preventive protection that runs while the antivirus program is being updated, thereby reducing the risk of infection. More information on TruPrevent Technologies may be found at

    For free computer virus detection and removal, users can run Panda ActiveScan, the online antivirus solution available at

    More information about PHP/Santy.A.worm worms may be found in the Panda Software Encyclopedia at
  3. meneer

    meneer Registered Member

    Nov 27, 2002
    The Netherlands
    Two observations:
    - patchmanagement is required for all systems
    - the extremely critical alert notification was correct
Thread Status:
Not open for further replies.