Santy worm

Networm worm "Santy" is spreading. This worm infects only web servers. It infects online discussion forums running phpBB software and defaces them with a text mentioning "NeverEverNoSanity".

http://www.europe.f-secure.com/v-descs/santy_a.shtml

 

Panda Virus Alerts: PHP/Santy.A.worm

- PHP/Santy.A.worm: New Network Worm Attacks
Vulnerable phpBB Servers and Erases All Content -
Virus Alerts, by Panda Software (http://www.pandasoftware.com) ​

Madrid, December 21, 2004 - In recent hours, PHP/Santy.A.worm, a new network worm written in Perl, has appeared on the Internet and begun to distribute itself rapidly. This malicious code uses Google to execute mass searches of servers that are running the popular application for forums, news groups, blogs, etc., phpBB in versions earlier than 2.0.11 and without the patch that protects against the viewtopic.php vulnerability that was discovered this past November 15. The patch to correct the vulnerability may be downloaded from http://www.phpbb.com/phpBB/viewtopic.php?t=240513.

Once the worm locates a targeted server, it takes advantage of the phpBB Remote URLDecode Input Validation Vulnerability to obtain remote access to the web server. When access is obtained, it goes through the various directories, overwriting files that have an .asp, .htm, .jsp, php, .phtm or .shtm extension and installing in place of each a page that displays the following message: "This site is defaced!!! NeveEverNoSanity WebWorm generation X."

In the message, "x" varies according to the infections that the new virus is able to accomplish.

This Internet worm affects only servers and distributes itself only among them. Therefore, residential users are unaffected. Nor will residential users be affected if they visit pages that have been infected by the worm. Given that the vulnerability operates at the application level, web servers with either Windows or Linux operating systems may be affected.

It is possible that if the worm continues to propagate itself on a large scale, Internet services will slow down and even collapse.

Given the high probability of encountering PHP/Santy.A.worm or new variants on PHP/Santy.A.worm, Panda Software recommends that extreme precautionary measures be taken and antivirus software be updated. Panda Software customers already have available to them the updates necessary to detect and remove this new malicious code from their systems.

Similarly, Panda Software customers already have available to them the updates necessary to install Panda's new TruPrevent Technologies solution alongside their antivirus protection for preventive protection against this worm and other new malicious code. For users of other antivirus solutions on the market, Panda TruPrevent Corporate, for servers and workstations, is the solution. It is compatible with and complementary to the other products and provides a second line of defense as well as preventive protection that runs while the antivirus program is being updated, thereby reducing the risk of infection. More information on TruPrevent Technologies may be found at http://www.pandasoftware.com/truprevent.

For free computer virus detection and removal, users can run Panda ActiveScan, the online antivirus solution available at http://www.pandasoftware.com/

More information about PHP/Santy.A.worm worms may be found in the Panda Software Encyclopedia at http://www.pandasoftware.com/virus_info/encyclopedia/

 

Two observations:
- patchmanagement is required for all systems
- the extremely critical alert notification was correct