NEWS FROM THE LAB - Friday, December 31, 2004

Anti-Santy-Worm going around?
Posted by Mikko @ 09:34 GMT

There seems to be a new phpBB worm going around.

We don't have all the details yet, but this one seems to use search engines to find vulnerable discussion forum sites and infect them via the phpBB highlight vulnerability. The worm then tries to patch the system so that Santy variants can no longer infect it.

Finally, the worm drops a file called secure.php, which contains this text, and continues spreading further.

[Image: Anti-Santy-Worm defacement]

This is not a beneficial worm. We have no idea how safe the patch the worm applies really is. We also have reports from phpBB administrators whose sites are already perfectly safe but are under a denial-of-service attack caused by the multiple requests this worm creates.
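For administrators who want to see whether their forum is receiving this traffic, here is an added example (not part of the original post) that scans a web access log for unusual highlight values and for requests to secure.php. It assumes Apache combined-format logs, that the highlight parameter arrives on phpBB's viewtopic.php, and that legitimate search terms contain only word characters, spaces, '-' and '*'; the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (Apache combined format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Dec/2004:09:01:12 +0000] "GET /forum/viewtopic.php?t=42&highlight=open+source HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [31/Dec/2004:09:01:13 +0000] "GET /forum/viewtopic.php?t=7&highlight=%253Cconstructed%253E HTTP/1.0" 200 310 "-" "-"',
    '198.51.100.7 - - [31/Dec/2004:09:01:13 +0000] "GET /forum/viewtopic.php?t=8&highlight=%253Cconstructed%253E HTTP/1.0" 200 310 "-" "-"',
    '203.0.113.5 - - [31/Dec/2004:09:02:40 +0000] "GET /forum/secure.php HTTP/1.0" 404 208 "-" "-"',
    'not a log line',
]

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')
# Assumption: legitimate highlight terms are words, spaces, '-' and '*'.
PLAIN_TERM = re.compile(r'^[\w \-*]*$')

def fully_decode(value, max_rounds=5):
    """Undo repeated URL-encoding so layered escapes cannot hide characters."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (odd highlight requests per client, requests for secure.php)."""
    odd_highlight, secure_hits = Counter(), []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        client, target = m.groups()
        url = urlsplit(target)
        script = url.path.rsplit('/', 1)[-1].lower()
        if script == 'secure.php':
            secure_hits.append((client, url.path))
        elif script == 'viewtopic.php':
            # parse_qs decodes once; fully_decode strips any further layers.
            for term in parse_qs(url.query, keep_blank_values=True).get('highlight', []):
                if not PLAIN_TERM.match(fully_decode(term)):
                    odd_highlight[client] += 1
    return odd_highlight, secure_hits

if __name__ == '__main__':
    print(scan(SAMPLE_LOG))
```

A high count of odd highlight requests spread across many clients matches the request flood described above, even on a forum that is already patched.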