NEWS FROM THE LAB - Sunday, January 2, 2005

Anti-Santy-Worm dying out
Posted by Mikko @ 07:40 GMT

We haven't been getting more reports of the Anti-Santy-Worm (aka Net-Worm.Perl.Asan.a), so the outbreak seems to have died out.

There's a lot of PHP activity going around. Once again a Brazilian bot herder group has been active, this time with another Spyki variant (Net-Worm.Spyki.d). This one scans for almost 50 different known PHP weaknesses, vulnerabilities or common coding mistakes in order to find web sites to infect.

Infected machines have an IRC bot installed on them, and will try to connect to channel #perl on a server named "redex.a.la". However, since this morning that address has resolved to So at least this botnet is effectively down for now.

This variant is hosting its files at www.5wk.com, which seems to be an abandoned website now taken over by this group.