New Anti-Santy worm
p2pnet.net Virus News:- There’s a new, allegedly friendly, Anti-Santy worm on the loose which purports to patch phpBB-powered bulletin board systems.
But remember Sasser?
It was meant to help rather than harm. In the end, however, it fouled up Delta Airlines in the US, the British Coast Guard and the European Commission in Brussels, among thousands of systems around the world.
Santy achieved notoriety by finding phpBB-powered bulletin board sites via Google, and then erasing their pages and replacing them with:
This site is defaced!!!
NeverEverNoSanity WebWorm generation X
“We don’t have all the details yet, but this one seems to be using search engines to find vulnerable discussion forum sites and infects them via the phpBB highlight vulnerability,” writes F-Secure research manager Mikko Hypponen on the company’s blog.
“Then the worm tries to patch the system so Santy variants won’t be able to infect it any more. Finally, the worm drops a file called secure.php which contains this text and continues spreading further.”
But, warns Hypponen, “This is not a beneficial worm. We have no idea how safe the patch the worm applies really is.
“We also have reports from phpBB administrators whose site is perfectly safe already to be under a denial-of-service attack caused by multiple requests created by this worm.”
===========================
See:-
fouled up – Sasser author a ‘scriptkiddy’, p2pnet, May 14, 2004
achieved notoriety – New Santy worms show up, p2pnet, December 28, 2004
not a beneficial worm – Anti-Santy-Worm going around?, F-Secure, December 31, 2004





