Antivirus companies are warning Internet users about a fast-spreading new worm that infects Web servers running a popular package of online bulletin board software, and uses the Google search engine to find vulnerable servers to infect.
The worm, dubbed Santy.A, uses a vulnerability in a popular free software package called phpBB to spread across the Internet, infecting computer servers that host online bulletin boards and defacing those sites with the words "This site is defaced!!! NeverEverNoSanity WebWorm."
A Google spokesman said in an e-mail the company was looking into reports about Santy.A.
The worm does not affect individual computer users, but infects Web servers that are hosting online bulletin boards.
Santy.A was first spotted early Tuesday morning, Eastern Standard Time in the United States, according to Mikko Hypponen, manager of antivirus research at F-Secure in Helsinki.
The worm takes advantage of a critical software vulnerability in the phpBB open source software, which is widely used to create and maintain online bulletin boards. While antivirus companies were still analyzing the worm, it appears that the worm may use a vulnerability in the PHP scripting language that was recently patched, according to Alexey Zernov, a spokesman for antivirus company Kaspersky Labs in Moscow.
PhpBB, as well as other common software packages are written using PHP.
Once Santy infects servers running the phpBB software, it scans directories on the infected site and overwrites files with the extensions HTM, PHP, ASP, SHTM, JSP, and PHTM with the text "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation," according to an alert from Kaspersky Labs.
The worm also launches a search on the Google search engine for URLs that use a special string, viewtopic.php, which is common to bulletin boards written using the phpBB software, Hypponen said.
Block That Worm
The worm's reliance on Google could be its downfall, however. If the search engine company can block the search text used by Santy.A, it would stop the worm from spreading, he said.
Hypponen was trying to contact Google Tuesday to get the company's help in blocking Santy.A requests, he said.
Antivirus experts do not believe Santy.A deposits Trojan horse programs or other malicious code on the systems it infects. Also, Santy does not affect individual computer users, unless they are hosting a bulletin board from their computer that uses the phpBB software, antivirus experts said.
However, Santy.A could act as a road map for malicious hackers who are looking for vulnerable computers to exploit, Hypponen said.
Both F-Secure and Kaspersky Labs posted updated antivirus definitions Tuesday that can spot the Santy.A worm and advised customers to update their antivirus software as soon as possible.