F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : Santy

[Summary] | [Detailed Description] | [Detection]

THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER
F-SECURE RADAR.
Radar Alert LEVEL 2

NAME:Santy
ALIAS:Net-Worm.Perl.Santy.a

Summary

Santy is a worm was found at December 21st, 2004. It uses a vulnerability in popular phpBB discussion forum software to spread and it uses Google search engine to find vulnerable servers. It does not infect end user computers.

Google has started filtering requests made by the worm at December 22nd, 2004, in order to stop the worm.

Detailed Description

The worm is written in Perl scripting language. When executed, the worm uses the Google search engine to look for hosts that have phpBB software in use. It does this by searching URLs that contain string "viewtopic.php". In order to get different results with different searches, the worm uses a random string in the search as well.

After the search has been performed, the worm parses the resulting page and attempts to exploit a vulnerability in phpBB software. This vulnerability, known as Highlight Vulnerability, can be used to execute arbitary code on the server running vulnerable version of phpBB. Further information about the vulnarbility is available from phpBB web site at:

http://www.phpbb.com/phpBB/viewtopic.php?t=240513

If the worm is able to exploit the vulnerablity, it will attempt to transfer itself to the victim host in 20-byte chunks. If any of the chunks is lost during the transfer, it will cause the worm to get corrupted, which can render the worm disfunctional on the victim.

The worm is written to a file "m1ho2of" on the victim. After the transfer is complete, the worm will use the exploit once again to execute the code using the system default Perl interpreter.

Santy contains also a generation counter that is increased every time the worm is executed, i.e. once per infected host. If the number of generations is higher than three (3), it will execute its payload. The payload attempts to replace all files with the following extensions ".htm", ".php", ".asp", ".shtm", ".jsp" and ".phtm". The result is the these files are replaced with a HTML page that contains the following text: 

 This site is defaced!!!
 NeverEverNoSanity WebWorm generation X

...where X keeps growing from one infection to another.

The effect is that all replaced pages on the infected sites look like this:


Back to the Top


Detection

Detection for this malware was published on December 21st, 2004 in the following F-Secure Anti-Virus updates:

[FSAV_Database_Version]

Version=2004-12-21_03


Back to the Top


Write-up: Mikko Hypponen, December 21st, 2004;

Technical Details: Katrin Tocheva, Tzvetan Chaliavski, Sami Rautiainen, Ero Carrera, December 21st-22nd, 2004;

F-Secure Corporation