A new worm that uses the Google search engine to locate victims has been unearthed. Its existence first came to light at the beginning of the week.
The worm, known as Santy.A, takes advantage of a critical software vulnerability in the free phpBB open source software widely used to create and maintain online bulletin boards. It appears the worm may use a vulnerability in the PHP scripting language that was recently patched, according to Alexey Zernov of antivirus company Kaspersky Labs.
Individual users aren’t at risk. Instead, the worm targets servers that host online bulletin boards and defaces their sites. Santy uses Google to find web addresses that contain a special string, viewtopic.php, common to bulletin boards using the phpBB software.
PhpBB and other common software packages are written using PHP.
Once Santy infects servers running the phpBB software, it scans directories on the infected site and overwrites files with the extensions HTM, PHP, ASP, SHTM, JSP and PHTM with the text ‘This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation’.
The worm also launches a search on the Google search engine for URLs (uniform resource locators) that use a special string, viewtopic.php, which is common to bulletin boards written using the phpBB software, F-Secure spokesman Mikko Hyppönen said.
The worm’s reliance on Google could be its downfall, however. If the search engine company can block the search text used by Santy.A, it would stop the worm from spreading, Hyppönen said.
Santy.A is not believed to deposit Trojan horse programs or other malicious code on the systems it infects. However, Hyppönen believes it could act as a road map for malicious hackers who are looking for vulnerable computers to exploit.
Both F-Secure and Kaspersky Labs have posted updated antivirus definitions that can spot the Santy.A worm and advise customers to update their antivirus software as soon as possible.