New worm, Santy, using Google to spread

Antivirus companies are warning internet users about a fast-spreading new worm that infects web servers running a popular package...

Antivirus companies are warning internet users about a fast-spreading new worm that infects web servers running a popular package of online bulletin board software, and uses the Google search engine to find vulnerable servers to infect.

The worm, dubbed Santy.A, uses a vulnerability in a popular free software package called phpBB to spread across the internet, infecting computer servers that host online bulletin boards and defacing those sites with the words "This site is defaced!!! NeverEverNoSanity WebWorm."

A Google spokesman said the company was looking into reports about Santy.A.

The worm does not affect individual computer users, but infects web servers that are hosting online bulletin boards.

Santy.A was first spotted early on Tuesday morning (21 December) in the US, said Mikko Hyppönen, manager of antivirus research at F-Secure in Finland.

The worm takes advantage of a critical software vulnerability in the phpBB open source software, which is widely used to create and maintain online bulletin boards (

While antivirus companies were still analysing the worm, it appears that the worm may use a vulnerability in the PHP scripting language that was recently patched, said antivirus company Kaspersky Labs.

PhpBB, as well as other common software packages are written using PHP.

Once Santy infects servers running the phpBB software, it scans directories on the infected site and overwrites files with the extensions HTM, PHP, ASP, SHTM, JSP and PHTM with the text "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation," said an alert from Kaspersky Labs.

The worm also launches a search on the Google search engine for uniform resource locators (URLs) that use a special string, viewtopic.php, which is common to bulletin boards written using the phpBB software, Hyppönen said.

The worm's reliance on Google could be its downfall, however. If the search engine company can block the search text used by Santy.A, it would stop the worm from spreading, he said.

Antivirus experts do not believe Santy.A deposits Trojan horse programs or other malicious code on the systems it infects. Also, Santy does not affect individual computer users, unless they are hosting a bulletin board from their computer that uses the phpBB software, antivirus experts said.

However, Santy.A could act as a road map for malicious hackers who are looking for vulnerable computers to exploit, Hyppönen said.

Both F-Secure and Kaspersky Labs posted updated antivirus definitions that can spot the Santy.A worm and advised customers to update their antivirus software as soon as possible.

Paul Roberts writes for IDG News Service

Read more on IT risk management