To remove the virus, follow these steps:
- kill perl processes that execute the "ssh.*.worm" or "botb" perl scripts.
- delete the "ssh.*.worm" and "botb" scripts in the /tmp directory.
- upgrade to a non-vulnerable PHPBB version.
Bitdefender Virus Researcher.
The virus is a Perl script, supposedly developed from the Worm.PhpBB.Santy.A source code.
It uses a vulnerability in the PHPBB forum code to propagate itself. The list of sites is obtained from Google search and Yahoo Cade search (version A) or Yahoo Cade and AOL Search (version B).
After finding a suitable target, the virus attempts the exploit against the PHPBB code; if that code is vulnerable, the exploit performs several commands:
- kills all perl and wget processes.
- downloads the worm and a perl scripted backdoor (Backdoor.Perl.Shellcode.B) to the /tmp directory
- starts the worm and the backdoor
- deletes all ssh.* and bot* files in the tmp directory
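A triage check for the two indicators named in the removal steps (perl processes running "ssh.*.worm" or "botb", and those scripts in /tmp), as an added example that is not part of the original Bitdefender write-up. The function names and the `--report` switch are assumptions of this example; it only reports and does not kill or delete anything.

```shell
#!/bin/sh
# Added example: report the indicators described on this page.
# Review the output before killing processes or deleting files.

# List regular files directly inside a directory whose names match the
# worm ("ssh.*.worm") or backdoor ("botb") scripts.
# $1 = directory to scan (defaults to /tmp)
find_worm_files() {
    dir="${1:-/tmp}"
    find "$dir" -maxdepth 1 -type f \
        \( -name 'ssh.*.worm' -o -name 'botb' \) 2>/dev/null | sort
}

# Read "PID COMMAND ARGS..." lines on stdin (the format produced by
# `ps -eo pid=,args=`) and print the PID of every perl process that has
# one of the script names as an argument.
match_worm_pids() {
    awk '
        $2 ~ /(^|\/)perl[0-9.]*$/ {
            for (i = 3; i <= NF; i++)
                if ($i ~ /(^|\/)(ssh\..*\.worm|botb)$/) { print $1; break }
        }'
}

# Print both findings for one directory.
report() {
    echo "== matching scripts in ${1:-/tmp}"
    find_worm_files "${1:-/tmp}"
    echo "== PIDs of perl processes running those scripts"
    ps -eo pid=,args= | match_worm_pids
}

# Run the report only when asked, so the file can also be sourced.
if [ "${1:-}" = "--report" ]; then
    report /tmp
fi
```

Because the exploit restarts the worm and backdoor on a still-vulnerable forum, a clean report is only meaningful after the PHPBB upgrade has been applied.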