Sorin Victor Dudea
Exploit.Perl.Gog.A will be renamed to Worm.PhpBB.Santy.A
This is a network worm that spreads using vulnerability in PhpBB with version prior to 2.0.11.
When the worm is executed it sends a search request at www.google.com trying to find sites that uses PhpBB. It then sends two requests to the found sites, one for writing itself to the target machine and the other one for starting itself remote.
On the infected machine:
It checks to see if the file stop.it exists. If that file exists worm stops.
It runs the payload function.
After that it starts the spreading routine described above.
It replaces recursively all the files with the following extensions:
.htm, .php, .asp, .shtm, .jsp, .phtm
with the following text:
This site is defaced!!!
NeverEverNoSanity WebWorm generation
This worm is currently under analysis. More information will be published soon.