Defaced website

Removal instructions:

Analyzed By

Sorin Victor Dudea

Technical Description:

Exploit.Perl.Gog.A will be renamed to Worm.PhpBB.Santy.A

This is a network worm that spreads by exploiting a vulnerability in PhpBB versions prior to 2.0.11.

When the worm is executed, it sends a search request at trying to find sites that use PhpBB. It then sends two requests to each site found: one to write itself to the target machine and the other to start itself remotely.

On the infected machine:

It checks to see if the file exists. If that file exists, the worm stops.
It runs the payload function.
After that it starts the spreading routine described above.

Payload function:

It recursively overwrites all files with the following extensions:

.htm, .php, .asp, .shtm, .jsp, .phtm

with the following text:

This site is defaced!!!
NeverEverNoSanity WebWorm generation

This worm is currently under analysis. More information will be published soon.
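
A scan of a web root for files overwritten by the payload described above, as an added example that is not part of the original analysis. The extension list and marker strings come from this page; the function names, the prefix match on extensions (so `.html` or `.phtml` also count) and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Extensions and marker strings are taken from the description above.
TARGET_EXTS = (".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm")
MARKERS = (b"This site is defaced!!!", b"NeverEverNoSanity WebWorm generation")
HEAD_BYTES = 4096  # assumption: the defacement text sits at the start of the file

def is_target(name):
    # Assumption: also cover longer variants such as .html, .shtml, .phtml.
    ext = os.path.splitext(name)[1].lower()
    return ext.startswith(TARGET_EXTS)

def scan_webroot(root):
    """Return sorted relative paths of files that carry a defacement marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_target(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
            if any(m in head for m in MARKERS):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample web root: two overwritten files, two untouched ones."""
    deface = b"This site is defaced!!!\nNeverEverNoSanity WebWorm generation\n"
    samples = {
        "index.html": deface,
        os.path.join("forum", "viewtopic.php"): deface,
        os.path.join("forum", "config.php"): b"<?php $dbhost = 'localhost'; ?>",
        "notes.txt": deface,  # not a targeted extension, so it is ignored
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_webroot(tmp))
```

Files reported by the scan have lost their original content and need to be restored from a backup taken before the infection.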