Exploit.Perl.Gog.A

MEDIUM
HIGH
1
(Worm.PhpBB.Santy.A)

Symptoms

Defaced website

Removal instructions:

Analyzed By

Sorin Victor Dudea

Technical Description:

Exploit.Perl.Gog.A will be renamed to Worm.PhpBB.Santy.A

This is a network worm that spreads by using a vulnerability in PhpBB versions prior to 2.0.11.

When the worm is executed, it sends a search request to www.google.com to find sites that use PhpBB. It then sends two requests to each site it finds: one to write itself to the target machine and the other to start itself remotely.

On the infected machine:

It checks whether the file stop.it exists. If that file exists, the worm stops.
It runs the payload function.
After that it starts the spreading routine described above.

Payload function:

It recursively replaces all files that have the following extensions:

.htm, .php, .asp, .shtm, .jsp, .phtm

with the following text:

This site is defaced!!!
NeverEverNoSanity WebWorm generation
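
For incident triage, the payload description above can be turned into a webroot scan that lists which files were overwritten and which in-scope files are still intact. This is an added example, not code from the original analysis; the function names, the 4096-byte read limit and the choice to also match longer extensions such as .html are assumptions, and the sample tree is constructed.

```python
import os
import tempfile

# Extensions and marker lines exactly as listed in the description.
TARGET_EXTS = (".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm")
MARKERS = (b"This site is defaced!!!", b"NeverEverNoSanity WebWorm generation")
HEAD_BYTES = 4096  # assumption: the replacement text is short

def in_scope(name):
    """Listed extension, or a longer one starting with it (.html): an assumption."""
    ext = os.path.splitext(name)[1].lower()
    return any(ext.startswith(t) for t in TARGET_EXTS)

def is_defaced(path):
    """True if the start of the file contains every marker line."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(HEAD_BYTES)
    except OSError:
        return False  # unreadable files are skipped, not reported
    return all(m in head for m in MARKERS)

def scan(webroot):
    """Return (defaced, intact) lists of in-scope paths relative to webroot."""
    defaced, intact = [], []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if in_scope(name):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, webroot)
                (defaced if is_defaced(full) else intact).append(rel)
    return sorted(defaced), sorted(intact)

def demo():
    """Scan a constructed sample tree (not real data)."""
    text = b"This site is defaced!!!\nNeverEverNoSanity WebWorm generation\n"
    samples = {"index.html": text, "forum/viewtopic.php": text,
               "about.htm": b"<html>ok</html>", "notes.txt": text}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "forum"))
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

The defaced list is the set of files to restore from a known-good backup; the intact list shows how far the payload got before it stopped.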

This worm is currently under analysis. More information will be published soon.