We reported earlier today on the outbreak of the Santy worm that infects web servers running popular bulletin board phpBB.
Sophos have published a detailed analysis of Perl/Santy-A which is spreading rapidly today, according to Internet watchers Netcraft.
Perl/Santy-A is a worm that exploits a vulnerability in the phpBB bulletin board software (for which an update has already been issued). The worm spreads to vulnerable bulletin boards on both Windows and Unix based platforms by conducting a Google search. Once the worm has spread to 3 or more servers it will attempt to overwrite all HTM*, PHP*, ASP*, SHTM*, JSP* and PHTM* files with a web page containing the following message:
This site is defaced!!!
NeverEverNoSanity WebWorm generation #
where # is the number of infection cycles the worm has been through to infect the compromised server.
Webmasters and server operators who run the phpBB software have been advised to upgrade to the most recent version of the software as soon as possible to ensure their security.