Anti-Santy worm on the prowl

An anti-Santy worm that uses search engines to spread among online bulletin boards has been spotted, a security company has reported.

F-Secure said on Friday that it was aware of seven sites that had been defaced by the worm, which appears designed to combat the Santy worm. The anti-Santy worm searches Google for sites that use the PHP Bulletin Board (phpBB) software exploited by the earlier worm, infects the sites and attempts to make the sites more secure by installing a patch.

Mikko Hypp?nen, director of antivirus research at F-Secure, said that although the worm may seem beneficial, in fact it is likely to cause problems for administrators who will have to handle the increase in traffic.

"I can't comment how effective it is in fixing the sites," said Hypp?nen. "If a site is infected, the worm causes a huge amount of traffic and slows down the site. I don't think it's possible to write a beneficial worm."

Sites that have been attacked by the anti-Santy worm are defaced with the words: "viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11."

Hypp?nen said he has seen two versions of the defacement page, which lead to two different IP addresses. Both IP addresses resolve to Argentina, which suggest that that is where the anti-Santy worm originated.

The Santy worm wreaked havoc in the weeks before Christmas, spreading to more than 40,000 Web sites by Dec. 21. On Dec. 22, Google started blocking queries that were generated by the worm, to stop the worm from replicating. But a few days later it was discovered that it was using America Online and Yahoo's search engines and was still targeting Google.