Spyki.A and Santy.B are two worms that spread via the Internet, exploiting the Remote URLDecode Input Validation vulnerability, which affects servers with a version of phpBB prior to 2.0.11 installed.
Once the server is infected, Spyki.A takes the following actions in order to allow remote access to it:
- Installs several programs that can be controlled via IRC to take malicious action.
- Opens TCP port 6667 and connects to an IRC server to receive remote commands.
- Scans a range of ports to find any that are open.
Santy.B, on the other hand, takes the following actions, among others:
- Uses Google, America Online or Yahoo searches to find vulnerable computers.
- Creates or downloads scripts (such as BOT.TXT, SSH.A, WORM.TXT or WORM1.TXT) to install a backdoor and connect to different IRC servers.
- Deletes all files called SSH (with any extension), or whose name begins with BOT.
We end today's report with HHelp, a generic detection for malicious code that uses Exploit-HelpZonePass, which allows certain security features in Service Pack 2 for Windows XP to be bypassed. Malware that uses this exploit to spread can execute arbitrary code on affected computers with the same permissions as the user that started the session.
HHelp normally reaches computers when the user visits a malicious web page from which it is downloaded.
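The indicators the report gives for these two worms (Santy.B's dropped script names and its BOT*/SSH.* naming, and Spyki.A's outbound IRC session on TCP 6667) can be checked on a host. The following is an added example, not code from the Panda report; the file paths and the netstat-style lines are constructed samples.

```python
import os
import re

# Indicators quoted in the report; constructed lookup for this example only.
SANTY_DROPPED_FILES = {"BOT.TXT", "SSH.A", "WORM.TXT", "WORM1.TXT"}
IRC_PORT = 6667  # Spyki.A opens TCP 6667 to reach its IRC control server

def santy_file_indicators(paths):
    """Return the paths whose basename matches Santy.B's dropped scripts,
    a file called SSH with any extension, or a name beginning with BOT."""
    hits = []
    for path in paths:
        name = os.path.basename(path).upper()
        stem, _ = os.path.splitext(name)
        if name in SANTY_DROPPED_FILES or stem == "SSH" or name.startswith("BOT"):
            hits.append(path)
    return sorted(hits)

def scan_directory(root):
    """Walk a directory tree and apply the same name check to every file."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return santy_file_indicators(paths)

# Linux `netstat -tn` style line: proto, recv-q, send-q, local, remote, state
CONN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)")

def irc_connections(netstat_lines):
    """Return (local, remote) pairs for established TCP sessions to port 6667."""
    found = []
    for line in netstat_lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        remote = m.group("remote")
        _, _, port = remote.rpartition(":")
        if port.isdigit() and int(port) == IRC_PORT and m.group("state") == "ESTABLISHED":
            found.append((m.group("local"), remote))
    return found

# Constructed sample output, not captured from a real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:41022          192.0.2.10:6667         ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:52211      ESTABLISHED
tcp        0      0 10.0.0.5:39120          203.0.113.9:6667        TIME_WAIT
"""

if __name__ == "__main__":
    print(santy_file_indicators(["/tmp/BOT.TXT", "/var/www/index.php", "/tmp/ssh.a"]))
    print(irc_connections(SAMPLE_NETSTAT.splitlines()))
```

A hit on either check is a reason to pull the host for analysis, not proof of infection: legitimate IRC clients also use 6667, and the file-name rule will match any file beginning with BOT.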
For further information about these and other computer threats, visit Panda Software's Encyclopedia.
- Exploit: This can be a technique or a program that takes advantage of a vulnerability or security hole in a certain communication protocol, operating system, or other IT utility or application.
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and, depending on its type, the action taken may include disassembly, macro scanning, code analysis, etc. If the file does in fact contain a new virus, the detection and disinfection routines are prepared and quickly distributed to users. For more information: http://www.pandasoftware.com/virus_info/