A Dangerous Portent

Well, despite the absence of any serious viral activity since Krizmas (sorry, Christmas), there is a dangerous portent in PHP-driven viruses. The brief hiatus in the war against viruses seems to be related to most virus writers being holidaying humans who have taken a break. However, I foresee a surge in virus sightings by February-March 2k+1.

The dangerous portent is HTML-based viruses that execute a script. Since the compilation and execution are done on-the-fly, it's pretty hard to prevent such infectors. The only defense we have is that these need to be embedded in PHP pages. And that presumes the site administrator knows about the content. Unless the site itself is hacked.

The new year sees the spread of another PHP-driven virus. PHP is a server-side, cross-platform, HTML embedded scripting language. It is used to generate dynamic Web page content on-the-fly. PHP is much faster than conventional HTML-based and is dependent on the client's ability to parse the page. I believe the two known examples were "proofs-of-concept" that managed to make their way into open cyberspace. Still, forewarned is forearmed.

PHP/Pirus, sighted in October 2k, was the first known PHP virus. It infects .PHP and .HTM files in the current directory on web servers running PHP. It does so by inserting a server-side include (SSI) command into the beginning of such files. When run, the virus searches for .PHP and .HTM files. If any such uninfected files are found, the virus attempts to insert an SSI at the front of that file which instructs PHP to serve the content of the original viral file at the beginning of that file. The text inserted is -

PHP/NewWorld is the second PHP virus. This too runs a script buried in its page code. The script will display "Neworld.PHP Welcome To The New World Of PHP Programming." The only way to remove the virus is to search your system for PHP files and check each one. If you find an SSI pointing to FILEWORLD.PHP, delete it.

The other virus warning is about another VBS script virus. Tqll-AJAN infects Microsoft Outlook. As is common to such infectors, the worm arrives as an email with the subject "New Year !" The message body reads "Wow Happy New Year !" The attachment HAPPYNEWYEAR.TXT.VBS installs and launches a backdoor Trojan (Backdoor/Psychware.G.Server) on the infected system. The worm then sends itself as an attachment to every address listed in Outlook Address Book. The Trojan (3k.exe) attempts to download Teen.exe.
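The manual check described above for PHP/NewWorld (search every PHP file for an include pointing to FILEWORLD.PHP) can be scripted. The following is an added example, not code from the original article: it reports matches without modifying files. The directive patterns, the five-line head window and the sample files are assumptions, since the article does not show the exact inserted text.

```python
import os
import re
import tempfile

# Assumed directive forms (the page does not show the inserted text):
# PHP include/require statements and SSI <!--#include ...--> comments.
DIRECTIVE = re.compile(r"""(?ix)
    (?: \b(?:include|require)(?:_once)? \s* \(? \s* ["']([^"']+)["']
      | <!--\#include \s+ (?:file|virtual) \s* = \s* ["']([^"']+)["'] )""")
WEB_EXTENSIONS = (".php", ".htm", ".html")
HEAD_LINES = 5  # the page says the directive sits at the front of the file

# Constructed sample files; none of this text is from a real infection.
SAMPLES = {
    "index.php": '<?php include("fileworld.php"); ?>\n<html>home</html>\n',
    "about.htm": '<!--#include file="FILEWORLD.PHP" -->\n<html>about</html>\n',
    "clean.php": '<?php include("header.php"); ?>\n<html>clean</html>\n',
    "notes.txt": 'include("fileworld.php")\n',
}

def find_suspect_includes(root, target_name):
    """Return (path, line_no, included_path) for early includes of target_name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                head = [next(fh, "") for _ in range(HEAD_LINES)]
            for line_no, line in enumerate(head, start=1):
                for match in DIRECTIVE.finditer(line):
                    included = match.group(1) or match.group(2)
                    # Compare only the file name, ignoring case and directories.
                    if re.split(r"[\\/]", included)[-1].lower() == target_name.lower():
                        hits.append((path, line_no, included))
    return hits

def scan_samples(target_name="FILEWORLD.PHP"):
    """Write SAMPLES to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            with open(os.path.join(tmp, name), "w", encoding="latin-1") as fh:
                fh.write(body)
        return [(os.path.basename(p), n, inc)
                for p, n, inc in find_suspect_includes(tmp, target_name)]

if __name__ == "__main__":
    for name, line_no, included in scan_samples():
        print(f"{name}:{line_no}: includes {included}")
```

On a real server, call `find_suspect_includes` with the web root; each hit still needs a manual look before the directive is deleted, because a legitimate page can include a file of the same name.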