1. Symantec/
  2. Security Response/
  3. Perl.Santy


Risk Level 2: Low

December 21, 2004
February 13, 2007 12:31:16 PM
Also Known As:
Perl.Santy.A [Computer Associa, Santy [F-Secure], Net-Worm.Perl.Santy.a [Kaspers, Perl/Santy.worm [McAfee], PHP/Santy.A.worm [Panda], Perl/Santy-A [Sophos], WORM_SANTY.A [Trend Micro]
Systems Affected:
UNIX, Windows

Perl.Santy is a worm written in Perl script that attempts to spread to Web servers running versions of the phpBB 2.x bulletin board software prior to 2.0.11, which are vulnerable to the PHPBB Viewtopic.PHP PHP Script Injection Vulnerability (BID 10701). Other systems are not affected. If successful, the worm copies itself to the server and overwrites the files with the following extensions:
  • .asp
  • .htm
  • .jsp
  • .php
  • .phtm
  • .shtm

The worm uses the Google search engine to find potential new infection targets. Google has now implemented blocking Perl.Santy search requests, which is expected to greatly reduce the worm's ability to propagate and lower the risk of further infections.

Antivirus Protection Dates

  • Initial Rapid Release version December 21, 2004
  • Latest Rapid Release version September 22, 2016 revision 004
  • Initial Daily Certified version December 21, 2004
  • Latest Daily Certified version September 22, 2016 revision 025
  • Initial Weekly Certified release date December 21, 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Jeong Mun

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube