By Bob Sullivan Technology correspondent
updated 12/21/2004 3:19:18 PM ET 2004-12-21T20:19:18

A new computer worm that attacks bulletin board services spread silently and quickly around the Internet Tuesday, infecting at least 38,000 systems within a few hours, experts said. The worm does not attack home computers, but consumers might encounter its effects.  Bulletin boards that are infected will show a simple text message: "This site is defaced!!! This site is defaced!!! NeverEverNoSanity."

The worm only attacks widely used message board software called PHP Bulletin Board. Other than displaying the text message, it does nothing malicious to infected computers, according to antivirus firm Kaspersky Labs. Because it spread rather quickly Tuesday morning, F-Secure Corp. issued an alert about Santy.

"This is spreading very rapidly," said Ken Dunham, director of malicious code research at iDefense Inc. 

As a network-based worm, the malicious program is capable of making the rounds quickly without any user interaction, such as clicking on an e-mail attachment. In that way, Santy is similar to the Code Red or Nimda attacks, but the list of potentially vulnerable computers is far more limited that those attacks, said virus researcher Oliver Friedrichs of Symantec Corp.

Santy searches for its digital victims using the Google search engine, Dunham said. The malicious program searches for a particular string of text to find computers running the vulnerable bulletin board software, then attacks them.

"It only takes so long to Google and deface," he said.

Friedrichs said attacks that take advantage of the powerful Google search engine are becoming more common. Earlier this year, the MyDoom computer virus temporarily disabled Google by harvesting e-mail addresses through the service.

"It's not the first time we've seen a threat leveraging Google," he said. "It's extremely attractive to worm (author) who relies on gathering information like e-mail addresses. ... this is a trend we expect to continue."

Another intriguing Santy trick: The worm brags about infecting "generations" of computers.  Worms spread exponentially. The first infected computer may attack a dozen or more machines, each of which in turn attacks another dozen, and so on.  Even after just four or five levels -- like generations in a family tree -- the attack is widespread. 

Santy keeps track of its family tree, announcing which generation has arrived on an infected computer.  Searches for infected machines at 3 p.m. ET Tuesday showed the worm had already reached generation 24.

"It does appear to be continuing to spread," Dunham said.

© 2013 Reprints


Discussion comments


Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments