PHP Virus

http://securityresponse.symantec.co...hp.virdrus.html

This is pretty interesting. The virus searches for .php files and appends a bit of code to the beginning of them... I couldn't find any reference to what the code actually is, though.

FYI: Some mailing systems are now rejecting emails with "PHP" in the subject because of this...

---John Holmes...

Interesting. Kind of ambigious as to what operating system(s) it attacks and what paths (ftp,email,etc) does it try to exploit. And it doesn't specify what happens once the malicious code is run. Good to know, however.

From symantec's alert page:

When PHP.Virdrus is executed, it performs the following actions:

1. Searches the current folder for files with a .php extension.

2. Opens .php files to determine whether they are already infected.

3. If a .php file is not infected, it prepends the viral code to the infected file.

From the alert page, it seems like this PHP virus is propegated via email, and attacks Windows computers.

Also interesting is the number of PHP viruses listed on Symantec's site: google / symantec / PHP. I'd never heard of a virus written in PHP before this, but it looks as if the first PHP virus was in the wild on 11/13/00.

The thing is, what happens after step three? So there's malicious code in my php files. Someone visits my site. Does the malicious code destroy my file system? Whatever it does, it can't be good!

Yeah, it appeared that it only attacked windows systems based on symentac's solution, but they never explicitly said it. I was also surprised that there are php viruses out there.

Just so everyone's clear, the virus isn't written in PHP, but it affects PHP files somehow. I'd really like to see what it appends to the files.

---John Holmes...

Really? Not to be contradictory, but this is straight from symantec's page:
"PHP.Virdrus is written in PHP."

I'd really like to see what it appends to the files.

Ditto! Too bad symantec doesn't post the virus' code with the warning...

Duh... I don't see how that would work, but okay. I'd really like to see this now...

I know, right? Unless you were running an HTTPD server on your Windows PC when you got hit w/ this virus, I don't see how it would execute... very, very strange indeed.

Maybe we can beg Symantec to see the code?

Hmmm... let me review.

PHP.Pirus is the "first" virus ever written in PHP and after the distribution of this virus, some email companies decided not to accept emails that contains any PHP source codes.

If that's true, then PHP superbs in ASP. So Open Source wins again.

End.

How so? Because its more efficient for writing viruses? Hardly the reputation for quality PHP developers are striving for, I would think.

Does anyone know what the code does? I understand them not posting the code, but why don't they say what it does? And does sardonyx mean that PHP is superb to ASP?