Thread: PHP Virus

    #1
  1. Banned (not really)
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 1999
    Location
    Brussels, Belgium
    Posts
    14,643
    Rep Power
    4492

    PHP Virus


    http://securityresponse.symantec.com...p.virdrus.html

    This is pretty interesting. The virus searches for .php files and appends a bit of code to the beginning of them... I couldn't find any reference to what the code actually is, though.

    FYI: Some mailing systems are now rejecting emails with "PHP" in the subject because of this...

    ---John Holmes...
    -- Cigars, whiskey and wild, wild women. --
  2. #2
  3. 300lb Bench!
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Aug 2001
    Location
    New York
    Posts
    2,350
    Rep Power
    62
    Interesting. Kind of ambiguous as to what operating system(s) it attacks and what paths (ftp, email, etc.) it tries to exploit. And it doesn't specify what happens once the malicious code is run. Good to know, however.
    Correspondence chess
    nothingbutchess.com
  4. #3
  5. Moderator Emeritus
    Devshed Supreme Being (6500+ posts)

    Join Date
    Feb 2002
    Location
    Austin, TX
    Posts
    7,186
    Rep Power
    2265
    From Symantec's alert page:

    When PHP.Virdrus is executed, it performs the following actions:

    1. Searches the current folder for files with a .php extension.

    2. Opens .php files to determine whether they are already infected.

    3. If a .php file is not infected, it prepends the viral code to the infected file.

    From the alert page, it seems like this PHP virus is propagated via email, and attacks Windows computers.

    Also interesting is the number of PHP viruses listed on Symantec's site: google / symantec / PHP. I'd never heard of a virus written in PHP before this, but it looks as if the first PHP virus was in the wild on 11/13/00.
    DrGroove, Devshed Moderator | New to Devshed? Read the User Guide | Connect with me on LinkedIn
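Added example, not part of the original posts and not Symantec's code: the three steps quoted above describe a prepender, which leaves each original file intact at the end of the infected one. This Python check compares .php files against a previously recorded baseline and flags that specific pattern; the function names `snapshot` and `classify` and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each .php file under root to (size, sha256 of contents)."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                rel = os.path.relpath(path, root)
                base[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return base


def classify(root, base):
    """Return {path: 'unchanged'|'prepended'|'modified'|'new'|'missing'}."""
    current = snapshot(root)
    result = {rel: "new" for rel in current if rel not in base}
    for rel, (size, digest) in base.items():
        if rel not in current:
            result[rel] = "missing"
        elif current[rel] == (size, digest):
            result[rel] = "unchanged"
        else:
            with open(os.path.join(root, rel), "rb") as fh:
                data = fh.read()
            # A prepender keeps the original bytes intact at the end of the file.
            tail = data[-size:] if 0 < size < len(data) else b""
            intact = hashlib.sha256(tail).hexdigest() == digest
            result[rel] = "prepended" if tail and intact else "modified"
    return result


if __name__ == "__main__":
    # Constructed sample files; the function names are this example's own.
    with tempfile.TemporaryDirectory() as root:
        for name in ("index.php", "lib.php"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("<?php echo '%s'; ?>\n" % name)
        base = snapshot(root)
        with open(os.path.join(root, "index.php"), "r+") as fh:
            body = fh.read()
            fh.seek(0)
            fh.write("<?php /* placeholder for injected code */ ?>\n" + body)
        print(classify(root, base))
```

The baseline has to be recorded while the files are known to be clean and stored somewhere the web server account cannot write to.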
  6. #4
  7. 300lb Bench!
    3. If a .php file is not infected, it prepends the viral code to the infected file.
    The thing is, what happens after step three? So there's malicious code in my PHP files. Someone visits my site. Does the malicious code destroy my file system? Whatever it does, it can't be good!

    Yeah, it appeared that it only attacked Windows systems based on Symantec's solution, but they never explicitly said it. I was also surprised that there are PHP viruses out there.
    Correspondence chess
    nothingbutchess.com
  8. #5
  9. Banned (not really)
    Just so everyone's clear, the virus isn't written in PHP, but it affects PHP files somehow. I'd really like to see what it appends to the files.

    ---John Holmes...
  10. #6
  11. Moderator Emeritus
    Originally posted by Sepodati
    Just so everyone's clear, the virus isn't written in PHP, but it affects PHP files somehow. I'd really like to see what it appends to the files.

    ---John Holmes...
    Really? Not to be contradictory, but this is straight from Symantec's page:
    "PHP.Virdrus is written in PHP."
    DrGroove, Devshed Moderator | New to Devshed? Read the User Guide | Connect with me on LinkedIn
  12. #7
  13. Moderator Emeritus
    I'd really like to see what it appends to the files.

    Ditto! Too bad Symantec doesn't post the virus' code with the warning...
    DrGroove, Devshed Moderator | New to Devshed? Read the User Guide | Connect with me on LinkedIn
  14. #8
  15. Banned (not really)
    Originally posted by drgroove
    Not to be contradictory, but this is straight from Symantec's page: "PHP.Virdrus is written in PHP."
    Duh... I don't see how that would work, but okay. I'd really like to see this now...
    -- Cigars, whiskey and wild, wild women. --
  16. #9
  17. Moderator Emeritus
    Originally posted by Sepodati
    Duh... I don't see how that would work, but okay. I'd really like to see this now...
    I know, right? Unless you were running an HTTPD server on your Windows PC when you got hit w/ this virus, I don't see how it would execute... very, very strange indeed.

    Maybe we can beg Symantec to see the code?
    DrGroove, Devshed Moderator | New to Devshed? Read the User Guide | Connect with me on LinkedIn
  18. #10
  19. sardonyx quinx
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2003
    Posts
    156
    Rep Power
    12
    Hmmm... let me review.

    PHP.Pirus is the "first" virus ever written in PHP and after the distribution of this virus, some email companies decided not to accept emails that contain any PHP source codes.

    If that's true, then PHP superbs in ASP. So Open Source wins again.

    End.
  20. #11
  21. Moderator Emeritus
    Originally posted by sardonyx
    PHP superbs in ASP
    How so? Because it's more efficient for writing viruses? Hardly the reputation for quality PHP developers are striving for, I would think.
    DrGroove, Devshed Moderator | New to Devshed? Read the User Guide | Connect with me on LinkedIn
  22. #12
    Shine On Me
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2003
    Location
    Yes
    Posts
    55
    Rep Power
    12
    Does anyone know what the code does? I understand them not posting the code, but why don't they say what it does? And does sardonyx mean that PHP is superb to ASP?
    "Reality is slowly loosing its grip on me."
    - Slipping Grip
  24. #13
  25. Banned (not really)
    Can one thing be "superb" to another?
  26. #14
  27. Moderator Emeritus
    Originally posted by slipping_grip
    And does sardonyx mean that PHP is superb to ASP?
    I'm not sure sardonyx knows...
    DrGroove, Devshed Moderator | New to Devshed? Read the User Guide | Connect with me on LinkedIn
  28. #15
    Shine On Me
    I don't know. But anyways what does that virus actually do? Is it just trying to be friends, but it is being stifled by Symantec? Or is it a malevolent demon bent on the destruction of PHP?
    "Reality is slowly loosing its grip on me."
    - Slipping Grip