PHP Virus

http://securityresponse.symantec.com/avcenter/venc/data/php.virdrus.html

This is pretty interesting. The virus searches for .php files and appends a bit of code to the beginning of them... I couldn't find any reference to what the code actually is, though.

FYI: Some mailing systems are now rejecting emails with "PHP" in the subject because of this...

---John Holmes...

Interesting. Kind of ambiguous as to what operating system(s) it attacks and what paths (ftp, email, etc.) it tries to exploit. And it doesn't specify what happens once the malicious code is run. Good to know, however.

From Symantec's alert page (http://securityresponse.symantec.com/avcenter/venc/data/php.virdrus.html):

When PHP.Virdrus is executed, it performs the following actions:

1. Searches the current folder for files with a .php extension.

2. Opens .php files to determine whether they are already infected.

3. If a .php file is not infected, it prepends the viral code to the infected file.

From the alert page, it seems like this PHP virus is propagated via email, and attacks Windows computers.

Also interesting is the number of PHP viruses listed on Symantec's site: google / symantec / PHP (http://www.google.com/search?q=php%20site%3Ahttp%3A//securityresponse.symantec.com&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8). I'd never heard of a virus written in PHP before this, but it looks as if the first PHP virus (http://securityresponse.symantec.com/avcenter/venc/data/php.pirus.html) was in the wild on 11/13/00.

3. If a .php file is not infected, it prepends the viral code to the infected file.


The thing is, what happens after step three? So there's malicious code in my php files. Someone visits my site. Does the malicious code destroy my file system? Whatever it does, it can't be good! :D

Yeah, it appeared that it only attacked Windows systems based on Symantec's solution, but they never explicitly said it. I was also surprised that there are PHP viruses out there.

Just so everyone's clear, the virus isn't written in PHP, but it affects PHP files somehow. I'd really like to see what it appends to the files.

---John Holmes...

Originally posted by Sepodati
Just so everyone's clear, the virus isn't written in PHP, but it affects PHP files somehow. I'd really like to see what it appends to the files.

---John Holmes...

Really? Not to be contradictory, but this is straight from Symantec's page:
"PHP.Virdrus is written in PHP."

I'd really like to see what it appends to the files.

Ditto! Too bad Symantec doesn't post the virus' code with the warning... :(

Originally posted by drgroove
Not to be contradictory, but this is straight from Symantec's page: "PHP.Virdrus is written in PHP."

Duh... I don't see how that would work, but okay. I'd really like to see this now... :)

Originally posted by Sepodati
Duh... I don't see how that would work, but okay. I'd really like to see this now... :)

I know, right? Unless you were running an HTTPD server on your Windows PC when you got hit w/ this virus, I don't see how it would execute... very, very strange indeed.

Maybe we can beg Symantec to see the code? :D

Hmmm... let me review.

PHP.Pirus is the "first" virus ever written in PHP and after the distribution of this virus, some email companies decided not to accept emails that contain any PHP source code.

If that's true, then PHP superbs in ASP. So Open Source wins again.

End.

Originally posted by sardonyx
PHP superbs in ASP

How so? Because it's more efficient for writing viruses? Hardly the reputation for quality PHP developers are striving for, I would think.

Does anyone know what the code does? I understand them not posting the code, but why don't they say what it does? And does sardonyx mean that PHP is superb to ASP?

Can one thing be "superb" to another?

Originally posted by slipping_grip
And does sardonyx mean that PHP is superb to ASP?

I'm not sure sardonyx knows... :rolleyes:

I don't know. But anyways what does that virus actually do? Is it just trying to be friends, but it is being stifled by Symantec? Or is it a malevolent demon bent on the destruction of PHP?

Originally posted by slipping_grip
I don't know. But anyways what does that virus actually do? Is it just trying to be friends, but it is being stifled by Symantec? Or is it a malevolent demon bent on the destruction of PHP?

The links above to Symantec's site describe what the virus does...

1. Searches the current folder for files with a .php extension.

2. Opens .php files to determine whether they are already infected.

3. If a .php file is not infected, it prepends the viral code to the infected file.

prepends...

4. The virus copies malicious code to PHP files that are not yet infected with its evil plan.

Just as the virus name itself, Pirus, also means to spread. Oh well... thanks.

Quick, post my email everywhere you know so that I get that stupid virus, run it and post the code here!
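The three steps quoted from Symantec's alert in this thread (search the folder for .php files, check each one, prepend the same code) imply that affected files in one folder all start with an identical block. The following is an added example, not code from the thread or from Symantec: a Python check that flags .php files sharing a long common opening block. The 40-byte threshold, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

MIN_SHARED = 40  # assumed threshold: shorter shared openers are treated as normal boilerplate


def find_shared_prefixes(folder, min_shared=MIN_SHARED, head=4096):
    """Return [(shared_bytes, [names])] for .php files in `folder` that
    begin with the same block of at least `min_shared` bytes."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not (name.lower().endswith(".php") and os.path.isfile(path)):
            continue
        with open(path, "rb") as fh:
            data = fh.read(head)  # only the start of the file matters here
        if len(data) >= min_shared:
            groups[data[:min_shared]].append((name, data))
    findings = []
    for members in groups.values():
        if len(members) > 1:  # one file alone proves nothing
            shared = os.path.commonprefix([d for _, d in members])
            findings.append((shared, [n for n, _ in members]))
    return findings


# Constructed, harmless stand-in for a prepended block (not real malware).
BLOCK = b"<?php /* CONSTRUCTED SAMPLE: stands in for a prepended block */ ?>\n"


def demo():
    """Build a throwaway folder of constructed files and scan it."""
    samples = {
        "index.php": BLOCK + b"<?php echo 'home'; ?>\n",
        "about.php": BLOCK + b"<html><body>About</body></html>\n",
        "contact.php": BLOCK + b"<?php include 'form.inc'; ?>\n",
        "clean.php": b"<?php\n// untouched file with its own, different header\necho 'ok';\n",
        "notes.txt": BLOCK + b"not a .php file, so it is ignored\n",
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, body in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(body)
        return find_shared_prefixes(folder)


if __name__ == "__main__":
    for shared, names in demo():
        print(f"{len(names)} files share a {len(shared)}-byte opening block: {names}")
```

A legitimate shared header, such as a licence comment, is flagged too, so each finding is a prompt to compare the files against a known-good copy rather than a verdict.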









