PHP Virus

blr32

Central Command Discovers First Virus to Use PHP Scripting Language
to Infect Computers

PHP.NewWorld Virus represents the first step in a new direction of
virus writing in the year 2001

MEDINA, Ohio, January 5, 2001 - Central Command, a leading provider
of PC anti-virus software and computer security services, and its
partners today announced the discovery of PHP.NewWorld, the first
virus using the Hypertext Preprocessor (PHP) scripting language to
infect computer systems.

PHP (www.php.net) is one of the most popular scripting languages
used in the development of e-commerce and heavy content websites.
It gained its popularity thanks to its user-friendly programming
features, and the incorporation of cross platform compatibility
between Windows, Linux, and UNIX environment features included
within the language.

"Although PHP.NewWorld is currently not a major threat, it marks a
new step toward new virus generation," said Steven Sundermeier,
Product Manager at Central Command, Inc.

The PHP programming language has become a standard in dynamic
website development. A majority of websites that incorporate user
interaction and personalization rely on PHP, making it an appealing
target for virus writers.

"Because the PHP language is absolutely free, we are anticipating
that copycats of this PHP script virus will become prominent and
will have much more damaging consequences in the near future,"
concluded Sundermeier.

PHP.NewWorld is spread to a system when executing an infected
script.

Description of PHP.NewWorld:

Name: PHP.NewWorld
Alias: None
Detection included in AVX Professional: 2001-01-05
Spreading method: uses PHP script functions

Description: PHP.NewWorld looks for .php, .hm, .html or .htt files
in the C:\Windows directory. All files found with these extensions
will become infected. When a user executes a .php file, the virus
body will be executed from an external file and will take full
control. In the case that the string "NewWorld.PHP" is identified
as already existing, the infection routine will not be launched
again. Thus, a file will not get infected twice.

PHP.NewWorld has no activation date. The virus is not able to
spread out from the infected system.

AVX Professional has been updated to detect and remove
PHP.NewWorld. A free 30-day trial version may be downloaded from
www.avx.com or obtained by contacting Central Command toll-free at
866-2-GET-AVX (866-243-8289).

About Central Command: A leader in the anti-virus industry, Central
Command, Inc., a privately held company, was founded in 1990 and
serves home PC users and industrial, government, financial,
education and service firms with virus protection software,
services, and information. The company services customers in over
40 countries and is headquartered in Medina, Ohio.

Central Command, EVRT, Emergency Virus Response Team are trademarks
of Central Command Inc. AVX and AntiVirus eXpert are trademarks of
Softwin SRL, Romania. All other trademarks, trade names, and
products referenced herein are property of their respective owners.

Anon

If this is true then it is a shame. Why would people make a virus using PHP?

Do people have to destroy technology that is absolutely free?

[deleted]

Uhm.... like, go away dude...

"The virus is not able to spread out from the infected system. "

Then what do I care?

"Description: PHP.NewWorld looks for .php, .hm, .html or .htt files in the C:\Windows directory."

Again, what do I care? PHP is used much more widely on un*x.
And even the "few" windows users will have their document root setup outside the c:/windows directory.

And the kicker:
"In the case that the string "NewWorld.PHP" is identified as already existing, the infection routine will not be launched again."

Ergo, the viruskiller would be a simple includefile at the top of each PHP script:

if(isset($NewWorld.PHP))
{
echo "infected\n";
exit;
}

Not really worth bying an antivirus program for now is it?

Anon

If you have your .php (or other web) files writeable by the server process, then yeah this may be a problem for you ... But otherwise I don't forsee this as becoming any real problem.

If your document files are writeable by the server process, this is probably the least of your worries.

-- Steve

docdunning

Well, McAfee acknowledge the existence of this as a virus, although they say its the second, behind "php.pirus".

Tell me this - I thought php was a server side process - how can it open/update client-side files as "C:/WINDOWS/..."? Or is the idea that such a virus can only infect servers?

Meantime, I'm not about to panic.

[deleted]

HMm macafee... hmm yes ok... :-)

That is just the point, PHP is a serverside thing, but it is a very powerfull thing.
So, if you have your permissions setup wrong, or you run windows 🙂 , PHP can access just about every file on your computer and do whatever it likes with it.

But... like the warning said: it can't infect outside it's host.
That means you have to actively download a script and blindly run it on your server to get infected, which is... how do I put this politely... ehm.. dumb?

Really, if the writers of this "virus" had a bit more brains they could have a lot more "fun" than just prodding around in a few windoze files...

Anon

This message board was intended for use by professional PHP developers. Professional meaning those who exhibit a certain level of maturity. You obviously are a pretentious amateur and obviously lack communication skills.

You should be ashamed of yourself.

blr32

Ashamed of What?, Why?
Mind you that i'm only distrubuting information sent out by AVX.com.
This information is public and I strongly believe that this is something that should have the interest of this phorum.
Eventhough unlikely, this virus can be the start of a series of PHP virii.
You just never know.

[deleted]

I think that comment was meant for me Duke, don't you go around taking credit for smart remarks by "jimmy" :-) this one's mine! 🙂

Anon

Hi,

I'm terribly sorry cause I've to jump in,...
But I just couldn't resist it.
Who would make a virus for php or some other open sourse inv.^!!
Those m---- f---- from the clossed source business,... & we all do know who they are!!! Don't need to mention that, huh!!!

Another more reason to continue to devolop everything (I migrated from asp & so on) in an open source mind,... (& to throw away all their worthless systems & bug guarantee closed solutions) their's final day's are already counted... Their system will die finaly. Hope sonner than they can imagine.

HTH

-Klaus

Anon

Klaus is right.

Those f----en big advertising machines has a big stake at this sort of thing....

Still...:
why is dubbed as a PHP virus - any server side scripting method can do what the
??NewWorld Virus?? can do ... e.g. DOS batch file running as a CGI, MS ASP[@!#$ @!#$ @!#$ did I say that] -- am I the only one here who notices that Central Command might have something to do with the dare I say conspiracy to associate PHP with Viruses? Oops .. I said it again... well think any web server OS that allows writing of local files in the system folders is dump dump fu---en stupid.

This is not a PHP virus - PHP was simply used as real programming tool to show how vulnerable Microsoft Windows OSes are.

If this kind of virus naming continues then they [AV vendors] should rename all viruses to the programming languages that the Viruses were written in. e.g the first Assembly virus, or the First c++ virus or the First Cobol virus ... get the drift ...

.... PHP still RULES ....
ciao

Anon

I want a souce code for killer virus.
You can help me!
Thanks verry verry must.

Magnus wrote:

If this is true then it is a shame. Why would people make a virus using PHP?

Do people have to destroy technology that is absolutely free?

Anon

anybody got the source to it? =]

Anon

Anyone who has it,please put it here🙂