The "Anti-Santy-Worm V4," discovered by anti-virus vendor F-Secure, works very much like the original Santy worm, which used Google search results to randomly find—and deface—phpBB forums.
Google has since tweaked its search engine to filter the worm's queries, but the public release of the Santy source code continued to put unpatched phpBB sites at risk.
According to an F-Secure advisory, the anti-Santy fixer worm also uses search engines to find vulnerable message boards. "Then the worm tries to patch the system so Santy variants won't be able to infect it any more," the advisory states.
Once a site becomes infected, the Santy mutant drops a file called secure.php with the following text: "Your site is a bit safer, but upgrade to >= 2.0.11 !!"
The "2.0.11" refers to the newest, more secure version of phpBB.
While the worm purports to have good intentions, F-Secure's Director of Anti-Virus Research, Mikko H. Hypponen, does not believe in the benefits of renegade fixes. "This is not a beneficial worm. We have no idea how safe the patch the worm applies really is. We also have reports from phpBB administrators whose site is perfectly safe already to be under a denial-of-service attack caused by multiple requests created by this worm," Hypponen said.
The discovery of a "good" worm following a major Web attack isn't entirely new. Last August, at the height of the Blaster worm attack, a fixer worm called Welchia started spreading and attempted to patch the Windows vulnerability.
However, any benefit proved illusory, because Welchia's propagation technique swamped networks and caused denial-of-service conditions.
Three years ago, during the Code Red outbreak, a "good" worm called Code Blue was released with the intent of preventing vulnerable Web servers from being infected by Code Red. In 2001, the Cheese worm attempted a similar repair job on Linux systems that had been infected by the Li0n worm.