PHP.Pirus

                     Discovered on: November 9, 2000
                     Last Updated on: November 13, 2000 04:02:47 PM PST


                       PHP.Pirus is the first virus written in PHP, a server-side
                     scripting language used for dynamic Web page generation. 

                     The virus searches for .php and .htm files and inserts code to call
                     itself. The virus executes only on servers with PHP interpreters. 

                     This virus cannot be contracted by simply visiting an infected
                     Web page. 

                     Category: Virus

                     Infection length: 718 bytes

                     Virus definitions: November 13, 2000

                     Threat assessment: 

                          Wild: Low 
                          Damage: Low 
                          Distribution: Low 



                     Wild 

                          Number of infections: 0-49 
                          Number of sites: 0-2 
                          Geographical distribution: Low 
                          Threat containment: Easy 
                          Removal: Easy 

                     Technical description: 

                     This virus is written in PHP and is contained in a file that is 718
                     bytes long. 

                     When executed, the virus searches the current directory for files
                     with .php or .htm extensions. If one of these files is writable, the
                     virus opens the file to determine if the file is already infected. If the
                     file is not infected, the virus inserts a line to execute the original
                     viral file rather than appending itself to the infected file. 

                     Removal: 

                     Because the name of the viral file may vary, remove this threat
                     as follows: 

                       1. Delete the original viral file. 
                       2. Remove the PHP code that loads the viral file from all .php
                          and .html files. 

                     For example, if the viral file is named "virus.php", then the
                     following code segment should be deleted from every file that
                     contains it: 

                     <?php
                     include "virus.php";
                     ?>
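
The second removal step can be scripted. The following is an added example, not part of the original advisory or any vendor tool: it reports, and optionally strips, the include block from .php, .htm and .html files under a web root. The function names, the sample files and the exact form of the injected block matched by the regular expression are assumptions.

```python
import re
import tempfile
from pathlib import Path

# .php/.htm are the types the advisory says get infected; .html is named in its removal step.
TARGET_EXTS = {".php", ".htm", ".html"}


def include_pattern(viral_name):
    """Match a PHP block whose only statement includes viral_name.

    Assumption: the inserted block looks like <?php include "NAME"; ?>, possibly
    with parentheses, single quotes, a directory prefix or line breaks.
    """
    return re.compile(
        r"<\?php\s+include\s*\(?\s*[\"'](?:[^\"']*[/\\])?" + re.escape(viral_name)
        + r"[\"']\s*\)?\s*;?\s*\?>[ \t]*\r?\n?",
        re.IGNORECASE,
    )


def clean_tree(root, viral_name, dry_run=True):
    """Return {relative path: blocks found}; with dry_run=False also strip them."""
    pattern = include_pattern(viral_name)
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXTS:
            continue
        if path.name == viral_name:
            continue  # the viral file itself is deleted separately (step 1)
        raw = path.read_bytes()
        cleaned, count = pattern.subn("", raw.decode("latin-1"))  # latin-1 round-trips bytes
        if count:
            hits[path.relative_to(root).as_posix()] = count
            if not dry_run:
                path.with_name(path.name + ".bak").write_bytes(raw)  # keep the original
                path.write_bytes(cleaned.encode("latin-1"))
    return hits


def demo():
    """Run on a constructed web root; the files below are samples, not real infections."""
    with tempfile.TemporaryDirectory() as root:
        inject = '<?php\ninclude "virus.php";\n?>\n'
        Path(root, "index.php").write_text("<?php echo 'hi'; ?>\n" + inject)
        Path(root, "about.htm").write_text("<html></html>\n" + inject)
        Path(root, "clean.php").write_text('<?php include "header.php"; ?>\n')
        found = clean_tree(root, "virus.php", dry_run=False)
        return found, clean_tree(root, "virus.php"), Path(root, "index.php").read_text()
```

Run it with `dry_run=True` first to review the list of hits, and move the `.bak` copies out of the web root once the cleaned files have been checked.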