I don't think that this affects us here. Just a heads up. A new worm is playing havoc with certain Web sites by exploiting a security hole in PHPbb, a popular program used to create Internet forums, several security firms warned Tuesday. Russian-based Kaspersky Lab was among the first to report sightings of Net.Worm.Perl.Santy-A, labeling it a severe risk. According to the firm, Santy-A is spreading rapidly. "However, this does not directly affect end users," the firm said in a statement. "Although the worm infects Web sites, it does not infect computers used to view these sites." Kaspersky added, "Santy-A is something of a novelty. It creates a specially formulated Google search request, which results in a list of sites running vulnerable versions of PHPbb. It then sends a request containing a procedure which will trigger the vulnerability to these sites. Once the attacked server processes the request, the worm will penetrate the site, gaining control over the resource. It then repeats this routine." Once the worm dominates a site, it scans all the directories. All files with the extensions .htm, .php, .asp, .shtm, .jsp and .phtm are overwritten with the text "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation." Apart from defacing infected sites with this text, Kaspersky said the worm has no payload. It will not infect machines used to view compromised sites. The firm recommends PHPbb users upgrade to version 2.0.11 to keep their sites from being defaced. Finnish security firm F-Secure Corp. and Lynnfield, Mass.-based Sophos also confirmed sightings of Santy-A. "It's out there. It's spreading. It seems to be pretty bad. We're still analyzing further," Mikko Hypponen, F-Secure's director of AV research, said in an e-mail. "It's a perl worm searching vulnerable forum sites via Google. When hit, the site gets defaced and restarts Google scanning." "I know that security holes have been found in PHPbb's software in the past, so it is important that people keep up to date with their security patches and latest revisions," Graham Cluley, senior technology consultant for antivirus firm Sophos, said in an e-mail. Reston, Va.-based iDefense reiterated that advice and reported more than 38,000 sites had been compromised since this morning. Ken Dunham, the company's director of malicious code, said the worm may be exploiting a recent SQL injection vulnerability for phpBB 2.0.10 reported on Nov. 29. "If that is the case, this worm was rapidly authored and deployed, just a few weeks following the vulnerability announcement," he said in a prepared statement.