php virus!
disek
02-05-2001, 05:31 AM
This from symantec:
http://service1.symantec.com/sarc/sarc.nsf/html/PHP.Sysbat.html
I would take this seriously as it provides the basis for other virii.
theo
vincente
02-05-2001, 07:10 AM
<rant>
This virus must be created by a complete moron:
A quote from the mentioned page:
"PHP.Sysbat modifies the Autoexec.bat file so that the next time the computer is restarted, the command to format the hard drive is executed. The Trojan will also append text to C:\Config.sys and to other files with the .sys extension that are located in the C:\Windows\Command folder. Finally, the Trojan tries to delete C:\Windows\System\Wsock32.dll."
Why the F does it try to append text and delete files, when it has already set the computer up to explode at the next restart, erasing the files it just appended text to?
Also, it doesn't spread itself around, so the only way to get it is to run a script from someone who has deliberately put this code in.
Would a "bad" person really go through the trouble of getting this code and putting it in when he could do something as simple as an exec() with a rot13 encoded format command?
</rant>
finger
02-05-2001, 07:50 AM
well. if it only calls 'format' ... shouldn't be a prob cos format asks you if you really
wanna format your hd. so if your will is
strong enough: say NO. afterwards modify
the autoexec.bat.
i don't believe in php-viruses
finger
disek
02-05-2001, 08:13 AM
I don't either, but there are guaranteed to be people out there who will fall prey to this one no matter how banal it is.
finger
02-05-2001, 08:21 AM
yes. but you can't access the client's hd
via php, can you?
finger
disek
02-05-2001, 08:46 AM
you can if you have php installed on your machine
finger
02-05-2001, 09:11 AM
really? if the user browses on a machine,
that has php installed, to a php-page, this
page has full access to the client's hd? that
would be such a security-leak that. well that
php would be a joke ... so i can't believe
that at all.
finger
disek
02-05-2001, 09:44 AM
No, that's not what I meant. The virus/trojan will not work through the client browser. You'd have to run it on your machine, and in this context it is in the same category as Jscript on a Windows machine. As an attachment to a mail or some such thing it won't do anything unless you have php installed as a cgi, and to be honest, I don't know if this is possible on Windows.
Theo
If you want to execute a php script on a local machine the victim's machine must:
a) have php installed
b) have a web server installed and running
c) have php.exe in the default location or
d) be administered by a boob.
The only way you can access the autoexec.bat for read or write is by executing the script on the local server, or by sending the script directly to the php.exe.
So, if you have a server running on your machine, and you have php installed, and you don't know you shouldn't run code that has the words "autoexec.bat" or "format c:" in it, then I really can't feel sorry for you.
EVERY scripting language CAN be put to malicious use on a Windows box due to Microlimp's total disregard for security issues; some are just more difficult to pull off than others. With PHP this is extremely difficult to pull off because of all the prerequisites and its inherent security measures, so I for one won't be holding my breath for a php related virus.
disek
02-06-2001, 03:13 AM
Everybody seems to be getting on the defensive about this stupid virus/trojan warning. As if php is the holy grail or something. So to end this trip:
1. The way this virus/trojan is implemented, it makes no difference really what server side scripting language you are using, be it perl, php, asp or whatever. This one assumes you downloaded a script from somewhere and executed it without looking at it first. Comments saying a user is a dumb @!#$ to do this in the first place are misplaced as this can happen to anyone when they're tired, overworked, not wary for a second or so. In my experience, people who think they're too clever to be caught by simple tricks like this, get caught by them just as often as those who don't.
2. It makes little difference on what system you're operating. This script will attempt to overwrite your autoexec.bat and some other stuff and the placed format command will format your drive nicely if you're not careful. On Windows NT, this shouldn't work, if you're not logged in as an administrator and have reduced rights. On most systems you can implement better or worse security and since most scripting languages support exec() like functions, you should guard against them, no matter in which environment you are. Not watching for escape sequences where you pass user input to a function like exec() is a sure way to invite someone to try to hack your system.
ok?
Ah, couldn't you stop it by disabling system commands in your php.ini file?
And, maybe a feature to add to 4.0.5/4.0.6 would be to disallow access to .sys and .bat files :-)
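Two points from the thread, put side by side as an added example that is not part of the original posts: searching a downloaded script for the words "autoexec.bat" or "format c:" misses a command passed to exec() in rot13 form, while flagging the shell-execution functions and decoders themselves does not. The function names and the sample script are constructed for this illustration, and the sample's encoded string decodes to a harmless `echo hello`.

```python
import re

# PHP functions that hand a string to the operating system shell.
SHELL_SINKS = ("exec", "system", "passthru", "shell_exec", "popen", "proc_open")
# Decoders that can hide what that string says.
DECODERS = ("str_rot13", "base64_decode")
# Files named in the Symantec description quoted in the thread.
TARGET_FILES = ("autoexec.bat", "config.sys", "wsock32.dll")

# The lookbehind skips curl_exec(), $db->exec() and Class::exec(); PHP function
# names are case-insensitive, so the match is too.
CALL_RE = re.compile(
    r"(?<![\w$>:])(" + "|".join(SHELL_SINKS + DECODERS) + r")\s*\(", re.I
)


def naive_keyword_check(source):
    """The 'look for the obvious words' test suggested in the thread."""
    lower = source.lower()
    return "autoexec.bat" in lower or "format c:" in lower


def review_php(source):
    """Return (line_no, kind, detail) findings to read before running a script.

    Line-based and deliberately over-inclusive: text inside comments is
    flagged as well, because the goal is to prompt a manual look.
    """
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        lower = line.lower()
        for name in TARGET_FILES:
            if name in lower:
                findings.append((no, "target-file", name))
        for match in CALL_RE.finditer(line):
            name = match.group(1).lower()
            kind = "shell-sink" if name in SHELL_SINKS else "decoder"
            findings.append((no, kind, name))
    return findings


# Constructed sample: the rot13 string is "echo hello".
SAMPLE = '''<?php
$r = curl_exec($ch);
exec(str_rot13("rpub uryyb"));
?>'''

if __name__ == "__main__":
    print("keyword check flags it:", naive_keyword_check(SAMPLE))
    for finding in review_php(SAMPLE):
        print(finding)
```

A clean result from a scan like this is not proof that a script is safe; it only narrows down which lines to read first.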