PHP virus sparks debate

Could PHP scripting viruses be on the way?

Antivirus company Central Command says that a new strain of viruses written in the popular scripting language PHP could be on the way, although other antivirus experts believe the danger is limited.

Central Command last week found a "proof of concept" virus dubbed PHP.NewWorld, written in the Hypertext Preprocessor (PHP) scripting language -- a popular free server-side scripting language typically used by Web developers to automate the generation of Web pages.

Although NewWorld is not thought to be especially dangerous, Central Command says that it could lead to copycat viruses written in PHP.

In order to activate PHP.NewWorld a user would need to have PHP installed on a Windows machine and have been granted permissions to run PHP scripts. Then NewWorld would be able to infect any writeable files with the extensions .html and .php stored in the directory C:/Windows.

Although NewWorld is therefore limited, Central Command product manager Steve Sundermeier suggests that it could inspire more dangerous types of viruses written in PHP. "It can be modified to have a very destructive payload and marks a new step towards a new virus generation. Because the PHP language is absolutely free, we are anticipating that copycats of this PHP script virus will become prominent and will have much more damaging consequences in the near future." Sundermeier also says it might be possible to use email to point users to a malicious script written in PHP.

However, others say that, while this is an interesting proof of concept, we are unlikely to ever see PHP viruses in the wild.

Eric Chien, chief researcher at Symantec's Antivirus Research Centre (SARC), says that the danger is limited because PHP relies on someone having it installed on his or her computer and scripts are also most likely to be accessible on an internal network.

Graham Cluley, senior technologist at Sophos agrees that PHP viruses such as NewWorld are unlikely to spread very far. He adds that the discovery doesn't indicate a weakness in PHP but rather shows that malicious code can potentially be written in any programming language. "I don't think people should lose any sleep," he says.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.