The Anti-Santy worm works similar; it uses Google to find phpBB forums infected by the original Santy worm, infects the sites and then attempts to make the sites more secure by installing a patch.
The anti-virus company says that this type of worms may be regarded as positive but that they still have drawbacks. They cause a lot of additional traffic on the internet for instance.
"I can't comment how effective it is in fixing the sites," said Hyppönen. "If a site is infected, the worm causes a huge amount of traffic and slows down the site. I don't think it's possible to write a beneficial worm."It is said that Santy has attacked more than 40,000 vulnerable phpBB forums.
Sites that have been attacked by the anti-Santy worm are defaced with the words: "viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11."
Hyppönen said he has seen two versions of the defacement page, which lead to two different IP addresses. Both IP addresses resolve to Argentina, which suggest that that is where the anti-Santy worm originated.
Forums vulnerable for this worm are unpatched versionf of phpBB 2.0.10 and lower. A solution for this exploit can be found on this phpBB site and an updated version of phpBB has already been available for a few weeks.
More info at Cnet