The Palyh Worm
A New Mass Mailing Worm - Palyh Worm
What Is It?
There is a new mass mailing e-mail worm spreading on the Internet!
The Palyh Worm masquerades as a message from Microsoft's
support organization. This mass mailing e-mail worm is not
limited to single personal computers: it also
spreads through Windows network shares!
Even the BBC has reported many
instances of the Palyh Worm filling its mailboxes...
The worm itself is a Windows EXE file
written in Microsoft Visual C++; the size of the e-mail attachment
varies between around 49KB and 54KB. When uncompressed, the virus
code is about 110KB in size.
Palyh Worm - What Does It Look Like?
The worm arrives as an attachment. The image below shows my Outlook
2000 receiving the worm today (19th May 2003).

Fortunately I have Outlook blocking access to any
"unsafe" attachments... But as you can see in the image, the
pieces of information we need to identify this as the Palyh Worm
are:
1) The Subject is Re: Approved (Ref: 3394-65467)
2) The email is From: support@microsoft.com
3) The attachment is screen_temp.pif
4) The Message Body is:
All information is in the attached file.
Other Subject titles are:
Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details
Other attachment file names are:
your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif
The Message Body is always the same!
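As an added example (not part of the original write-up), here is a small Python filter that checks an incoming message against the indicators listed above: the spoofed sender, the subject list, the attachment names and the fixed message body. The sample message is constructed for the test, not a real capture.

```python
import email
from email import policy
# Indicators quoted from the write-up above (sender, subjects, attachment names, body).
PALYH_SENDER = "support@microsoft.com"
PALYH_SUBJECTS = {
    "re: my application", "re: movie", "cool screensaver", "screensaver",
    "re: my details", "your password", "re: approved (ref: 3394-65467)",
    "approved (ref: 38446-263)", "your details",
}
PALYH_ATTACHMENTS = {
    "your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
    "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
    "application.pif",
}
PALYH_BODY = "all information is in the attached file."

def classify_message(raw):
    """Return (verdict, matched indicator names) for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if PALYH_SENDER in (msg.get("From") or "").lower():
        hits.append("from")
    if (msg.get("Subject") or "").strip().lower() in PALYH_SUBJECTS:
        hits.append("subject")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n in PALYH_ATTACHMENTS for n in names):
        hits.append("attachment")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() == PALYH_BODY:
        hits.append("body")
    # A listed .pif attachment name is decisive on its own; a matching subject
    # or sender alone is not (genuine mail can be titled "Re: Movie").
    return ("palyh" if "attachment" in hits else "clean"), hits

# Constructed sample message in the form described above (not a real capture).
SAMPLE = """From: support@microsoft.com
Subject: Re: Approved (Ref: 3394-65467)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

All information is in the attached file.
--b1
Content-Type: application/octet-stream; name="screen_temp.pif"
Content-Disposition: attachment; filename="screen_temp.pif"

MZ
--b1--
"""
```

Running `classify_message(SAMPLE)` reports all four indicators; a plain reply titled "Re: Movie" with no attachment only matches the subject and is left alone.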
The following images show Outlook Express and my Tiscali
Web Mail account displaying the Palyh Worm as an
attachment:

Palyh Worm in Outlook Express

Palyh Worm in Tiscali Web Mail
Palyh Worm - How Does It Work?
The worm activates from an infected e-mail ONLY
if the user clicks on the infected attachment. After this the worm
installs itself and starts to spread further.
While installing, the Palyh Worm copies itself to
the hard drive as "msccn32.exe". The Palyh Worm then
registers itself in the system registry under the following auto-run keys:
(Current User)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
(Local Machine)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
The Palyh Worm also enumerates network shares and attempts to copy
itself to the following folders on the share:
Documents and Settings\All Users\Start Menu\Programs\Startup
and
Windows\All Users\Start Menu\Programs\Startup
This means that the Palyh Worm runs when
the remote system is restarted.
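An added example (mine, not the original write-up's) that checks a registry export for the auto-run entries described above: it parses the text of a .reg file and flags any Run value that launches msccn32.exe or is named "System Tray". The sample export is constructed, and the benign "Example Updater" entry is made up for contrast.

```python
import re

# Persistence indicators from the write-up: a value named "System Tray" under a
# Run key, launching msccn32.exe from the Windows directory.
WORM_FILE = "msccn32.exe"
WORM_VALUE_NAME = "system tray"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

def find_palyh_autoruns(reg_export):
    """Parse .reg export text; return (key, value name, command) for each hit."""
    hits = []
    key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # a new [HKEY_...] section starts
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m is None or key is None or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue                  # not a string value under a Run key
        name, command = m.group(1), m.group(2).replace("\\\\", "\\")
        if command.lower().endswith("\\" + WORM_FILE) or name.lower() == WORM_VALUE_NAME:
            hits.append((key, name, command))
    return hits

# Constructed .reg export (not a real capture); the "Example Updater" entry is
# a made-up benign value included for contrast.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="C:\\WINDOWS\\msccn32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="C:\\WINDOWS\\msccn32.exe"
"Example Updater"="C:\\Program Files\\Example\\updater.exe"
"""

if __name__ == "__main__":
    for key, name, command in find_palyh_autoruns(SAMPLE_EXPORT):
        print(f"{key}\\{name} -> {command}")
```

Export the two Run keys with regedit and feed the file's text to `find_palyh_autoruns` to get the same check on a real machine.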
Palyh Worm - How Does It Spread?
To send infected messages the worm makes a direct connection to the
default SMTP server. The worm collects e-mail addresses from .TXT, .EML,
.HTML, .HTM, .DBX and .WAB files in ALL directories on ALL
available local drives.
The Palyh Worm sends several
different types of e-mail messages. However, they all look as though they
are coming from "support@microsoft.com".
Palyh Worm - How Can I Remove It?
You must delete the file msccn32.exe from your hard drive.
If the Palyh Worm is already running,
this file will be locked. You must stop the Palyh
Worm process before you can delete the file.
Use the Windows Task Manager to stop the worm:
Windows NT/2000/XP
- press Ctrl+Alt+Del
- click the 'Task Manager' button
- choose the 'Processes' tab
- look for a process named msccn32.exe in the list
- click on the process to highlight it
- click the 'End Process' button.
Now you will need to remove the Palyh
Worm... The ONLY way I would recommend is to use an AntiVirus
package like Sophos to remove ALL traces of the worm on your
machine... If you do not have this kind of software on your PC then
now might be a good time to get some protection!
Palyh Worm - Other Comments
There is an increase in the number of worms and viruses that are
made to look as though they come from Microsoft these days. But it is
important to remember that Microsoft NEVER sends out programs or
updates by e-mail. Microsoft ALWAYS makes them available via CD or
their website.
The Palyh Worm is also known
as W32/Palyh-A, and goes by the following names too: W32/Mankx,
W32.HLLW.Mankx@mm and Sobig.B.
Because of a bug the Palyh Worm
sometimes copies itself to the wrong directories (such as the root or current
directory). In these cases the worm will only stay active until the next
reboot.
The author has included a temporary
trigger in the Palyh Worm so that its routines are active only until May
31, 2003.
The only routine that will run after this date is the "self
update" feature. This could install "spyware" programs
on infected systems, or even other nasty software; however, by this
time the authorities will have shut down this server! (The time is
based on local system time, so some machines will continue to send
infected e-mail around even after the end of May.)
The Palyh Worm also creates a file
called "hnks.ini". This contains ALL the e-mail
addresses that were collected by the Palyh Worm. If you have been
infected by this worm, you might want to warn the people on this list.
The Palyh Worm has had the greatest
impact in the home-computer space, since most, if not all, companies
employ a policy of blocking attachment types like .pif. However,
EVERYONE always needs to be wary of anything that arrives unexpectedly
and includes executable attachments.
There are times when your PC may be hit by something like the Palyh
Worm or something even worse! Are you confident you could restart your
PC? If not then pop over to www.bootdisk.com
and check out the great resources to make sure you have a trouble free
PC. Ed really has done a good job with this website!
Thanks for reading!
Regards
Marc Liron
marc@updatexp.com
This page was last updated 18th June 2003