KAV Alert! Palyh

Discussion in 'malware problems & news' started by Pilli, May 19, 2003.

Thread Status:
Not open for further replies.
  1. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Virus News. Monday, May 19, 2003
    ******************************************************************

    1. The Palyh Worm Appears As A Communique From Microsoft

    Reduced content by Pilli 22/5/03


    When installing, the Palyh worm copies itself into the Windows directory under the name MSCCN32.EXE and registers this file in the system registry's auto-run key so that it is placed into system memory and automatically launched upon operating system start-up. Due to certain errors in its code, sometimes Palyh copies itself into a different directory and therefore occasionally the auto-run function is not triggered.

    EMAIL: All infected e-mail messages sent out by the worm contain the falsified address support@microsoft.com, though they contain various subject lines, body texts and attached file names. To spread via local area networks Palyh scans other network computers and copies itself to the Windows auto-run folder (if it exists on a given computer).

    Palyh's author built into the program a temporary trigger: all worm routines other than the updating feature are active only until May 31, 2003. This particularity effectively dooms Palyh, however, as the server from which it downloads its updates will be closed in the near future.
     
  2. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Hi Pilli - The following is going to put a twist on things. This evening I received an email - details as follows:

    Sender: Support@Microsoft
    Subject: Re: Approved [Ref3394-65467]
    Attach: Ref-394755.pif

    Thanks to Jooske's good advice when I was dealing with the Sobig virus, to put her recommended extensions including "pif" into my email scanner, I came out smelling of roses. :D As a result this email was immediately picked up and quarantined by my AV program. No files were infected - the email was never opened nor previewed. The virus was permanently deleted, a full system scan was done and came up clean. However, the virus I received was identified as W32.HLLW.Mankx.mm. Interesting!!?? You stated that the Palyh virus/worm arrives as Support@Microsoft, but so did this one. So I went to Symantec to check out my version and lo & behold this virus is actually the Sobig virus/worm, as all the references match. What a bummer, as it would appear this virus spreads itself as 3 different variants. :mad: What are your thoughts on this?
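The two indicators the thread gives for this worm are a forged support@microsoft.com sender (Pilli's KAV quote) and an executable attachment such as a .pif file, which Peaches4U's scanner quarantined on extension alone. The following is an added example written for this thread, not code from Kaspersky, Symantec or any of the posters: a small mail-gateway check that applies both rules to a raw message. The sample messages are constructed; the sender, subject and attachment name are copied from Peaches4U's post, the attachment payload is a placeholder, and the list of blocked extensions beyond .pif is my own assumption.

```python
"""Added example: quarantine mail matching the Palyh/Sobig.B pattern from the thread."""
import email
import os
from dataclasses import dataclass, field

# Indicators taken from the thread: the worm forges this sender and arrives as a
# .pif attachment. The other extensions are an assumption, the usual executable
# types a mail filter blocks alongside .pif.
SPOOFED_SENDER = "support@microsoft.com"
RISKY_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".vbs"}


@dataclass
class Verdict:
    quarantine: bool = False
    reasons: list = field(default_factory=list)


def classify_message(raw: bytes) -> Verdict:
    """Parse one raw RFC 822 message and decide whether to quarantine it."""
    msg = email.message_from_bytes(raw)
    verdict = Verdict()

    # Sender check: the From header is trivially forged, so a message claiming
    # to be from Microsoft support is treated as suspect, not as trusted.
    sender = str(msg.get("From", "")).lower()
    if SPOOFED_SENDER in sender:
        verdict.reasons.append(f"sender forged as {SPOOFED_SENDER}")

    # Attachment check: extension based, the same rule Peaches4U's scanner used.
    # walk() yields every MIME part; only parts carrying a filename are attachments.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            verdict.reasons.append(f"attachment {name!r} has blocked extension {ext}")

    verdict.quarantine = bool(verdict.reasons)
    return verdict


# Constructed sample messages (not real worm bytes): the first mirrors the
# headers Peaches4U reported, the second is an ordinary mail with a PDF.
SAMPLE_WORM_MAIL = b"""\
From: "Support@Microsoft" <support@microsoft.com>
To: victim@example.com
Subject: Re: Approved [Ref3394-65467]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

All information is in the attached file.
--XYZ
Content-Type: application/octet-stream; name="Ref-394755.pif"
Content-Disposition: attachment; filename="Ref-394755.pif"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

SAMPLE_CLEAN_MAIL = b"""\
From: colleague@example.com
To: victim@example.com
Subject: meeting minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain

Minutes attached.
--ABC
Content-Type: application/pdf; name="minutes.pdf"
Content-Disposition: attachment; filename="minutes.pdf"
Content-Transfer-Encoding: base64

AAAA
--ABC--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        v = classify_message(raw)
        print(label, "->", "QUARANTINE" if v.quarantine else "deliver", v.reasons)
```

The extension rule is what actually stopped the mail in Peaches4U's case; the sender rule only adds a second reason, since a forged From header costs the sender nothing. Matching on the attachment type rather than on the file name (Ref-394755.pif here) is deliberate: the thread shows the worm varies subject lines and attachment names per message, so a name-based signature would miss the next copy.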
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    There's only really 1 variant of this one.. or 2 if you count 1 compressed and one uncompressed (UPX)

    Nobody realised it was Sobig.B until I guess either..

    a) the writer contacted some AV's .. probably Sophos since they were first to call it Sobig.B

    b) Sophos looked at the similarities and probably found some identical code, meaning the writer didn't start from scratch, but rather recycled some Sobig.A code into the new worm. Makes sense of course :rolleyes:
     
  4. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    I am just a newbie but now that you mention it ... yep, it would make sense, but nonetheless, something we should be aware of. HLLW.Mankx could not even be found on Symantec when I first checked the site, so I decided simply to type in "support@microsoft" and up came Sobig. During quarantine of the email, a report was also sent to Symantec. It will be interesting to read Sophos' response on this one. Tx.
     