KAV Alert! Palyph

Discussion in 'malware problems & news' started by Pilli, May 19, 2003.

Thread Status:
Not open for further replies.
  1. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Virus News. Monday, May 19, 2003
    ******************************************************************

    1. The Palyh Worm Appears As A Communique From Microsoft

    Reduced content by Pilli 22/5/03


    When installing, the Palyh worm copies itself into the Windows directory under the name MSCCN32.EXE and registers this file in the system registry's auto-run key so that it is placed into system memory and automatically launched upon operating system start-up. Due to certain errors in its code, sometimes Palyh copies itself into a different directory and therefore occasionally the auto-run function is not triggered.

    EMAIL: All infected e-mail messages sent out by the worm contain the falsified address support@microsoft.com, though they contain various subject lines, body texts and attached file names. To spread via local area networks Palyh scans other network computers and copies itself to the Windows auto-run folders (if it exists on a given computer).

    Palyh's author built into the program a temporary trigger - All worm routines other than the updating feature are active only until May 31, 2003. This particularity effectively dooms Palyh however, as the server from which it downloads its updates will be closed in the near future.
     
  2. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Hi Philli - The following is going to put a twist on things. this evening I received an email - details as follows:

    Sender: Support@Microsoft
    Subject: Re: Approved [Ref3394-65467]
    Attach: Ref-394755.pif

    Thanks to Jooske's good advice when I was dealing with the Sobig virus, to put her recommeded extensions including "pif" into my email scanner I came out smelling roses. :D As a result this email was immediately picked up by my AV program and quarantined it immediately. No files were infected - email was never opened nor previewed. Virus was permanently deleted, system had a full scan done and came up clean. However, the virus I received was identified as W32.HLLW.Mankx.mm Interesting!!?? You stated that the Paluh virus/worm arrives as Support@Microsoft but so did this one. So I went to Symantec to check out my version and lo & behold this virus is actually the Sobig Virus/worm as all the references match. What a bummer as it would appear this virus spreads itself as 3 different variants. :mad: What are your thoughts on this?
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Theres only really 1 variant of this one.. or 2 if you count 1 compressed and one uncompressed (UPX)

    Nobody realised it was Sobig.B until I guess either..

    a) the writer contacted some AV's .. probably Sophos since they were first to call it Sobig.B

    b) Sophos looked at the similarities and probably found some identical code, meaning the writer didnt start from scratch, but rather recycled some Sobig.A code into the new worm. Makes sense of course :rolleyes:
     
  4. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    I am just a newbie but now that you mention it ... yep, it would make sense but nontheless, something we should be aware of. HLLW. Mankx could not even be found on Symantec when I first checked the site so I decided simply to type in "support@microsoft" and up came Sobig. During quarantine of the email, a report was also sent to Symantec. It will be interesting to read Sophos response on this one. Tx.
     
Thread Status:
Not open for further replies.