Win32/Palyh.A

Discussion in 'malware problems & news' started by Longthing, May 18, 2003.

Thread Status:
Not open for further replies.
  1. Longthing

    Longthing Registered Member

    Joined:
    Jul 27, 2002
    Posts:
    40
    Win32/Palyh.A is a worm spreading via infected e-mail attachments. The e-mail is sent from a faked sender: support@microsoft.com. The infected e-mail attachment, which is 50 KB in size, contains a file with the PIF extension. The body of the worm is packed with a modified UPX packer.

    The text of infected e-mail:

    All information is in the attached file.

    The e-mail's Subject is generated from the following list:

    Re: My application
    Re: Movie
    Cool screensaver
    Screensaver
    Re: My details
    Your password
    Re: Approved (ref: 3394-65467)
    Approved (Ref: 38446-263)
    Your details

    The name of the attachment is selected from the following list:

    application.pif
    movie28.pif
    screen_doc.pif
    screen_temp.pif
    doc_details.pif
    password.pif
    approved.pif
    ref-394755.pif
    your_details.pif

    The addressees of the infected e-mail are selected (by the worm) from the files with these extensions:

    html
    htm
    dbx
    wab

    Actions and changes triggered by the worm:

    The registry value C:\WINDOWS\msccn32.exe is added to the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so that the worm is activated at startup.

    The file hnks.ini is created on the disk by the worm code. The worm uses its own SMTP routine to send the infected e-mails.

    An additional infection vector used by the worm is shared disks, in particular the following directories:

    Documents and Settings\All Users\Start Menu\Programs\Startup
    Windows\All Users\Start Menu\Programs\Startup


    The worm creates its copies in the aforementioned directories.

    http://www.nod32.com/home/home.htm



    Already got one in my mailbox. At the moment not detected by Norton, Housecall and several other scanners. NOD32 and KAV, however, did detect it.
     
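The indicators quoted in the post above (spoofed support@microsoft.com sender, the subject list, the .pif attachment names, the roughly 50 KB size and the one-line lure text) turned into a mail-gateway triage check. This is an added example written for this thread, not code from NOD32 or from the original poster. The sample messages are constructed inside the script rather than captured from a mailbox; the 40-60 KB size window, the "pif attachment plus one more indicator" verdict rule and the function names (score_message, is_palyh, build_sample) are my own assumptions and do not come from any vendor tool.

```python
"""Mail-gateway triage for the Palyh.A indicators quoted in the post above.

Added example; not code from NOD32, Sophos, or the original poster.
Sample messages are constructed below, not captured from a real mailbox.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicator lists transcribed from the NOD32 description quoted above.
SPOOFED_SENDER = "support@microsoft.com"
LURE_TEXT = "all information is in the attached file."
PALYH_SUBJECTS = {s.lower() for s in (
    "Re: My application", "Re: Movie", "Cool screensaver", "Screensaver",
    "Re: My details", "Your password", "Re: Approved (ref: 3394-65467)",
    "Approved (Ref: 38446-263)", "Your details",
)}
PALYH_ATTACHMENTS = {
    "application.pif", "movie28.pif", "screen_doc.pif", "screen_temp.pif",
    "doc_details.pif", "password.pif", "approved.pif", "ref-394755.pif",
    "your_details.pif",
}
# Assumed tolerance around the "50 KB" figure in the description (not from NOD32).
SIZE_WINDOW = (40_000, 60_000)


def score_message(raw: bytes) -> list[str]:
    """Return the list of Palyh.A indicators found in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []

    # The worm forges the sender; a real Microsoft mail would not carry a .pif.
    if SPOOFED_SENDER in (msg.get("From") or "").lower():
        hits.append("sender:" + SPOOFED_SENDER)

    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in PALYH_SUBJECTS:
        hits.append("subject:" + subject)

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and LURE_TEXT in body.get_content().lower():
        hits.append("body:lure-text")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".pif"):
            hits.append("attachment:pif")
        if name in PALYH_ATTACHMENTS:
            hits.append("attachment:" + name)
        payload = part.get_payload(decode=True) or b""
        if SIZE_WINDOW[0] <= len(payload) <= SIZE_WINDOW[1]:
            hits.append("attachment:size~50KB")
    return hits


def is_palyh(hits: list[str]) -> bool:
    """Assumed verdict rule: a .pif attachment plus at least one variant-specific indicator.

    Size alone is too weak to count; sender, subject, lure text or a listed name do.
    """
    if "attachment:pif" not in hits:
        return False
    listed = {"attachment:" + n for n in PALYH_ATTACHMENTS}
    return any(h.startswith(("sender:", "subject:", "body:")) or h in listed
               for h in hits)


def build_sample(subject: str, sender: str, filename: str, size: int,
                 body: str = "All information is in the attached file.") -> bytes:
    """Construct a test message (not a real capture); dummy bytes stand in for the worm."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ" + b"\x00" * (size - 2), maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    worm = build_sample("Re: My details", SPOOFED_SENDER, "your_details.pif", 50_000)
    found = score_message(worm)
    print(found, is_palyh(found))
```

The subject and file-name lists only catch this variant; the durable gateway rule is to reject executable attachment types such as .pif outright, and to treat any mail claiming to come from support@microsoft.com with an executable attached as forged, which is the point the Sophos note in the next post makes.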
  2. FanJ

    FanJ Guest

    From Sophos:

    W32/Palyh-A
    Aliases : W32/Mankx

    Type : Win32 worm


    Description
    W32/Palyh-A is a worm which spreads by email. The worm appears to arrive as a .PIF attachment from support@microsoft.com.

    Note that Microsoft never sends out software by email, so the emails generated by this worm are obviously bogus.

    W32/Palyh-A copies itself into your WINDOWS folder and then sets the registry values:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Tray

    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\System Tray

    so that it runs every time you log on to your computer.


    http://www.sophos.com/virusinfo/analyses/w32palyha.html
     
  4. Longthing

    Longthing Registered Member

    Symantec knows it by the name W32.HLLW.Mankx@mm.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.mankx@mm.html

    There is now an extra update.
     