Win32/Palyh.A is a worm spreading via infected e-mail attachments. The e-mail is sent from a faked sender - firstname.lastname@example.org. Infected e-mail attachment which is 50Kb in size, contains a file with the PIF extension. The body of the worm is packed with a modified UPX packer. The text of infected e-mail: All information is in the attached file. The e-mail's Subject is generated from the following list: Re: My application Re: Movie Cool screensaver Screensaver Re: My details Your password Re: Approved (ref: 3394-65467) Approved (Ref: 38446-263) Your details The name of the attachment is selected from the following list: application.pif movie28.pif screen_doc.pif screen_temp.pif doc_details.pif password.pif approved.pif ref-394755.pif your_details.pif The addressees of the infected e-mail are selected (by the worm) from the files with these extensions: html htm dbx wab Actions and changes triggered by the worm: The registry value C:\WINDOWS\msccn32.exe is added into the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to provide activation of the worm. The file hnks.ini is created on the disk by the worm code. Worm uses its own SMTP routine to send the infected e-mails. Additional infection vector used by the worm are the shared disks, in particular the following directories: Documents and Settings\All Users\Start Menu\Programs\Startup Windows\All Users\Start Menu\Programs\Startup The worm creates its copies in the aforementioned directories. http://www.nod32.com/home/home.htm Already got one in my mailbox. At the moment not detected by Norton, Housecall and several other scanners. Nod32 and KAV however did detect it.