WORM_PALYH.A (Damage Potential: High )

Discussion in 'malware problems & news' started by ladyjeweler, May 19, 2003.

Thread Status:
Not open for further replies.
  1. ladyjeweler

    ladyjeweler Registered Member

    Joined:
    Feb 22, 2003
    Posts:
    23
    Location:
    North Carolina
    WORM_PALYH.A


    Virus type: Worm

    Destructive: No

    Aliases: W32.HLLW.Mankx@mm, W32/Palyh@MM

    Pattern file needed: 541

    Scan engine needed: 5.200

    Overall risk rating: Low

    Reported infections: Low

    Damage Potential: High

    Distribution Potential: High

    Description:

    This worm propagates by using its own SMTP engine to mass-mail copies of itself to other users. It sends email with the following details:

    From: support@microsoft.com
    Subject: (any of the following)
    Approved (Ref: 38446-263)
    Cool screensaver
    Re: Approved (Ref: 3394-65467)
    Re: Movie
    Re: My application
    Re: My details
    Screensaver
    Your details
    Your password
    Attachment: (any of the following)
    application.pif
    approved.pif
    doc_details.pif
    movie28.pif
    password.pif
    ref-394755.pif
    screen_doc.pif
    screen_temp.pif
    your_details.pif

    This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

    TrendLabs is working to provide a more in depth analysis of this malware.

    Solution:

    AUTOMATIC REMOVAL INSTRUCTIONS

    To automatically remove this malware from your system, please use the Trend Micro System Cleaner.

    MANUAL REMOVAL INSTRUCTIONS

    Terminating the Malware Program

    This procedure terminates the running malware process from memory.

    Open Windows Task Manager.
    On Windows 9x/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, and click the Processes tab.
    In the list of running programs*, locate the process:
    msccn32.exe
    Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    To check if the malware process has been terminated, close Task Manager, and then open it again.
    Close Task Manager.
    *NOTE: On systems running Windows 9x/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing during startup.

    Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    System Tray = %Windows%\msccn32.exe
    In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    System Tray = %Windows%\msccn32.exe
    Close Registry Editor.
    NOTE: If you were not able to terminate the malware process from memory, as described in the previous procedure, restart your system.
    Additional Windows ME/XP Cleaning Instructions

    Running Trend Micro Antivirus

    Scan your system with Trend Micro antivirus and delete all files detected as WORM_PALYH.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.


    http://housecall.trendmicro.com/housecall/.../start_corp.asp
     
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Renamed to: WORM_SOBIG.B

    WORM_SOBIG.B propagates by using its own SMTP engine to mass-mail copies of itself to other users. It runs on Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, this worm drops a copy of itself in the Windows folder as msccn32.exe, and creates a registry entry that allows it to automatically run at every Windows startup. It searches for recipient addresses in files with the TXT, EML, HTML, HTM, DBX and WAB extensions, and sends email with the following details:

    From: support@microsoft.com

    Subject: (any of the following)
    Approved (Ref: 38446-263)
    Cool screensaver
    Re: Approved (Ref: 3394-65467)
    Re: Movie
    Re: My application
    Re: My details
    Screensaver
    Your details
    Your password

    Message Body:
    All information is in the attached file.

    Attachment: (any of the following)
    application.pif
    approved.pif
    doc_details.pif
    movie28.pif
    password.pif
    ref-394755.pif
    screen_doc.pif
    screen_temp.pif
    your_details.pif

    There are instances when the virus attachment arrives with the file extension PI instead of PIF. This could be attributed to a bug in the worm code, such that it generates outgoing emails that the receiving email client is unable to process correctly. In this case, the attachment will not run when double-clicked.

    The worm also spreads a copy of itself to network shared drives by copying itself to the following folders:

    Documents and Settings\All Users\Start Menu\Programs\Startup

    Windows\All Users\Start Menu\Programs\StartUp

    It creates an event object named "Mnkx.X" that serves as a reference to succeeding executions of the worm that already exist in memory. The worm attempts to download data from www.geocities.com Web pages. It checks the current system date and stops its malicious behavior when the date is May 31, 2003 or later.

    If you would like to scan your computer for WORM_SOBIG.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_SOBIG.B is detected and cleaned by Trend Micro pattern file #541 and above.
     
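The two advisories above list the same mail indicators (spoofed sender, subject lines, .pif attachment names, and the ".pi" extension bug). The following is an added example, not part of either post or of Trend Micro's tooling: a small Python mail-gateway check that scores a message against those indicators. The sample messages it builds are constructed for the demonstration, not real captures.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as listed in the advisory text of this thread.
PALYH_FROM = "support@microsoft.com"
PALYH_SUBJECTS = {
    "Approved (Ref: 38446-263)", "Cool screensaver",
    "Re: Approved (Ref: 3394-65467)", "Re: Movie", "Re: My application",
    "Re: My details", "Screensaver", "Your details", "Your password",
}
PALYH_ATTACHMENT_STEMS = {
    "application", "approved", "doc_details", "movie28", "password",
    "ref-394755", "screen_doc", "screen_temp", "your_details",
}
# The advisory notes some copies arrive as ".pi" instead of ".pif".
PALYH_EXTENSIONS = {"pif", "pi"}


def attachment_names(msg):
    """Collect the filenames of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def match_palyh(raw):
    """Return the list of indicator labels that a raw RFC 822 message hits."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if PALYH_FROM in str(msg.get("From", "")).lower():
        hits.append("from")
    if str(msg.get("Subject", "")).strip() in PALYH_SUBJECTS:
        hits.append("subject")
    for name in attachment_names(msg):
        stem, dot, ext = name.lower().rpartition(".")
        if dot and stem in PALYH_ATTACHMENT_STEMS and ext in PALYH_EXTENSIONS:
            hits.append("attachment:" + name)
    return hits


def is_palyh(raw):
    """Treat two or more independent indicators as a match (sender alone is spoofable)."""
    return len(match_palyh(raw)) >= 2


def build_sample(subject, attachment):
    """Constructed sample mail with the worm's spoofed sender; not a real capture."""
    m = EmailMessage()
    m["From"] = PALYH_FROM
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("All information is in the attached file.")
    m.add_attachment(b"MZ placeholder", maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_string()
```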