
Thread: Palyh is a massmailer e-mailer worm

  1. #1

    Palyh is a mass-mailer e-mail worm that sends fake mails from support@microsoft.com

    Palyh is a mass-mailer e-mail worm which also spreads through Windows network shares.

    During late 18th of May / early 19th of May 2003, F-Secure received several submissions of this virus from USA, UK, Denmark and New Zealand.

    The worm itself is a Windows PE EXE file, written in Microsoft Visual C++ and compressed with UPX. The size of the e-mail attachment varies between around 49000 and 54000 bytes. When uncompressed, the virus code is about 110kB in size.

    The worm activates from infected e-mails only if the user clicks on the infected attachment. After this the worm will install itself and start to spread further.

    While installing, the worm copies itself to the WINDOWS directory as "msccn32.exe". Then it registers itself in the system registry under the auto-run keys:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    System Tray = %WindowsDir%\msccn32.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    System Tray = %WindowsDir%\msccn32.exe

    Because of a bug the worm sometimes copies itself to wrong directories (such as root or current directory). In these cases the worm will only stay active until next reboot.

    http://www.f-secure.com/v-descs/palyh.shtml
    That was all folks!
    http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi

  2. #2
    Please note: it is also known as Mankx@mm, see Symantec:

    W32.HLLW.Mankx@mm is a mass-mailing worm that will send itself to all e-mail addresses it finds in files with the following extensions:

    .wab
    .dbx
    .htm
    .html
    .eml
    .txt
    The e-mail message will have the following characteristics:

    From:
    support@microsoft.com
    Subject:
    Your details
    Approved (Ref: 38446-263)
    Re: Approved (Ref: 3394-65467)
    Your password
    Re: My details
    Screensaver
    Cool screensaver
    Re: Movie
    Re: My application
    Attachment:
    your_details.pif
    ref-394755.pif
    approved.pif
    password.pif
    doc_details.pif
    screen_temp.pif
    screen_doc.pif
    movie28.pif
    application.pif
    The worm will also spread itself to all network resources by copying itself to the following folders on all shared resources:
    Windows\All Users\Start Menu\Programs\StartUp
    Documents and Settings\All Users\Start Menu\Programs\Startup

    NOTE: The worm deactivates on 5/31/2003, therefore, the last date the worm will spread will be 5/30/2003

    Symantec Security Response has created a tool to remove W32.HLLW.Mankx@mm. Click here to obtain the tool.



    Type: Worm
    Infection Length: 52,898 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

    see also McAfee


    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #3
    Name: Win32.Palyh.A@mm
    Aliases: Win32/Palyh.A@mm
    Type: Executable Mass Mailer
    Size: 52706 (packed)
    Discovered: 18.05.2003
    Detected: 18.05.2003
    Spreading: High
    Damage: Medium
    In The Wild: Yes

    Symptoms:


    Presence of following files in Windows folder:
    msccn32.exe
    hnks.ini

    Presence of the process: msccn32.exe

    Presence of registry key:
    HKEY\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tray = "msccn32.exe"

    Presence of msccn32.exe in:
    Windows\All Users\Start Menu\Programs\StartUp for Windows 9x
    Documents and Settings\All Users\Start Menu\Programs\Startup for Windows 2000, XP
    Technical description:
    This mass mailer spreads itself via email, as an attached file with one of the following names:
    your_details.pif
    ref-394755.pif
    approved.pif
    password.pif
    doc_details.pif
    screen_temp.pif
    screen_doc.pif
    movie28.pif
    application.pif

    The email is falsely sent from support@microsoft.com, has "All information is in the attached file." in the body, and the subject is one of the following:
    Your details
    Approved (Ref: 38446-263)
    Re: Approved (Ref: 3394-65467)
    Your password
    Re: My details
    Screensaver
    Cool screensaver
    Re: Movie
    Re: My application

    Once executed the malware copies itself into %windows% (i.e. C:\WINNT) and gives control to that copy. It searches the whole hard disk for email addresses contained in files with the following extensions: wab, dbx, htm, html, eml, txt.

    Removal instructions:
    manual removal: kill the process msccn32, delete msccn32.exe and hnks.ini from the Windows directory and from StartUp; after that remove this key: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tray"
    automatic removal: let BitDefender disinfect or use the free removal tool provided by BitDefender!
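The host symptoms and the manual removal order in the two posts above (msccn32.exe and hnks.ini in the Windows folder and the StartUp folders, the "System Tray" Run value, the running process) can be turned into a small IOC matcher. The block below is an added example, not code from the thread or from F-Secure / BitDefender; the HostSnapshot layout and the sample snapshot are constructed for this example, and only the file names, the Run value name and the startup folder paths come from the posts. It matches on the file name rather than a fixed %WinDir% path so a copy that landed in another directory is still reported, and it orders the clean-up the way post #3 does: process first, then files, then the Run value.

```python
"""Added example (not from the thread or any vendor write-up): match the host
indicators for Palyh / Sobig.B listed in the posts above and build an ordered
removal plan. HostSnapshot and EXAMPLE_SNAPSHOT are constructed test data."""
import ntpath
from dataclasses import dataclass

DROPPED_FILES = {"msccn32.exe", "hnks.ini"}          # from the posts
RUN_VALUE_NAME = "system tray"                        # compared case-insensitively
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
STARTUP_FOLDERS = (                                   # lower-case, backslash form
    r"windows\all users\start menu\programs\startup",
    r"documents and settings\all users\start menu\programs\startup",
)


@dataclass
class HostSnapshot:
    """What a collector gathered from one host (or one share)."""
    run_values: dict   # {(run_key, value_name): value_data}
    files: list        # full paths that exist
    processes: list    # image names of running processes


def find_palyh_indicators(snap):
    """Return (kind, detail) tuples for every indicator present in the snapshot."""
    hits = []
    for (key, name), data in snap.run_values.items():
        # Match on the base name, not a fixed %WinDir% path, so a value that
        # points at a copy elsewhere on disk is still reported.
        if name.lower() == RUN_VALUE_NAME and ntpath.basename(data).lower() in DROPPED_FILES:
            hits.append(("run_key", f"{key}\\{name} = {data}"))
    for path in snap.files:
        if ntpath.basename(path).lower() in DROPPED_FILES:
            norm = path.lower().replace("/", "\\")
            kind = "startup_folder" if any(f in norm for f in STARTUP_FOLDERS) else "file"
            hits.append((kind, path))
    for image in snap.processes:
        if image.lower() == "msccn32.exe":
            hits.append(("process", image))
    return hits


# Same order as the manual removal in the thread: process, files, then the Run value.
_STEP_ORDER = {"process": 0, "startup_folder": 1, "file": 1, "run_key": 2}


def removal_plan(hits):
    """Turn indicator hits into an ordered list of clean-up steps."""
    steps = []
    for kind, detail in sorted(hits, key=lambda h: _STEP_ORDER[h[0]]):
        if kind == "process":
            steps.append(f"Terminate process {detail}")
        elif kind == "run_key":
            steps.append(f"Delete registry value {detail}")
        else:
            steps.append(f"Delete file {detail}")
    return steps


def collect_run_values():
    """Live collector for the two Run keys on a Windows host; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = {}
    for key in RUN_KEYS:
        root, _, subkey = key.partition("\\")
        try:
            handle = winreg.OpenKey(roots[root], subkey)
        except OSError:
            continue
        with handle:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(handle, index)
                except OSError:
                    break
                found[(key, name)] = str(data)
                index += 1
    return found


# Constructed snapshot: an infected host plus one share it copied itself to.
EXAMPLE_SNAPSHOT = HostSnapshot(
    run_values={
        (RUN_KEYS[0], "System Tray"): r"C:\WINNT\msccn32.exe",
        (RUN_KEYS[1], "System Tray"): r"C:\msccn32.exe",   # copy outside %WinDir%
        (RUN_KEYS[1], "ctfmon.exe"): r"C:\WINNT\System32\ctfmon.exe",
    },
    files=[
        r"C:\WINNT\msccn32.exe", r"C:\WINNT\hnks.ini", r"C:\WINNT\notepad.exe",
        r"\\FILESRV\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\msccn32.exe",
    ],
    processes=["explorer.exe", "MSCCN32.EXE"],
)

if __name__ == "__main__":
    for step in removal_plan(find_palyh_indicators(EXAMPLE_SNAPSHOT)):
        print(step)
```

On a live host you would build the HostSnapshot from collect_run_values(), an os.walk over the Windows folder and the StartUp folders (including those on shares, since the worm copies itself there), and a process listing; the matcher itself is pure so it can also be run over data exported from a host you cannot log on to.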

  4. #4
    where did you cut and paste that from?
    and could you have added it as a quote to your original message (with link)?

    BTW: thinking it was a different virus I started another thread, but while editing the info I realised it was the same virii.. that thread should no longer exist..

    cheers..

  5. #5
    It is the same thread that I put up in the morning, but I changed the title to emphasize that the worm sends fake mails with the originator address of support@microsoft.com... that is why I changed the topic title....

  6. #6
    Symantec have renamed this one to Sobig.B; new link:

    http://securityresponse.symantec.com...obig.b@mm.html

    Cheers

  7. #7

    Updated: Sobig.C

    Not to open a new thread..

    Latest update of this virus is Sobig.C

    My initial info (now 12hrs old) from Symantec:

    W32.Sobig.C@mm is a mass-mailing worm that sends itself to all the email addresses, purporting to have been sent by Microsoft (bill@microsoft.com). The worm finds the addresses in the files with the following extensions:

    .wab
    .dbx
    .htm
    .html
    .eml
    .txt

    Email Routine Details
    The email message has the following characteristics:

    From: bill@microsoft.com

    Subject: The subject line will be one of the following:
    Re: Movie
    Re: Submited (004756-3463)
    Re: 45443-343556
    Re: Approved
    Approved
    Re: Your application
    Re: Application

    Message Body: Please see the attached file.

    Attachment: The attachment name will be one of the following:
    screensaver.scr
    movie.pif
    submited.pif
    45443.pif
    documents.pif
    approved.pif
    application.pif
    document.pif

    NOTE: The worm de-activates on June 8, 2003, and therefore, the last day on which the worm will spread is June 7, 2003.


    Also Known As: W32/Sobig.c@MM [McAfee], Win32/Sobig.C [ESET]
    Type: Worm
    Infection Length: About 59kb
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux
    Cheers
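The sender, subject and attachment lists quoted in posts #2, #3 and #7 are exactly what a mail gateway can match on. The block below is an added example, not code from the thread or from Symantec / BitDefender: it parses a message with Python's standard email library and names the family (Palyh / Sobig.B or Sobig.C) only when the spoofed sender is present together with at least one other indicator, so a legitimate "Re: Movie" on its own is not flagged. The four sample messages are constructed here, and the last rule (any executable attachment from a microsoft.com sender is suspicious even when the names are not on the lists) is an assumption of this example that goes beyond the thread, meant to catch the next variant.

```python
"""Added example (not from the thread or any vendor write-up): gateway-side
detection of the Palyh / Sobig.B and Sobig.C mail lures. The indicator lists
come from the posts above; the sample messages are constructed test data and
the generic microsoft.com-sender rule is this example's own assumption."""
import email
import email.utils
import os
from email import policy

EXEC_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}

FAMILIES = {
    "Palyh / Sobig.B": {
        "senders": {"support@microsoft.com"},
        "subjects": {"Your details", "Approved (Ref: 38446-263)", "Re: Approved (Ref: 3394-65467)",
                     "Your password", "Re: My details", "Screensaver", "Cool screensaver",
                     "Re: Movie", "Re: My application"},
        "attachments": {"your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
                        "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
                        "application.pif"},
    },
    "Sobig.C": {
        "senders": {"bill@microsoft.com"},
        "subjects": {"Re: Movie", "Re: Submited (004756-3463)", "Re: 45443-343556", "Re: Approved",
                     "Approved", "Re: Your application", "Re: Application"},
        "attachments": {"screensaver.scr", "movie.pif", "submited.pif", "45443.pif", "documents.pif",
                        "approved.pif", "application.pif", "document.pif"},
    },
}


def classify(raw_message):
    """Return a verdict dict for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", "")).strip()
    names = [(att.get_filename() or "").strip() for att in msg.iter_attachments()]
    verdict = {"family": None, "reasons": [], "sender": sender, "subject": subject,
               "attachments": names}

    for family, ioc in FAMILIES.items():
        reasons = []
        if sender in ioc["senders"]:
            reasons.append(f"sender {sender} matches {family}")
        if subject in ioc["subjects"]:
            reasons.append(f"subject {subject!r} matches {family}")
        matched = [n for n in names if n.lower() in ioc["attachments"]]
        if matched:
            reasons.append(f"attachment {matched[0]!r} matches {family}")
        # The spoofed sender plus at least one more indicator names the family;
        # a subject like "Re: Movie" on its own is not enough.
        if sender in ioc["senders"] and len(reasons) >= 2:
            verdict["family"], verdict["reasons"] = family, reasons
            return verdict

    # Generic rule (assumption of this example): an executable attachment from a
    # microsoft.com sender is suspicious even if the names are not on the lists.
    executables = [n for n in names if os.path.splitext(n.lower())[1] in EXEC_EXTENSIONS]
    if executables and sender.endswith("@microsoft.com"):
        verdict["family"] = "suspicious"
        verdict["reasons"] = [f"microsoft.com sender with executable attachment {executables[0]!r}"]
    return verdict


def build_sample(sender, subject, body, filename, content_type):
    """Construct a small multipart/mixed message (test data, not a real capture)."""
    return (
        f"From: {sender}\nTo: victim@example.org\nSubject: {subject}\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        f"--b1\nContent-Type: text/plain\n\n{body}\n"
        f'--b1\nContent-Type: {content_type}; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n\nTVqQAAMAAAAEAAAA\n--b1--\n"
    )


SAMPLES = {
    "palyh": build_sample("support@microsoft.com", "Re: Approved (Ref: 3394-65467)",
                          "All information is in the attached file.", "approved.pif",
                          "application/octet-stream"),
    "sobig_c": build_sample("bill@microsoft.com", "Re: Submited (004756-3463)",
                            "Please see the attached file.", "submited.pif",
                            "application/octet-stream"),
    "variant": build_sample("support@microsoft.com", "Your invoice", "See attachment.",
                            "invoice.scr", "application/octet-stream"),
    "benign": build_sample("alice@example.com", "Re: Movie", "Notes from last night.",
                           "notes.txt", "text/plain"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        v = classify(raw)
        print(f"{label:8} -> {v['family']}: {'; '.join(v['reasons']) or 'no indicators'}")
```

Subjects are compared exactly because both families reuse ordinary phrases; loosening the match to substrings would make "Approved" hit every purchase-order thread in the company. Note that "Submited" in the Sobig.C list is the worm's own misspelling and must stay that way.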

  8. #8
    Just in case you missed its first performance, it seems that Sobig/Palyh is increasing its presence in the wild..

    Due to an increased rate of submissions, Symantec Security Response has upgraded W32.Sobig.C@mm from a Category 2 to a Category 3 as of June 1, 2003.
    check the previously listed links for info ...

    cheers
