May 19th, 2003, 07:42 AM
#1
Member
Palyh is a massmailer e-mailer worm sends fake mails from support@microsoft.com
Palyh is a massmailer e-mailer worm which also spreads through Windows network shares.
During late 18th of May / early 19th of May 2003, F-Secure received several submissions of this virus from USA, UK, Denmark and New Zealand.
The worm itself is Windows PE EXE file, written in Microsoft Visual C++, compressed by UPX. The size of the e-mail attachment varies between around 49000 and 54000 bytes. When uncompressed, the virus code is about 110kB in size.
The worm activates from infected emails only if the user clicks on the infected attachment. After this the worm will install itself and start to spread further.
While installing, the worm copies itself to the WINDOWS directory as "msccn32.exe". Then it registers itself in system registry to auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
Because of a bug the worm sometimes copies itself to wrong directories (such as root or current directory). In these cases the worm will only stay active until next reboot.
http://www.f-secure.com/v-descs/palyh.shtml
That was all folks!
http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi
May 19th, 2003, 09:44 AM
#2
Please note: also known as Mankx@mm, see Symantec
W32.HLLW.Mankx@mm is a mass-mailing worm that will send itself to all e-mail addresses it finds in files with the following extensions:
.wab
.dbx
.htm
.html
.eml
.txt
The e-mail message will have the following characteristics:
From:
support@microsoft.com
Subject:
Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Your password
Re: My details
Screensaver
Cool screensaver
Re: Movie
Re: My application
Attachment:
your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif
The worm will also spread itself to all network resources by copying itself to the following folders on all shared resources:
Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup
NOTE: The worm deactivates on 5/31/2003, therefore, the last date the worm will spread will be 5/30/2003
Symantec Security Response has created a tool to remove W32.HLLW.Mankx@mm. Click here to obtain the tool.
Type: Worm
Infection Length: 52,898 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
see also McAfee
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
May 19th, 2003, 10:48 AM
#3
Member
Name: Win32.Palyh.A@mm
Aliases: Win32/Palyh.A@mm
Type: Executable Mass Mailer
Size: 52706 (packed)
Discovered: 18.05.2003
Detected: 18.05.2003
Spreading: High
Damage: Medium
In The Wild: Yes
Symptoms:
Presence of following files in Windows folder:
msccn32.exe
hnks.ini
Presence of the process: msccn32.exe
Presence of registry key:
HKEY\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tray = "msccn32.exe"
Presence of msccn32.exe in:
Windows\All Users\Start Menu\Programs\StartUp for Windows 9x
Documents and Settings\All Users\Start Menu\Programs\Startup for Windows 2000, XP
Technical description:
This mass mailer spreads itself via email, as an attached file with one of the following names:
your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif
The email is falsely sent from support@microsoft.com, has "All information is in the attached file." in the body, and the subject is one of the following:
Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Your password
Re: My details
Screensaver
Cool screensaver
Re: Movie
Re: My application
Once executed the malware copies itself to %windows% (i.e. C:\WINNT) and gives control to that copy. It searches the whole hard disk for email addresses contained in files with the following extensions: wab, dbx, htm, html, eml, txt.
Removal instructions:
manual removal: kill the process msccn32, delete msccn32.exe and hnks.ini from windows directory and from StartUp; after that remove this
key: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tray"
automatic removal: let BitDefender disinfect or use the free removal tool provided by BitDefender!
That was all folks!
http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi
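The symptoms listed in the post above (the "System Tray" Run value, msccn32.exe and hnks.ini in the Windows folder, a copy in the all-users StartUp folder, and the F-Secure note that a bug can leave the file in the root or current directory) are easy to turn into a host check. The script below is an added example, not BitDefender's, F-Secure's or Symantec's tool; it parses a registry export and a file listing that are constructed inline, so it runs offline. On a real host the same functions would be fed `reg export` output and a directory walk.

```python
"""Host-side check for the Palyh indicators quoted in the thread (added example)."""
import ntpath
import re

# Indicators quoted from the posts above.
WORM_FILES = {"msccn32.exe", "hnks.ini"}
WORM_RUN_VALUE = "system tray"            # name of the Run value the worm creates
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
STARTUP_DIRS = (
    r"windows\all users\start menu\programs\startup",
    r"documents and settings\all users\start menu\programs\startup",
)

# Constructed sample of a `reg export` file: one infected Run value beside two normal ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="C:\\WINNT\\msccn32.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"""

# Constructed file listing: Windows folder, all-users StartUp folder, and the drive root
# (where the copy bug mentioned in the F-Secure text can leave the file).
SAMPLE_FILES = [
    r"C:\WINNT\msccn32.exe",
    r"C:\WINNT\hnks.ini",
    r"C:\WINNT\explorer.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msccn32.exe",
    r"C:\msccn32.exe",
]


def parse_reg_export(text):
    """Parse the .reg subset needed here: [key] headers and "name"="string" values.
    Returns {key (lower-case): {value name (lower-case): unescaped string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files double every backslash inside string data
                keys[current][m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys


def find_run_indicators(reg_text):
    """Return [(severity, description)] for Run values that match the worm."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key not in RUN_KEYS:
            continue
        for name, value in values.items():
            m = re.search(r'([^\\/"]+?\.exe)', value, re.I)   # executable name in the command
            exe = m.group(1).lower() if m else ""
            if exe in WORM_FILES:
                findings.append(("high", f"{key}\\{name} runs {value}"))
            elif name == WORM_RUN_VALUE:
                findings.append(("medium", f"Run value '{name}' uses the worm's value name; runs {value}, inspect target"))
    return findings


def find_file_indicators(paths):
    """Return [{'path', 'location'}] for every dropped-file name, classified by where it sits."""
    findings = []
    for path in paths:
        if ntpath.basename(path).lower() not in WORM_FILES:
            continue
        directory = ntpath.dirname(path).lower()
        if any(directory.endswith(s) for s in STARTUP_DIRS):
            location = "startup folder"
        elif directory.endswith(("\\windows", "\\winnt")):
            location = "windows folder"
        else:
            location = "unexpected location (copy bug: root or current directory)"
        findings.append({"path": path, "location": location})
    return findings


if __name__ == "__main__":
    for sev, desc in find_run_indicators(SAMPLE_REG):
        print(f"[{sev}] {desc}")
    for f in find_file_indicators(SAMPLE_FILES):
        print(f"[file] {f['path']} -> {f['location']}")
```

The Run-value check keys on the executable name rather than only on the value name, because the thread documents the file name as the stable indicator; a "System Tray" value pointing somewhere else is reported at lower severity for a human to look at. The file check reports every hit regardless of folder, since the copy bug means the worm is not always where the removal instructions say to look.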
May 19th, 2003, 11:20 AM
#4
where did you cut and paste that from?
and could you have added it as a quote to your original message (with link)?
BTW: thinking it was a different virus I started another thread, but while editing the info I realised it was the same virii.. that thread should no longer exist..
cheers..
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
May 19th, 2003, 12:06 PM
#5
Member
It is the same thread that I posted in the morning, but I changed the title to emphasize that the worm sends fake mails with the originator address of support@microsoft.com... that is why I changed the topic title....
That was all folks!
http://www.virusinfo.bz/cgi-bin/ultimatebb.cgi
May 20th, 2003, 03:54 AM
#6
Symantec have renamed this one to SOBIG.B new link
http://securityresponse.symantec.com...obig.b@mm.html
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
June 1st, 2003, 02:06 PM
#7
Updated: Sobig.C
Not to open a new thread..
Latest update of this virus is Sobig.C
My initial info (now 12hrs old) from Symantec
W32.Sobig.C@mm is a mass-mailing worm that sends itself to all the email addresses, purporting to have been sent by Microsoft (bill@microsoft.com). The worm finds the addresses in the files with the following extensions:
.wab
.dbx
.htm
.html
.eml
.txt
Email Routine Details
The email message has the following characteristics:
From: bill@microsoft.com
Subject: The subject line will be one of the following:
Re: Movie
Re: Submited (004756-3463)
Re: 45443-343556
Re: Approved
Approved
Re: Your application
Re: Application
Message Body: Please see the attached file.
Attachment: The attachment name will be one of the following:
screensaver.scr
movie.pif
submited.pif
45443.pif
documents.pif
approved.pif
application.pif
document.pif
NOTE: The worm de-activates on June 8, 2003, and therefore, the last day on which the worm will spread is June 7, 2003.
Also Known As: W32/Sobig.c@MM [McAfee], Win32/Sobig.C [ESET]
Type: Worm
Infection Length: About 59kb
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux
Cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
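The two lures described in this thread differ only in the spoofed sender, the subject list and the attachment names: Palyh/Sobig.B (posts #2 and #3) uses support@microsoft.com with .pif attachments, and Sobig.C (post #7) uses bill@microsoft.com with .pif and .scr attachments. The script below is an added example of a mail-gateway triage rule built from exactly those quoted indicators; it is not Symantec's, F-Secure's or McAfee's code. The sample messages are constructed inline with the email library, so nothing here is a real capture and the attachment bodies are placeholder bytes.

```python
"""Triage rule for the Palyh/Sobig.B and Sobig.C lures quoted in the thread (added example)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Indicators copied from the vendor text quoted in the posts.
LURES = {
    "Palyh / Sobig.B": {
        "sender": "support@microsoft.com",
        "subjects": {"Your details", "Approved (Ref: 38446-263)", "Re: Approved (Ref: 3394-65467)",
                     "Your password", "Re: My details", "Screensaver", "Cool screensaver",
                     "Re: Movie", "Re: My application"},
        "attachments": {"your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
                        "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
                        "application.pif"},
    },
    "Sobig.C": {
        "sender": "bill@microsoft.com",
        "subjects": {"Re: Movie", "Re: Submited (004756-3463)", "Re: 45443-343556", "Re: Approved",
                     "Approved", "Re: Your application", "Re: Application"},
        "attachments": {"screensaver.scr", "movie.pif", "submited.pif", "45443.pif", "documents.pif",
                        "approved.pif", "application.pif", "document.pif"},
    },
}
EXECUTABLE_EXT = (".pif", ".scr")   # the attachment types both variants use


def triage(raw):
    """Return {'family', 'reasons'} when a message matches a lure, else None.
    Gate: there must be a .pif/.scr attachment; then the family with the most
    matching indicators (sender, subject, attachment name) is reported."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", "")).strip()
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    exe_names = [n for n in names if n.lower().endswith(EXECUTABLE_EXT)]
    if not exe_names:
        return None
    best = None
    for family, lure in LURES.items():
        reasons = []
        if sender == lure["sender"]:
            reasons.append(f"spoofed sender {sender}")
        if subject in lure["subjects"]:
            reasons.append(f"known subject {subject!r}")
        known = [n for n in exe_names if n.lower() in lure["attachments"]]
        if known:
            reasons.append(f"known attachment name {known[0]}")
        if reasons and (best is None or len(reasons) > len(best["reasons"])):
            best = {"family": family, "reasons": reasons}
    return best


def build_message(sender, subject, body, attachment_name):
    """Construct a sample message (not a real capture) with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ constructed placeholder bytes, not worm code",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one per lure, plus a benign message with a document attachment.
SAMPLES = {
    "palyh": build_message("support@microsoft.com", "Your details",
                           "All information is in the attached file.", "your_details.pif"),
    "sobig_c": build_message("bill@microsoft.com", "Re: Application",
                             "Please see the attached file.", "document.pif"),
    "benign": build_message("alice@example.invalid", "Q2 report",
                            "Attached as discussed.", "report.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", triage(raw))
```

The rule deliberately requires an executable attachment before it looks at sender or subject, because the subject lines are ordinary enough ("Re: Movie", "Approved") to appear in legitimate mail; the spoofed Microsoft sender and the fixed attachment names are what make a match convincing. As a broader policy, dropping .pif and .scr attachments at the gateway outright would have stopped both variants without any lure-specific matching.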
June 1st, 2003, 10:50 PM
#8
Just in case you missed its first performance, it seems that Sobig/Palyh is increasing its presence in the wild..
Due to an increased rate of submissions, Symantec Security Response has upgraded W32.Sobig.C@mm from a Category 2 to a Category 3 as of June 1, 2003.
check the previously listed links for info ...
cheers
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr