Tech Update
Palyh worm arrives as a fake Microsoft support e-mail
By Robert Vamosi
May 19, 2003

Palyh is the second new computer worm to spread within the last week, and it is much less of a danger than Fizzer. Palyh (w32.palyh@mm), also known as Mankx, is approximately 50K in size and spreads via e-mail and shared network files. Only Windows systems can be infected, but Mac, Linux, and Unix users can still forward an infected message to a Windows user. The worm carries its own SMTP engine to send copies of itself, so it does not depend on Outlook or any other installed mail client, and because it also copies itself over network shares a machine can be infected without ever receiving the e-mail. Palyh carries no destructive payload, so it rates only a 4 on the ZDNet Virus Meter.

How it works
Palyh arrives via e-mail or a shared network file. The e-mail claims to come from support@microsoft.com and carries an attached file; the sender address is forged by the worm's own mail engine and is not evidence of anything. The message should raise suspicion immediately, because Microsoft does not send unsolicited support announcements, let alone attachments, by e-mail. The subject line may be one of the following:

Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Your password
Screensaver
Re: My details
Cool screensaver
Re: Movie
Re: My application

The e-mail's attachment may have one of the following filenames:

your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif

The worm does not execute on its own; you must open the attached file to become infected. Note that Windows runs a .pif file as an executable, so opening one of these attachments launches the worm just as a .exe would. Upon execution, the worm attempts to add a Run value named System Tray under both of the following Registry keys, so that it is launched again at each logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Tray
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System Tray

Palyh also spreads over network shares. It attempts to copy itself into the All Users Startup folder of any remote system it can write to, trying both of the following paths (the Windows NT/2000/XP layout and the Windows 9x/Me layout respectively), so that the copy runs the next time someone logs on to that machine:

Documents and Settings\All Users\Start Menu\Programs\Startup
Windows\All Users\Start Menu\Programs\Startup
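The indicators listed above (the forged sender, the subject lines and the .pif attachment names) are enough to write a mail-gateway triage rule. The Python script below is an added example, not code from the article or from any of the antivirus vendors it names. It parses messages with the standard library's email package, and it goes one step beyond the article's lists by flagging any .pif attachment as suspicious even when its name is not listed, since a .pif arriving by e-mail is an executable with no legitimate use. The sample messages are constructed here for illustration; their attachment bodies are placeholder bytes, not worm code.

```python
"""Mail-gateway triage for the Palyh indicators quoted in the article.

Added example, not code from the original article or from any vendor it
names. Sample messages are constructed below for illustration only.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the article's lists (compared case-insensitively).
FORGED_SENDER = "support@microsoft.com"
PALYH_SUBJECTS = {
    "your details", "approved (ref: 38446-263)", "re: approved (ref: 3394-65467)",
    "your password", "screensaver", "re: my details", "cool screensaver",
    "re: movie", "re: my application",
}
PALYH_ATTACHMENTS = {
    "your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
    "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
    "application.pif",
}


def triage(raw: bytes) -> dict:
    """Classify one RFC 822 message as 'palyh', 'suspicious' or 'clean'.

    'palyh'      : a listed .pif name, or any .pif together with the forged
                   sender or a listed subject line
    'suspicious' : any other .pif attachment (Windows runs .pif files as
                   executables, so none should pass a mail gateway)
    'clean'      : everything else; matching indicators are still reported
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", "")).strip().lower()
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    pif = [n for n in names if n.lower().endswith(".pif")]

    reasons = []
    if sender == FORGED_SENDER:
        reasons.append("sender claims to be " + FORGED_SENDER)
    if subject in PALYH_SUBJECTS:
        reasons.append("subject matches Palyh list: " + subject)
    known = [n for n in pif if n.lower() in PALYH_ATTACHMENTS]
    for n in known:
        reasons.append("attachment name matches Palyh list: " + n)

    if known or (pif and reasons):
        verdict = "palyh"
    elif pif:
        verdict = "suspicious"
        reasons.append("unlisted .pif attachment: " + ", ".join(pif))
    else:
        verdict = "clean"
    return {"verdict": verdict, "sender": sender, "subject": subject,
            "attachments": names, "reasons": reasons}


def build_sample(sender: str, subject: str, attachment: str = None) -> bytes:
    """Construct a test message; the attachment body is a placeholder."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("All information is in the attached file.")
    if attachment:
        m.add_attachment(b"placeholder bytes, not an executable",
                         maintype="application", subtype="octet-stream",
                         filename=attachment)
    return m.as_bytes()


# Constructed samples: a Palyh-style message, a renamed .pif, and a benign mail.
SAMPLES = {
    "worm": build_sample("support@microsoft.com", "Re: Movie", "movie28.pif"),
    "renamed": build_sample("friend@example.org", "Photos", "holiday.pif"),
    "benign": build_sample("hr@example.com", "Your details", "form.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        r = triage(raw)
        print(f"{label:8s} {r['verdict']:10s} {'; '.join(r['reasons'])}")
```

The same two indicator lists can drive a host-side check as well: look for a Run value named System Tray under the two Registry keys above, and for unexpected .exe or .pif files in the All Users Startup folders.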

Prevention
In general, do not open e-mail attachments without first saving them to disk and scanning them with updated antivirus software. Because a .pif file is an executable on Windows and has no legitimate reason to arrive by e-mail, mail administrators can also block .pif attachments outright at the gateway. Contact your antivirus vendor to obtain the most current signature files that include Palyh.

Removal
A few antivirus-software companies have updated their signature files to include this worm. This will stop the infection on contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
