Palyh Worm Spreads
Worm purports to be E-mail from Microsoft to lure victims.
By InformationWeek
May 19, 2003 (02:19)
URL: informationweek.com
Antivirus vendors are warning of a new mass-mailer virus that's spreading around the globe. As of 11 a.m. EDT Monday, MessageLabs said it had intercepted more than 40,000 copies of the Palyh or Mankx worm in 89 countries.
While many viruses and worms use "social engineering" such as pegging the E-mail to current news events, claiming to contain pornographic pictures, or even as posing as antivirus updates, the Palyh worm uses a forged support@microsoft.com E-mail address to attempt to fool users into opening it. The worm also spreads through Windows network shares.
Most antivirus vendors have updated their software to stop this new threat. According to antivirus experts, the worm's payload seems to be only to propagate itself.
"The worm's spread will begin to subside as computer users update their antivirus solutions and the word is spread that any E-mail arriving from an address like 'support@microsoft.com' with an attachment in tow should scream the message like a huge billboard: 'I am a virus.' This is especially important since Microsoft's support policy is to not exchange files via E-mail," says Ian Hameroff, security strategist at Computer Associates.
Antivirus vendor McAfee has Palyh as a medium risk for both home users and businesses. According to McAfee, the worm sends itself to E-mail addresses it finds on the victim's system and uses its own SMTP E-mail engine to distribute itself to those users.
According to McAfee, the subject line could include number of subjects, including "Re: My application" and "Your Password." The body of the message simply states: "All information is in the attached file." The virus has about a dozen file names for that extension, most .pif. However, the file extension may be truncated to only ".pi" because of the way the virus constructs outgoing messages.
"Based on the reports to our eTrust Target labs, the worm has had the greatest impact in the home-computer space since most, if not all, enterprises employ a policy of blocking attachments types like .pif," Hameroff says. "Even so, we all need to be wary of anything that arrives unexpectedly and includes executable attachments." |
