Palyh Email Worm Spreading
A new email worm, named Palyh, has started spreading across the Internet. The e-mail claims to come from support@microsoft.com but carries a virus attachment that sends itself to addresses found in files with any of the following extensions: wab, dbx, htm, html, eml and txt.
Issue
The worm spreads via e-mail using its own SMTP engine, and through shared drives.
It arrives in a message with one of the following subjects:
Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details
The attachment name may be one of the following:
application.pif
movie28.pif
screen_doc.pif
screen_temp.pif
doc_details.pif
password.pif
approved.pif
your_details.pif
The only message body observed at this time contains simply:
All information is in the attached file.
The worm also spoofs the 'From' address. E-mail sent by the worm appears to be from the following address: support@microsoft.com
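The subject, attachment name, body and spoofed 'From' address listed above can be checked together when filtering mail. The following Python is an added example, not part of the original advisory; the function names, the rule of "listed attachment plus one more indicator" and the constructed sample message builder are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from the advisory above; all comparisons are lowercase.
SUBJECTS = {
    "re: my application", "re: movie", "cool screensaver", "screensaver",
    "re: my details", "your password", "re: approved (ref: 3394-65467)",
    "approved (ref: 38446-263)", "your details",
}
ATTACHMENTS = {
    "application.pif", "movie28.pif", "screen_doc.pif", "screen_temp.pif",
    "doc_details.pif", "password.pif", "approved.pif", "your_details.pif",
}
SPOOFED_FROM = "support@microsoft.com"
BODY_TEXT = b"all information is in the attached file."


def palyh_indicators(raw: bytes) -> list:
    """Return the advisory indicators matched by one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if parseaddr(str(msg.get("From", "")))[1].lower() == SPOOFED_FROM:
        hits.append("from")
    if " ".join(str(msg.get("Subject", "")).split()).lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif part.get_content_type() == "text/plain" and not name:
            if BODY_TEXT in (part.get_payload(decode=True) or b"").lower():
                hits.append("body")
    return hits


def is_likely_palyh(raw: bytes) -> bool:
    """Assumed policy: a listed attachment name plus one more indicator."""
    hits = palyh_indicators(raw)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 2


def constructed_sample(sender, subject, filename, body="See attachment."):
    """Build a constructed message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    m.add_attachment(b"stub", "application", "octet-stream", filename=filename)
    return m.as_bytes()
```

`parseaddr` discards any display name and `policy.default` decodes RFC 2047 encoded subjects, so neither hides a match.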
When run, the worm copies itself to the following file name:
%windows%\msccn32.exe
It also creates the following registry values so this copy is run when Windows starts:
System Tray="%windows%\msccn32.exe"
In the keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] and
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Note: These registry values are only set if the keys already exist.
The worm appears to search files with the following extensions for e-mail addresses to send to:
txt
eml
html
htm
dbx
wab
It also attempts to spread to remote Windows shares by copying itself to one of the following locations:
Documents and Settings\All Users\Start Menu\Programs\Startup
Windows\All Users\Start Menu\Programs\StartUp
The worm tries to download files from accounts on a free hosting site.
Note: The worm is designed to stop spreading as of 31st May 2003.
Affected Products
- All Windows versions
Solution
Do not open any e-mails from support@microsoft.com as Microsoft never sends file updates via e-mail.
Updated: May 19, 2003