Anti-virus company Sophos has warned that a new e-mail-aware worm is spreading disguised as an e-mail from Microsoft`s technical support department. Sophos has already received several reports of the worm spreading in the wild, and the e-mail has been reported in SA.
The worm, known as Palyh (W32/Palyh-A), appears to come from support@microsoft.com and contains the message text "All information is in the attached file".
Sophos says the attached file is a Windows program with a "PIF" extension. Users will infect themselves immediately if they open the attachment. W32/Palyh-A copies itself to the Windows folder, scoops up e-mail addresses it finds on the user`s hard disk, and then starts sending itself out by e-mail.
"Many users who are wary of EXE and VBS files which arrive in their e-mail may not realise that PIF files are equally capable of being malicious," says Brett Myroff, CEO of local Sophos distributor, NetXactics.
"Microsoft technical support does not send out files in this way, and users should think twice before they click."
Sophos recommends that companies consider blocking all Windows programs at their e-mail gateway. "It is rarely necessary to allow users to receive programs via e-mail from the outside world. There is so little to lose, and so much to gain, simply by blocking all e-mailed programs, regardless of whether they contain viruses or not," says Myroff.
"Best practice for business should include automatic blocking of all executable code at the e-mail gateway. At the very least, all PIF files should be blocked. There should never be any need to distribute genuine PIF files - which are really just a type of shortcut - via e-mail."
Share
