AVERT (Anti-Virus Emergency Response Team), the anti-virus research division of Network Associates, has assigned a medium-on-watch risk assessment to the recently discovered W32/Palyh@MM.
Says Christopher Bray, Network Associates regional director of sub-Saharan Africa: "Palyh bears strong similarities to W32/Sobig@MM and is written in MSVC, packed with UPX. The worm propagates via e-mail and over network shares, containing its own SMTP engine for constructing outgoing messages. The file size is approximately 50Kb."
This latest threat was discovered on 18 May.
The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine.
Similarly to W32/Sobig@MM, the worm may mail itself with a ".PI" extension (as opposed to ".PIF").
Target e-mail addresses are extracted from files on the victim machine with the following extensions: WAB, DBX, HTM, HTML, EML and TXT.
Bray continues: "It is important to be able to identify the virus and ensure that the latest update of software is installed. The file extension may be truncated to .PI instead of the intended .PIF."
The worm may arrive in an e-mail with the following characteristics:
From: support@microsoft.com
Subject (one of):
  Re: My application
  Re: Movie
  Cool screensaver
  Screensavers
  Re: My details
  Your password
  Re: Approved (Red. 3394-65467)
  Approved (Ref. 38446-263)
  Your details
Attachment (one of):
  approved.pif
  ref-394755.pif
  password.pif
  application.pif
  screen_doc.pif
  screen_temp.pif
  movie28.pif
  download1053122425102485703.uue
  doc_details.pif
  _approved.pif
Message body:
  All information is in the attached file.
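The sender, subject lines, attachment names, truncated .PI extension and fixed body text listed above can be combined into a mail-gateway triage rule. The Python below is an added example, not Network Associates' tooling; the message it scans is constructed, and its attachment is a harmless placeholder.

```python
# Added example (not AVERT/Network Associates code); SAMPLE is a constructed message.
import email
import email.utils

PALYH_SENDER = "support@microsoft.com"
PALYH_SUBJECTS = {
    "re: my application", "re: movie", "cool screensaver", "screensavers",
    "re: my details", "your password", "re: approved (red. 3394-65467)",
    "approved (ref. 38446-263)", "your details"}
PALYH_ATTACHMENTS = {
    "approved.pif", "ref-394755.pif", "password.pif", "application.pif",
    "screen_doc.pif", "screen_temp.pif", "movie28.pif",
    "download1053122425102485703.uue", "doc_details.pif", "_approved.pif"}
PALYH_BODY = "all information is in the attached file."

def palyh_indicators(raw):  # returns the advisory indicators matched by one raw message
    msg = email.message_from_string(raw)
    hits = []
    if email.utils.parseaddr(msg.get("From", ""))[1].lower() == PALYH_SENDER:
        hits.append("from")
    if (msg.get("Subject") or "").strip().lower() in PALYH_SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in PALYH_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.endswith((".pif", ".pi")):  # .PIF may arrive truncated to .PI
            hits.append("attachment-ext:" + name)
        elif not name and part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            if body.strip().lower() == PALYH_BODY:
                hits.append("body")
    return hits

# Constructed sample: advisory's From, Subject and body plus a .PI attachment.
SAMPLE = """\
From: support@microsoft.com
Subject: Approved (Ref. 38446-263)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

All information is in the attached file.
--b1
Content-Disposition: attachment; filename="approved.pi"

placeholder
--b1--
"""
```

A gateway rule would quarantine on two or more independent hits, so a legitimate mail that merely mentions the body phrase is not blocked on its own.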
Share propagation
The worm enumerates network shares. It tries to copy itself to the following network locations if the paths are accessible:
\Documents and Settings\All Users\Start Menu\Programs\Startup
\Windows\All Users\Start Menu\Programs\Startup
Installation
Upon execution, the worm drops the following files into the %windir% directory:
"msccn32.exe" (approx 50kB) (a copy of itself)
"hnks.ini" (configuration file)
"mdbrr.ini" (configuration file)
The following registry keys are added to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "System Tray" = %WinDir%\msccn32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System Tray" = %WinDir%\msccn32.exe
Bray concludes: "A cure will be available on Network Associates' Web site today, which will be included in the 4265 DATs, which are currently being tested."
AVERT Labs is one of the top-ranked anti-virus research organisations in the world, employing more than 90 researchers in offices on five continents. AVERT protects customers by providing cures that are developed through the combined efforts of AVERT researchers and AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.