Sophos, a global leader in anti-virus protection for businesses, has warned that a new e-mail-aware worm is spreading, disguised as an e-mail appearing to come from Microsoft`s technical support department. Sophos has already received several reports of the worm spreading in the wild.
The worm, known as Palyh (W32/Palyh-A), pretends to come from support@microsoft.com and contains the message text "All information is in the attached file".
The attached file is a Windows program with a "PIF" extension. If users open the attachment, they will infect themselves immediately. W32/Palyh-A copies itself to the Windows folder, scoops up e-mail addresses it finds on the user`s hard disk, and then starts sending itself out by e-mail.
"Many users who are wary of EXE and VBS files which arrive in their e-mail may not realise that PIF files are equally capable of being malicious," said Brett Myroff, CEO of local Sophos distributor, NetXactics. "Microsoft technical support does not send out files in this way, and users should think twice before they click."
Sophos recommends companies consider blocking all Windows programs at their e-mail gateway. It is rarely necessary to allow users to receive programs via e-mail from the outside world. There is so little to lose, and so much to gain, simply by blocking all e-mailed programs, regardless of whether they contain viruses or not.
"Best practice for business should include automatic blocking of all executable code at the e-mail gateway," continued Myroff. "At the very least, all PIF files should be blocked. There should never be any need to distribute genuine PIF files - which are really just a type of shortcut - via e-mail."
For more details of W32/Palyh-A, and instructions on how to protect against and remove it, visit: http://www.sophos.com/virusinfo/analyses/w32palyha.html
Sophos describes e-mail gateway best practice for its MailMonitor product range at: http://www.sophos.com/virusinfo/whitepapers/threat.html
Share
