The Palyh Worm Appears As A Communique From Microsoft
19 May 2003
Kaspersky Lab, an international data security software developer, reports the detection of a new network worm named "Palyh", which is spreading via email and local area networks while masquerading as a communiqu� from Microsoft's technical support. Presently, infections at the hands of Palyh have already been confirmed in several countries.
Palyh gains access to targeted computers as an attached file or writes itself to systems via local area networks. The worm becomes active when an unsuspecting user opens the attached file carrying the infected code; once this is done Palyh infects the computer and starts its spreading routine.
When installing, the Palyh worm copies itself into the Windows directory under the name MSCCN32.EXE and registers this file in the system registry's auto-run key so that it is placed into system memory and automatically launched upon operating system start-up. Due to certain errors in its code, sometimes Palyh copies itself into a different directory and therefore occasionally the auto-run function is not triggered.
Next, the work begins its spreading routine. To do so via e-mail, Palyh scans for files with the extensions TXT, EML, HTML, HTM, DBX, WAB, and selects lines from them that it believes to be e-mail addresses. Then Palyh circumvents the installed e-mail program to use the SMTP server to send out copies of itself to the found e-mail addresses.
All infected e-mail messages sent out by the worm contain the falsified address firstname.lastname@example.org, though they contain various subject lines, body texts and attached file names. All infected file attachments use the file extensions .PI or .PIF (for example - PASSWORD.PIF), although the files are actually ordinary EXE files. Palyh takes advantage of the false impression users have that PIF files are not dangerous as well as a weakness in Windows. It is well known to virus creators that the Windows operating system does not process files according to their extensions, but rather by their internal formats.
To spread via local area networks Palyh scans other network computers and copies itself to the Windows auto-run folders (if it exists on a given computer).
In general it is not possible to refer to Palyh as dangerous. However it has an array of features that pose a potential danger to those using infected computers. The worm is has the ability to load additional components from a remote web-server. By doing so, Palyh can clandestinely install new versions of itself or impregnate infected systems with spyware programs.
Palyh's author built into the program a temporary trigger - All worm routines other than the updating feature are active only until May 31, 2003. This particularity effectively dooms Palyh however, as the server from which it downloads its updates will be closed in the near future.
The defense against this malicious program has already been added to the Kaspersky Anti-Virus database.
More details about the Palyh network worm can be found in the Kaspersky Virus Encyclopedia