Guest, posted May 20, 2003

Shankaram Siva Shankaram !!

Virus Alert: W32/Palyh@MM
Importance: High

Hi All,

This is to alert you all that there is a virus spreading in our network/Internet. Please delete all the mails you receive with the following details immediately, without opening any attachments in them, and report to your network division for further corrective measures. (McAfee DAT file version 4265 takes care of this worm.)

From: support
Subject (any one of the following):
  Re: My application
  Re: Movie
  Cool screensaver
  Screensavers
  Re: My details
  Your password
  Re: Approved (Red. 3394-65467)
  Approved (Ref. 38446-263)
  Your details
Body: All information is in the attached file.
Attachment (any one of the following):
  your_details.pif
  ref-394755.pif
  approved.pif
  password.pif
  doc_details.pif
  screen_temp.pif
  screen_doc.pif
  movie28.pif
  application.pif

Technical Details about the Worm:

Worm: W32/Palyh@MM
MALICIOUS CODE ALERT
Threat Type: Malicious Code: Worm
Alert ID: 5945
Urgency: Possible Use
Credibility: Confirmed
Severity: Harassment
Universal: Version: 1
First Published: May 19, 2003; 07:42 AM EDT
Last Published: May 19, 2003; 07:42 AM EDT
Status: NEW
CVE: Not Available

Version Summary:
W32/Palyh@MM is a mass-mailing worm that also spreads over network shares. The worm arrives as a .pif attachment from a spoofed source. Virus definitions are available.

Variants: Variants are unavailable.

Virus Name: W32/Palyh@MM (Aliases include I-Worm.Palyh (AVP), Win32.Palyh.A (Computer Associates), Palyh and Mankx (F-Secure), I-Worm.Win32.Palyh (Hauri), W32/Palyh@MM (McAfee), Win32/Palyh.A@MM (RAV), W32/Palyh-A and W32/Mankx (Sophos), W32.HLLW.Mankx@mm (Symantec) and WORM_PALYH.A (Trend Micro).)

Description
W32/Palyh@MM is a mass-mailing worm that arrives in a .pif attachment from the spoofed address support. Once executed, the virus sends itself using its own SMTP mailer to all the e-mail addresses it finds in files with these extensions: .wab .dbx .htm .html .eml .txt

The worm modifies the system registry to ensure it is executed each time Windows is started. The worm also creates the file hnks.ini in the C:\%Windows% directory and adds the e-mail addresses that were found on the infected machine. The worm deactivates on May 31, 2003. Virus definitions are available.

Impact
W32/Palyh@MM may slow network traffic and flood e-mail servers with its propagation techniques.

Warning Indicators
W32/Palyh@MM may arrive in an e-mail using the following format:

From: support
Subject (any one of the following):
  Re: My application
  Re: Movie
  Cool screensaver
  Screensavers
  Re: My details
  Your password
  Re: Approved (Red. 3394-65467)
  Approved (Ref. 38446-263)
  Your details
Body: All information is in the attached file.
Attachment (any one of the following):
  your_details.pif
  ref-394755.pif
  approved.pif
  password.pif
  doc_details.pif
  screen_temp.pif
  screen_doc.pif
  movie28.pif
  application.pif

In some instances, a malformed MIME header may change the file extension of the file name to .pi or .uue. The worm also creates hnks.ini in the \%Windows% directory, which contains a list of all e-mail addresses the worm sent a copy of itself to.

Technical Information
W32/Palyh@MM was compiled with Microsoft Visual C and packed with a modified version of UPX. All the replication-related strings are encrypted with an algorithm to avoid simple scanning. When executed, W32/Palyh@MM copies itself as msccn32.exe into the \Windows folder. The worm creates the event Mnkx.X. This event, when not set, causes the worm to wait before spawning replication threads if the system is already infected. The Windows sockets library is started and four different threads are created.

The first thread simply exits.

The second thread attempts to download from one of these URLs:
  http://www.geocities.com/fjgoplsnjs/jane.txt
  http://www.geocities.com/lfhcpsnfs/mdero.txt
  http://www.geocities.com/dnggobhytc/nbvhf.txt
  http://www.geocities.com/bntdfkghvq/nbdcf.txt
Depending on the contents of the downloaded data, it attempts to further download another link to an .exe file that is directed from the downloaded data, and runs it.

The fourth thread attempts to spread the virus using network shares. If the current date is before May 31, 2003, the worm enumerates all the network shared folders and, if write access is allowed, it copies itself into the following remote directories every 30 minutes:
  \Documents and Settings\All Users\Start Menu\Programs\Startup
  \Windows\All Users\Start Menu\Programs\StartUp

W32/Palyh@MM adds the value System Tray = \%WindowsDir%\msccn32.exe to the following registry keys to ensure it executes each time Windows is started:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

TruSecure Comments
It is recommended that security policies and procedures require users to report infections to security administrators. Additionally, users should not be authorized to make changes to any antivirus settings or software, or be allowed to attempt to remove the worm. Removing a worm from an infected system requires carefully following the recommended procedures, which may be unique for that worm.

Safeguards
Update current virus definitions and antivirus software to detect and eliminate this worm.
File system monitoring checks should be performed regularly to detect any unusual activity that may indicate the presence of a worm on the system.
Firewall filtering of hazardous e-mail attachment files such as *.pif, *.pi and *.uue can prevent the distribution of this worm before it reaches systems and users.

Patches/Software
The AVP Virus Description for I-Worm.Palyh is available at the following link: Virus Description
The Computer Associates Virus Threat for Win32.Palyh.A, as well as signature and engine information, are available at the following link: Computer Associates
The F-Secure Virus Description for Palyh is available at the following link: Virus Description. Definition updates have been available since May 19, 2003, at the following link: F-Secure
The Hauri Virus Description for I-Worm.Win32.Palyh is available at the following link: Virus Description. ViRobot definitions have been available since May 19, 2003, at the following link: Hauri
The McAfee Virus Description for W32/Palyh@MM is available at the following link: Virus Description. DAT file 4265 is available at the following link: McAfee
The Panda Software Virus Description for Palyh is available at the following link: Virus Description. Virus signature files have been available since May 18, 2003, at the following link: Panda Software
The RAV Virus Description for Win32/Palyh.A@mm is available at the following link: Virus Description. Protection has been included in daily updates since May 18, 2003. The latest updates are available at the following link: RAV
The Sophos Virus Analysis for W32/Palyh-A is available at the following link: Virus Analysis. Identity files have been available since May 19, 2003, at the following link: Sophos
The Symantec Security Response for W32.HLLW.Mankx@mm is available at the following link: Security Response. Protection has been included in virus definitions for Intelligent Updater and LiveUpdate since May 18, 2003. The latest virus definitions are available at the following link: Symantec
The Trend Micro Virus Advisory for WORM_PALYH.A is available at the following link: Virus Advisory. Pattern file 541 and higher is available at the following link: Trend Micro

Alert History
This is a TruSecure Malicious Code Alert.

Product Sets
The security vulnerability applies to the following combinations of products.
Primary Products: TruSecure Malicious Code Alert Original Release
Associated Products:
  Microsoft, Inc. Windows 2000 Advanced Server (Base, rev.2031, rev.2072, rev.2195, SP1, SP2, SP3), Professional (Base, SP1, SP2, SP3), Server (Base, SP1, SP2, SP3)
  Microsoft, Inc. Windows 95 Original Release, a, b, c, OSR2
  Microsoft, Inc. Windows 98 Original Release (Base, SP1), First Edition
  Microsoft, Inc. Windows Me Original Release
  Microsoft, Inc. Windows NT 3.5, 3.51 (Base, SP1, SP2, SP3, SP4, SP5), 4.0 (Base, SP1, SP2, SP3, SP4, SP5, SP6a)
  Microsoft, Inc. Windows XP Home Edition (Base, SP1), Professional Edition (Base, SP1)

Copyright © 2003 by TruSecure http://www.trusecure.com

Legal Disclaimer
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their circumstances. The information within this alert may change without notice. Use of information in this alert is governed by the terms of the Subscriber Agreement signed by the user and is subject to the limited warranty and limitations of liability contained therein.
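As an added example that is not part of the original post or of the TruSecure alert: a small Python mail-gateway filter that applies the indicators above (the lure subjects, the one-sentence body, the attachment names, and the .pif/.pi/.uue extensions the Safeguards section says to filter), including the case where a malformed MIME header has truncated a known file name to .pi or .uue. The alert gives the spoofed sender only as "support", so the filter matches that word as the display name or mailbox local part; that, the example.invalid addresses and the three sample messages are assumptions constructed here for the demonstration, not captured traffic.

```python
import email
from email import policy
from email.utils import parseaddr

# Indicators transcribed from the alert quoted above.
PALYH_SUBJECTS = {
    "re: my application", "re: movie", "cool screensaver", "screensavers",
    "re: my details", "your password", "re: approved (red. 3394-65467)",
    "approved (ref. 38446-263)", "your details",
}
PALYH_ATTACHMENTS = {
    "your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
    "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
    "application.pif",
}
PALYH_BODY = "all information is in the attached file."
# Extensions the Safeguards section says to filter at the gateway: .pif plus
# the two truncated forms a malformed MIME header can produce.
BLOCKED_EXTENSIONS = (".pif", ".pi", ".uue")


def attachment_names(msg):
    """File names of every non-container MIME part that declares one."""
    return [part.get_filename() for part in msg.walk()
            if part.get_content_maintype() != "multipart" and part.get_filename()]


def classify(raw_message):
    """Return (block, reasons): block is True when the gateway should hold the
    message; reasons lists every W32/Palyh indicator that matched."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons, block = [], False

    subject = str(msg["Subject"] or "").strip().lower()
    if subject in PALYH_SUBJECTS:
        reasons.append(f"subject matches lure: {subject!r}")

    # Assumption: the alert names the spoofed sender only as "support".
    name, addr = parseaddr(str(msg["From"] or ""))
    if name.lower() == "support" or addr.lower().split("@")[0] == "support":
        reasons.append("sender is the spoofed 'support'")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() == PALYH_BODY:
        reasons.append("body is the single lure sentence")

    for filename in attachment_names(msg):
        lowered = filename.lower()
        stem = lowered.rpartition(".")[0]
        if lowered.endswith(BLOCKED_EXTENSIONS):
            block = True  # gateway rule: hold the message whatever the name
            reasons.append(f"attachment {filename!r} has a blocked extension")
        # A name truncated to .pi/.uue still maps back to a known worm file name.
        if lowered in PALYH_ATTACHMENTS or stem + ".pif" in PALYH_ATTACHMENTS:
            reasons.append(f"attachment {filename!r} is a known W32/Palyh file name")
    return block, reasons


def build_sample(sender, subject, body, filename):
    """Assemble a constructed two-part MIME message for the demo (not real mail)."""
    return (
        f"From: {sender}\nTo: victim@example.invalid\nSubject: {subject}\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="sep"\n\n'
        f"--sep\nContent-Type: text/plain\n\n{body}\n"
        f'--sep\nContent-Type: application/octet-stream; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n\nQ29uc3RydWN0ZWQ=\n--sep--\n"
    )


# Constructed samples: a lure as described, a lure with the extension truncated
# by a malformed MIME header, and a benign mail whose subject happens to match.
LURE_PIF = build_sample("support <support@example.invalid>", "Your details",
                        "All information is in the attached file.", "your_details.pif")
LURE_TRUNCATED = build_sample("support <support@example.invalid>",
                              "Re: Approved (Red. 3394-65467)",
                              "All information is in the attached file.", "approved.pi")
BENIGN = build_sample("alice <alice@example.invalid>", "Re: Movie",
                      "Here are my notes from last night.", "notes.txt")

if __name__ == "__main__":
    for label, sample in (("pif", LURE_PIF), ("truncated", LURE_TRUNCATED), ("benign", BENIGN)):
        held, why = classify(sample)
        print(label, "BLOCK" if held else "pass", why)
```

A blocked extension alone is enough to hold a message, which is the gateway rule the alert recommends; a subject or sender match on its own only adds to the reasons list, so the benign "Re: Movie" with a .txt attachment is reported for review but delivered.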