
Thread: New Virus, But Looks What Advice We Get...

  1. #1
    jetje's Avatar former star
    Join Date
    Sep 2002
    Location
    Netherlands
    Posts
    4,453
    18 May 2003 VirusAlert: W32.Palyh@mm:

    Internet Worm Name: W32/Palyh@MM
    Risk Assessment: Corporate User: Medium; Home User: Medium

    Internet Worm Information
    Discovery Date: 05/18/2003
    Origin: Unknown
    Length: approx. 50 KBytes
    Type: Internet Worm
    SubType: E-mail worm
    Minimum DAT: 4265
    Release Date: 05/18/2003
    Minimum Engine: 4.1.60
    Description Added: 05/18/2003
    Description Modified: 05/19/2003 10:26 AM (PT)

    Internet Worm Characteristics
    -- Update 05/18/03 --
    Detection and cleaning for this worm is included in the 4265 DATs, which have been released today.

    This worm bears strong similarities to W32/Sobig@MM. It is written in MSVC and is packed with UPX. The worm propagates via email and over network shares. It contains its own SMTP engine for constructing outgoing messages.

    Mail Propagation

    The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine.

    Similarly to W32/Sobig@MM, the outgoing messages constructed by the worm may have a closing quote omitted from the attachment filename. This may cause certain mail clients to remove a character from the remaining filename, thus attachments may have a ".PI" extension (as opposed to ".PIF").

    Target email addresses are extracted from files on the victim machine with the following extensions:

    WAB
    DBX
    HTM
    HTML
    EML
    TXT
    The worm may arrive in an email with the following characteristics:

    From: [email protected]

    Subject:

    Re: My application
    Re: Movie
    Cool screensaver
    Screensavers
    Re: My details
    Your password
    Re: Approved (Ref: 3394-65467)
    Approved (Ref: 38446-263)
    Your details
    Attachment:

    Note: As mentioned above, the file extension may be truncated to .PI instead of the intended .PIF.

    approved.pif
    ref-394755.pif
    password.pif
    ref-394755.pif
    application.pif
    screen_doc.pif
    screen_temp.pif
    movie28.pif
    download1053122425102485703.uue
    doc_details.pif
    _approved.pif
    Message Body:

    All information is in the attached file.

    Share Propagation

    The worm enumerates network shares. It tries to copy itself to the following network locations if the paths are accessible:

    \Documents and Settings\All Users\Start Menu\Programs\Startup\
    \Windows\All Users\Start Menu\Programs\Startup\
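
    The mail characteristics quoted above (the fixed set of subject lines, attachment names and body text, plus the omitted closing quote that can leave a .PI extension) are enough for a simple triage check on incoming mail. The script below is an added example, not part of the original thread or of the McAfee description; the sample message is constructed for the demonstration, and its From address is a placeholder because the advisory's sender address is not reproduced here.

```python
"""Triage a raw RFC 822 message against the W32/Palyh@MM indicators quoted above.

Added example (not the advisory's or the forum poster's code). Indicator values
are copied from the advisory text; the sample messages are constructed.
"""
import email
import re

# Subject lines and attachment names listed in the advisory.
PALYH_SUBJECTS = {
    "Re: My application", "Re: Movie", "Cool screensaver", "Screensavers",
    "Re: My details", "Your password", "Re: Approved (Ref: 3394-65467)",
    "Approved (Ref: 38446-263)", "Your details",
}
PALYH_ATTACHMENTS = {
    "approved.pif", "ref-394755.pif", "password.pif", "application.pif",
    "screen_doc.pif", "screen_temp.pif", "movie28.pif",
    "download1053122425102485703.uue", "doc_details.pif", "_approved.pif",
}
PALYH_BODY = "All information is in the attached file."

# filename= with an optional opening quote; the value runs to the next quote,
# semicolon or line end, so a name whose closing quote the worm omitted is
# still recovered whole instead of being truncated by a header parser.
_FILENAME_RE = re.compile(r'filename=("?)([^";\r\n]*)', re.IGNORECASE)


def attachment_names(raw_message):
    """Return (name, unterminated) pairs for each filename= parameter.

    unterminated is True when the name opened with a quote that never closes,
    which is the malformed header the advisory describes."""
    found = []
    for m in _FILENAME_RE.finditer(raw_message):
        opened = m.group(1) == '"'
        value = m.group(2).strip()
        end = m.end()
        closed = opened and end < len(raw_message) and raw_message[end] == '"'
        found.append((value, opened and not closed))
    return found


def normalise_extension(name):
    """Some mail clients drop the last character of the unquoted name, so the
    attachment shows up as .PI; map that back to .PIF before matching."""
    lower = name.lower()
    return lower + "f" if lower.endswith(".pi") else lower


def triage(raw_message):
    """Score one raw message and return a small report dictionary."""
    msg = email.message_from_string(raw_message)
    subject = (msg["Subject"] or "").strip()
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode("latin-1", "replace")
    names = attachment_names(raw_message)
    matched = [n for n, _ in names if normalise_extension(n) in PALYH_ATTACHMENTS]
    report = {
        "subject_hit": subject in PALYH_SUBJECTS,
        "body_hit": PALYH_BODY in body,
        "attachment_hits": matched,
        "unterminated_filename": any(u for _, u in names),
    }
    score = sum([report["subject_hit"], report["body_hit"],
                 bool(matched), report["unterminated_filename"]])
    # Two independent indicators are required so a single coincidental
    # subject line does not trip the check on its own.
    report["verdict"] = "likely W32/Palyh@MM" if score >= 2 else "no match"
    return report


# Constructed sample: the From address is a placeholder, the attachment payload
# is a stub, and the filename carries the worm's missing closing quote.
SAMPLE_MAIL = """\
From: placeholder-sender@example.invalid
To: user@example.invalid
Subject: Your password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

All information is in the attached file.

--bnd
Content-Type: application/octet-stream; name="password.pif
Content-Disposition: attachment; filename="password.pif
Content-Transfer-Encoding: base64

TVqQAA==
--bnd--
"""

# The same message as a client that dropped the final character would store it.
SAMPLE_MAIL_TRUNCATED = SAMPLE_MAIL.replace(
    'filename="password.pif', 'filename="password.pi"')

if __name__ == "__main__":
    for label, raw in (("as sent", SAMPLE_MAIL), ("truncated", SAMPLE_MAIL_TRUNCATED)):
        print(label, triage(raw))
```

    The regex runs over the raw header text rather than relying on the mail library's parameter parser, because the defect being detected is exactly the malformed header that such parsers handle inconsistently; both the original name and the client-truncated .PI form match the same indicator.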


  2. Lounge   -   #2
    Wolfmight's Avatar Poster BT Rep: +1
    Join Date
    Feb 2003
    Location
    Location: Location:
    Posts
    5,545
    Don't ever open attachments unless they came from someone you know who told you what it is before you open it (i.e. some project you are both working on or something).

  3. Lounge   -   #3
    Ex-member
    Join Date
    Jan 2003
    Posts
    5,450
    WeeMouse got one of them! Thankfully she didn't open it and left it for me (she thought it actually was from Microsoft). I saw that the attachment was a .pif shortcut and thought "hmm... that's a virus", so I deleted it.

    Wonder how it got past NAV?

  4. Lounge   -   #4
    jetje's Avatar former star
    Join Date
    Sep 2002
    Location
    Netherlands
    Posts
    4,453
    It was first detected in the Netherlands. The updates are from today... So just update the scanners... B)
