18 May 2003 VirusAlert: W32.Palyh@mm
Internet Worm Name: W32/Palyh@MM
Risk Assessment
Corporate User: Medium
Home User: Medium
Internet Worm Information
Discovery Date: 05/18/2003
Origin: Unknown
Length: approx. 50 KBytes
Type: Internet Worm
SubType: E-mail worm
Minimum DAT: 4265
Release Date: 05/18/2003
Minimum Engine: 4.1.60
Description Added: 05/18/2003
Description Modified: 05/19/2003 10:26 AM (PT)
Internet Worm Characteristics
-- Update 05/18/03 --
Detection and cleaning for this worm are included in the 4265 DATs, released today.
This worm bears strong similarities to W32/Sobig@MM. It is written in MSVC and is packed with UPX. The worm propagates via email and over network shares. It contains its own SMTP engine for constructing outgoing messages.
Mail Propagation
The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine.
As with W32/Sobig@MM, the outgoing messages constructed by the worm may omit the closing quote from the attachment filename. Certain mail clients then strip a character from the remaining filename, so attachments may arrive with a ".PI" extension instead of ".PIF".
Target email addresses are extracted from files on the victim machine with the following extensions:
WAB
DBX
HTM
HTML
EML
TXT
The worm may arrive in an email with the following characteristics:
From: [email protected]
Subject:
Re: My application
Re: Movie
Cool screensaver
Screensavers
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details
Attachment:
Note: As mentioned above, the file extension may be truncated to .PI instead of the intended .PIF.
approved.pif
ref-394755.pif
password.pif
application.pif
screen_doc.pif
screen_temp.pif
movie28.pif
download1053122425102485703.uue
doc_details.pif
_approved.pif
Message Body:
All information is in the attached file.
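The message characteristics listed above can be turned into a mail-gateway check. The following is an added example, not code from the advisory or from the vendor: it parses a raw message with Python's standard email library and reports which of the advisory's indicators (subject line, attachment name, body text) are present. Its filename matcher deliberately tolerates the missing closing quote and the truncated ".PI" extension described in the mail-propagation section, so a message is caught whether or not the receiving client has mangled the name. The two sample messages, the sender/recipient addresses, and the two-indicator threshold are constructed for the example.

```python
import email
import re

# Indicator lists transcribed from the advisory (subjects, attachment names, body text).
PALYH_SUBJECTS = {
    "Re: My application", "Re: Movie", "Cool screensaver", "Screensavers",
    "Re: My details", "Your password", "Re: Approved (Ref: 3394-65467)",
    "Approved (Ref: 38446-263)", "Your details",
}
PALYH_ATTACHMENTS = {
    "approved.pif", "ref-394755.pif", "password.pif", "application.pif",
    "screen_doc.pif", "screen_temp.pif", "movie28.pif",
    "download1053122425102485703.uue", "doc_details.pif", "_approved.pif",
}
PALYH_BODY = "All information is in the attached file."

# Accepts filename="x.pif" as well as filename="x.pif with the closing quote missing.
_FILENAME_RE = re.compile(r'filename="?([^";\r\n]+)"?', re.IGNORECASE)


def attachment_names(msg):
    """Pull the filename out of every Content-Disposition header, quoted or not."""
    names = []
    for part in msg.walk():
        disposition = part.get("Content-Disposition")
        if not disposition:
            continue
        match = _FILENAME_RE.search(disposition)
        if match:
            names.append(match.group(1).strip())
    return names


def canonical_name(name):
    """Lower-case the name and map a truncated '.pi' back to '.pif' so either form matches."""
    lowered = name.lower()
    return lowered + "f" if lowered.endswith(".pi") else lowered


def palyh_indicators(raw_message):
    """Return the list of advisory indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message)  # default policy keeps headers as raw strings
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject in PALYH_SUBJECTS:
        hits.append("subject:" + subject)
    for name in attachment_names(msg):
        if canonical_name(name) in PALYH_ATTACHMENTS:
            hits.append("attachment:" + name)
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            if payload.decode("latin-1").strip() == PALYH_BODY:
                hits.append("body:" + PALYH_BODY)
                break
    return hits


def is_suspected_palyh(raw_message, threshold=2):
    """Flag when at least `threshold` independent indicators agree (threshold is a chosen default)."""
    return len(palyh_indicators(raw_message)) >= threshold


# Constructed sample shaped like the advisory's description: unquoted, truncated attachment name.
# Addresses are placeholders; the attachment bytes are dummy data.
SAMPLE_PALYH = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Re: My details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd1"

--bnd1
Content-Type: text/plain

All information is in the attached file.
--bnd1
Content-Type: application/octet-stream; name="approved.PI
Content-Disposition: attachment; filename="approved.PI
Content-Transfer-Encoding: base64

AAAA
--bnd1--
"""

# Constructed benign message with a normal, fully quoted attachment name.
SAMPLE_BENIGN = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Q2 budget
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd2"

--bnd2
Content-Type: text/plain

See attached spreadsheet.
--bnd2
Content-Type: application/octet-stream; name="budget.xls"
Content-Disposition: attachment; filename="budget.xls"
Content-Transfer-Encoding: base64

AAAA
--bnd2--
"""

if __name__ == "__main__":
    print(palyh_indicators(SAMPLE_PALYH))
    print(is_suspected_palyh(SAMPLE_BENIGN))
```

Requiring two agreeing indicators keeps a legitimate "Your details" subject from being flagged on its own, while the truncation-aware filename match means the check does not depend on which client opened the message before it was inspected.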
Share Propagation
The worm enumerates network shares. It tries to copy itself to the following network locations if the paths are accessible:
\Documents and Settings\All Users\Start Menu\Programs\Startup\
\Windows\All Users\Start Menu\Programs\Startup\
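Because the worm drops itself into the two Startup folders named above, auditing those folders on shared volumes is a direct way to find infected or seeded hosts. The following is an added example, not the advisory's own tooling: it walks the two Startup paths beneath a given share root and lists executable-type files there with their size and SHA-256, so copies can be correlated across shares. Only ".pif" comes from the advisory; the other extensions in SUSPECT_EXTENSIONS are an assumption added to generalize the check, and the sample share tree, including the "SAMPLE_dropped.pif" name, is constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Startup locations named in the advisory, relative to the share or drive root.
PALYH_STARTUP_PATHS = [
    Path("Documents and Settings") / "All Users" / "Start Menu" / "Programs" / "Startup",
    Path("Windows") / "All Users" / "Start Menu" / "Programs" / "Startup",
]

# .pif is the extension the advisory names; the rest are an assumption to widen the audit.
SUSPECT_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat"}


def sha256_of(path):
    """Hash a file in chunks so large files do not need to be read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_startup_folders(root):
    """Return (relative path, size, sha256) for suspect files in the Startup folders under root."""
    root = Path(root)
    findings = []
    for rel in PALYH_STARTUP_PATHS:
        folder = root / rel
        if not folder.is_dir():
            continue  # path not present on this share; nothing to inspect
        for entry in sorted(folder.iterdir()):
            if entry.is_file() and entry.suffix.lower() in SUSPECT_EXTENSIONS:
                findings.append((str(entry.relative_to(root)), entry.stat().st_size, sha256_of(entry)))
    return findings


def build_sample_share():
    """Construct a throwaway tree imitating a share root (constructed data, not a real host)."""
    root = Path(tempfile.mkdtemp(prefix="palyh_share_"))
    startup = root / PALYH_STARTUP_PATHS[0]
    startup.mkdir(parents=True)
    (startup / "desktop.ini").write_text("[.ShellClassInfo]\n")      # benign, should be ignored
    (startup / "SAMPLE_dropped.pif").write_bytes(b"MZ" + b"\0" * 100)  # placeholder dropped file
    return root


if __name__ == "__main__":
    for rel_path, size, digest in audit_startup_folders(build_sample_share()):
        print(f"{rel_path}\t{size} bytes\t{digest}")
```

Run against real share roots (for example a list of mapped UNC paths) the same function produces a table that can be diffed against a known-good baseline; identical hashes appearing in the Startup folder of many shares is the pattern the share-propagation section describes.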