SANS ISC: New Virus Masquerades as Microsoft Support (Palyh) - SANS Internet Storm Center SANS ISC InfoSec Forums
New Virus Masquerades as Microsoft Support (Palyh)
We have received a copy of yet another worm / virus that masquerades as an e-mail from support@microsoft.com. The virus propagates via network shares and uses several web sites to download updates.
Aliases: W32/Palyh@MM (McAfee), W32.HLLM.Ccn (Dialogue Sci), W32.HLLW.Mankx@mm (Symantec), W32/Palyh-A (Sophos)
Virus Characteristics:
From: support@microsoft.com
Subject (one of the following):
- Re: My application
- Re: Movie
- Cool screensaver
- Screensavers
- Re: My details
- Your password
- Your details
- Approved (Ref: 38446-263)
- Re: Approved (Ref: 3394-65467)
Body: All information is in the attached file.
Attachment: typically the attachment has a .pif extension, but this could be truncated to a .pi extension. Some possible attachment names include:
- approved.pif
- _approved.pif
- password.pif
- application.pif
- screen_doc.pif
- screen_temp.pif
- movie28.pif
- doc_details.pif
- ref-394755.pif
Other Details:
Palyh will send itself to all e-mail addresses it finds in files with the following extensions:
- .wab
- .dbx
- .htm
- .html
- .eml
- .txt
The worm also creates a file called "hnks.ini" in the WINDOWS directory. This contains all the e-mail addresses that were collected by the worm.
The following Windows Registry items have been modified:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  System Tray = %WindowsDir%\msccn32.exe
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  System Tray = %WindowsDir%\msccn32.exe
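The mail-side indicators above (spoofed sender, the fixed subject lines, and a .pif or truncated .pi attachment) are easy to turn into a mail-gateway check. The following is an added example, not code from the ISC diary or any vendor; the message it parses is a constructed sample shaped like the worm's mail, and the name `palyh_indicators` is ours.

```python
from email import message_from_string
from email.message import Message

# Indicators transcribed from the diary above.
PALYH_SENDER = "support@microsoft.com"
PALYH_SUBJECTS = {
    "Re: My application", "Re: Movie", "Cool screensaver", "Screensavers",
    "Re: My details", "Your password", "Your details",
}
# The "Approved (Ref: ...)" subjects carry a varying number, so match the prefix.
PALYH_SUBJECT_PREFIXES = ("Approved (Ref:", "Re: Approved (Ref:")
# .pi covers the truncated form of .pif noted in the diary.
PALYH_EXTENSIONS = (".pif", ".pi")


def attachment_names(msg: Message) -> list[str]:
    """Return the filename of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def palyh_indicators(raw_message: str) -> list[str]:
    """Describe each Palyh indicator found in an RFC 822 message (empty if none)."""
    msg = message_from_string(raw_message)
    hits = []
    if PALYH_SENDER in msg.get("From", "").lower():
        hits.append(f"sender spoofed as {PALYH_SENDER}")
    subject = msg.get("Subject", "").strip()
    if subject in PALYH_SUBJECTS or subject.startswith(PALYH_SUBJECT_PREFIXES):
        hits.append(f"known Palyh subject: {subject!r}")
    for name in attachment_names(msg):
        if name.lower().endswith(PALYH_EXTENSIONS):
            hits.append(f"executable attachment: {name}")
    return hits


# Constructed sample message shaped like the worm's mail (not a real capture).
SAMPLE = """\
From: support@microsoft.com
Subject: Re: Approved (Ref: 3394-65467)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="approved.pi"
Content-Disposition: attachment; filename="approved.pi"

QUJD
--b1--
"""
```

A mail that matches all three indicators should be quarantined rather than delivered; a single hit on the sender alone is worth logging, since Microsoft does not distribute patches by e-mail attachment.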
References:
- http://www.symantec.com/avcenter/venc/data/w32.hllw.mankx@mm.html
- http://www.f-secure.com/v-descs/palyh.shtml
- http://www.sophos.com/virusinfo/analyses/w32palyha.html
- http://vil.mcafee.com/dispVirus.asp?virus_k=100307
- http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_PALYH.A
- http://www.viruslist.com/eng/viruslist.html?id=60521
- http://www.microsoft.com/technet/security/virus/alerts/palyh.asp

Other News:
- http://news.bbc.co.uk/1/hi/technology/3040247.stm
Handlers