F-Secure is raising the alert level on Palyh (also known as
Mankx/Sobig.B) to level 1. The worm has gone worldwide and the number
of reported infections has increased drastically over the last
12 hours.
For more information on the worm see Global Sobig.B Virus
Information Center:
http://www.F-secure.com/sobig/
UPDATE (2003-05-19 2:30 GMT)
Palyh is a mass-mailing e-mail worm which also spreads through
Windows network shares.
During late 18th of May / early 19th of May 2003, F-Secure
received several submissions of this virus from USA, UK, Denmark
and New Zealand.
The worm itself is a Windows PE EXE file, written in Microsoft
Visual C++ and compressed with UPX. The size of the e-mail attachment
varies between around 49000 and 54000 bytes. When uncompressed,
the virus code is about 110kB in size.
The worm activates from infected e-mails only if the user clicks
on the infected attachment. After this the worm installs
itself and starts to spread further.
While installing, the worm copies itself to the WINDOWS directory
as "msccn32.exe". Then it registers itself in the system registry
under the auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
Because of a bug, the worm sometimes copies itself to the wrong
directory (such as the root or the current directory). In these cases
the worm only stays active until the next reboot.
Spreading: email
To send infected messages the worm makes a direct connection to
the default SMTP server. The worm collects e-mail addresses from
.TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on
all available local drives.
The worm sends several different types of e-mail messages.
However, they all look as if they are coming from
"support@microsoft.com".
These are the different versions of the e-mails:
From:
support@microsoft.com
Subject:
Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details
Message Body:
All information is in the attached file.
Attached file name:
your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif
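As an added example (not F-Secure's code or tool), the lure characteristics listed above can be turned into a mail-gateway triage check: it parses one RFC 822 message and reports which Palyh indicators (spoofed sender, listed subject, listed .pif attachment name) are present. The sample message is constructed to match the advisory's description and is not a real capture.

```python
# Added example (not F-Secure's code): flag mail matching the Palyh lure described above.
from email import message_from_bytes, policy
PALYH_SUBJECTS = {
    "Re: My application", "Re: Movie", "Cool screensaver", "Screensaver",
    "Re: My details", "Your password", "Re: Approved (Ref: 3394-65467)",
    "Approved (Ref: 38446-263)", "Your details",
}
PALYH_ATTACHMENTS = {
    "your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
    "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
    "application.pif",
}

def palyh_indicators(raw: bytes) -> list:
    """Return the Palyh lure indicators present in one RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if "support@microsoft.com" in str(msg.get("From", "")).lower():
        hits.append("from:support@microsoft.com")
    if str(msg.get("Subject", "")).strip() in PALYH_SUBJECTS:
        hits.append("subject:lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in PALYH_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.endswith(".pif"):  # renamed lure or another .pif mass-mailer
            hits.append("attachment:other-pif")
    return hits

def is_palyh_lure(raw: bytes) -> bool:
    """Require the spoofed sender plus a .pif attachment; a subject alone is too generic."""
    hits = palyh_indicators(raw)
    return "from:support@microsoft.com" in hits and any(h.startswith("attachment:") for h in hits)

# Constructed sample (not a real capture) in the shape the advisory describes.
SAMPLE_LURE = b"""From: support@microsoft.com
Subject: Re: Approved (Ref: 3394-65467)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

All information is in the attached file.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="approved.pif"

MZ-placeholder-not-a-real-binary
--b1--
"""
```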
The worm also creates a file called "hnks.ini" in the WINDOWS
directory. This contains all the e-mail addresses that were
collected by the worm. If you have been infected by this worm,
you might want to warn the people on this list.
Spreading via network
The worm enumerates all accessible network resources (other
computers in the network) and, if accessible, attempts to copy
itself to their auto-start directories:
Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\
Updating
The worm downloads files from four websites and executes
them. As a result the worm is able to upgrade itself or install other
applications, such as trojans.
The worm only spreads until the 31st of May, 2003. After this, it
won't try to replicate to other machines (but will still try to
download and run further code). The date check is based on local
system time, so some machines will continue to send infected e-mail
around even after the end of May.
Detection
F-Secure Anti-Virus detects the Palyh worm with the updates
published on May 19th, 2003:
Version=2003-05-19_02
Removal
F-Secure has created a special removal tool to remove the active
Palyh infection and all its traces. The tool is available from
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.zip
Instructions for the removal are in
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.txt
[Kaspersky Lab and F-Secure, May 19th - June 2nd, 2003]