Palyh


Aliases: Palyh, Mankx, Sobig.B

Type: Malware

Platform: W32

Summary


UPDATE (2003-06-02 10:00 GMT)

F-Secure is downgrading the alert level on Palyh (Sobig.B) since it reached its deadline.

The worm only spreads until the 31st of May, 2003, which makes it inactive after this date. Machines whose system clock is set incorrectly might continue to send infected e-mail even after the end of May.


UPDATE (2003-05-19 10:30 GMT)

F-Secure is raising the alert level on Palyh (also known as Mankx/Sobig.B) to level 1. The worm has gone worldwide and the number of reported infections has increased drastically over the last 12 hours.

For more information on the worm, see the Global Sobig.B Virus Information Center:

http://www.F-secure.com/sobig/



Disinfection & Removal


Removal

F-Secure has created a special removal tool to remove the active Palyh infection and all its traces. The tool is available from

ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.zip

Instructions for the removal are in

ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.txt



Technical Details


UPDATE (2003-05-19 2:30 GMT)

Palyh is a mass-mailing e-mail worm that also spreads through Windows network shares.

During late 18th of May and early 19th of May 2003, F-Secure received several submissions of this virus from the USA, the UK, Denmark and New Zealand.

The worm itself is a Windows PE EXE file, written in Microsoft Visual C++ and compressed with UPX. The size of the e-mail attachment varies between roughly 49000 and 54000 bytes. Uncompressed, the virus code is about 110kB in size.

The worm activates from infected e-mails only if the user clicks on the infected attachment. After this the worm installs itself and starts spreading further.

While installing, the worm copies itself to the WINDOWS directory as "msccn32.exe". It then registers itself in the system registry under the following auto-run keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    System Tray = %WindowsDir%\msccn32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    System Tray = %WindowsDir%\msccn32.exe

Because of a bug, the worm sometimes copies itself to the wrong directory (such as the root or the current directory). In these cases the worm only stays active until the next reboot.


Spreading: email

To send infected messages the worm connects directly to the default SMTP server. The worm collects e-mail addresses from .TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on all available local drives.

The worm sends several different types of e-mail messages, but all of them appear to come from "support@microsoft.com".

These are the different versions of the e-mails:

From:

support@microsoft.com

Subject:

Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details

Message Body:

All information is in the attached file.

Attached file name:

your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif

The worm also creates a file called "hnks.ini" in the WINDOWS directory. This file contains all the e-mail addresses that were collected by the worm. If you have been infected by this worm, you may want to warn the people on this list.
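The sender, subject, body and attachment characteristics listed above are enough to triage mail at a gateway or in a mailbox export. The following Python is an added example, not F-Secure's code: it matches a raw RFC 822 message against those indicators and flags it only when more than one agrees. The two sample messages are constructed.

```python
from email import message_from_string

# Indicators copied from the e-mail description above.
SPOOFED_SENDER = "support@microsoft.com"
SUBJECTS = {"Re: My application", "Re: Movie", "Cool screensaver", "Screensaver",
            "Re: My details", "Your password", "Re: Approved (Ref: 3394-65467)",
            "Approved (Ref: 38446-263)", "Your details"}
ATTACHMENTS = {"your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
               "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
               "application.pif"}
BODY_TEXT = "All information is in the attached file."

def palyh_indicators(raw):
    """Return the list of Palyh indicators matched by one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if SPOOFED_SENDER in (msg.get("From") or "").lower():
        hits.append("from:" + SPOOFED_SENDER)
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.endswith(".pif"):          # unlisted .pif lure, still worth flagging
            hits.append("attachment:*.pif")
        if part.get_content_type() == "text/plain" and not name:
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            if BODY_TEXT in body:
                hits.append("body")
    return hits

def is_palyh_mail(raw):
    """A spoofed sender alone is common; require a second indicator before flagging."""
    return len(palyh_indicators(raw)) >= 2

# Constructed sample messages, not real captures.
SAMPLE_INFECTED = (
    "From: support@microsoft.com\nTo: user@example.com\nSubject: Your details\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nAll information is in the attached file.\n"
    '--b1\nContent-Type: application/octet-stream; name="your_details.pif"\n'
    'Content-Disposition: attachment; filename="your_details.pif"\n\n'
    "TVqQAAMAAAA=\n--b1--\n"
)
SAMPLE_BENIGN = "From: alice@example.com\nTo: bob@example.com\nSubject: Lunch?\n\nPizza at noon?\n"
```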


Spreading via network

The worm enumerates all accessible network resources (other computers in the network) and, where accessible, attempts to copy itself to their auto-start directories:

Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\


Updating

The worm downloads files from four websites and executes them. As a result, the worm can upgrade itself or install other applications, such as trojans.

The worm only spreads until the 31st of May, 2003. After this it no longer tries to replicate to other machines (but still tries to download and run further code). The cut-off is based on local system time, so some machines will continue to send infected e-mail even after the end of May.

[Kaspersky Lab and F-Secure, May 19th - June 2nd, 2003]



Detection

F-Secure Anti-Virus detects the Palyh worm with the updates published on May 19th, 2003:

Detection Type: PC
Database: 2003-05-19_02
