Classification

Category: Malware

Type: -

Aliases: Palyh, Mankx, Sobig.B

Summary

UPDATE (2003-06-02 10:00 GMT)

F-Secure is downgrading the alert level on Palyh (Sobig.B) since the worm has reached its spreading deadline.

The worm only spreads until the 31st of May, 2003, which makes it inactive after this date. Machines whose system time settings are incorrect might continue to send infected email around even after the end of May.

UPDATE (2003-05-19 10:30 GMT)

F-Secure is raising the alert level on Palyh (also known as Mankx/Sobig.B) to level 1. The worm has gone worldwide and the number of reported infections has increased drastically over the last 12 hours.

For more information on the worm see Global Sobig.B Virus Information Center:

https://www.F-secure.com/sobig/

Removal

F-Secure has created a special removal tool to remove the active Palyh infection and all its traces. The tool is available from

ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.zip

Instructions for the removal are in

ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.txt

Technical Details

UPDATE (2003-05-19 2:30 GMT)

Palyh is a mass-mailing email worm which also spreads through Windows network shares.

During late 18th / early 19th of May 2003, F-Secure received several submissions of this virus from the USA, the UK, Denmark and New Zealand.

The worm itself is a Windows PE EXE file, written in Microsoft Visual C++ and compressed with UPX. The size of the email attachment varies between around 49000 and 54000 bytes. When uncompressed, the virus code is about 110 kB in size.

The worm activates from infected emails only if the user clicks on the infected attachment. After this the worm installs itself and starts to spread further.

While installing, the worm copies itself to the WINDOWS directory as "msccn32.exe". Then it registers itself in the system registry under the following auto-run keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 System Tray = %WindowsDir%\msccn32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 System Tray = %WindowsDir%\msccn32.exe

Because of a bug the worm sometimes copies itself to the wrong directory (such as the root or the current directory). In these cases the worm only stays active until the next reboot.

Spreading: email

To send infected messages the worm makes a direct connection to the default SMTP server. The worm collects email addresses from .TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on all available local drives.

The worm sends several different types of email messages. However, they all look like they are coming from "support@microsoft.com".

These are the different versions of the emails:

From:

support@microsoft.com

Subject:

Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details

Message Body:

All information is in the attached file.

Attached file name:

your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif

The worm also creates a file called "hnks.ini" in the WINDOWS directory. This contains all the email addresses that were collected by the worm. If you have been infected by this worm, you might want to warn the people on this list.
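As an added defender-side illustration of the message pattern listed above (example code, not part of the F-Secure description), the following Python checks a raw RFC 822 message for the forged sender, the listed subjects, the body text and the attachment names. The sample message is constructed from the listed traits, and the function names sobig_b_indicators and is_sobig_b are my own.

```python
import email
from email import policy
# Indicators quoted from the F-Secure description of Palyh/Sobig.B.
CLAIMED_SENDER = "support@microsoft.com"
SUBJECTS = {"Re: My application", "Re: Movie", "Cool screensaver", "Screensaver",
            "Re: My details", "Your password", "Re: Approved (Ref: 3394-65467)",
            "Approved (Ref: 38446-263)", "Your details"}
BODY_TEXT = "All information is in the attached file."
ATTACHMENTS = {"your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
               "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
               "application.pif"}

def sobig_b_indicators(raw_message: str) -> list[str]:
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []  # which Sobig.B traits this message exhibits
    if CLAIMED_SENDER in str(msg.get("From", "")).lower():
        hits.append("from")
    if str(msg.get("Subject", "")).strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_TEXT in body.get_content():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment-name")
        elif name.endswith(".pif"):  # unknown name, same executable type
            hits.append("pif-attachment")
    return hits

def is_sobig_b(raw_message: str) -> bool:
    # Forged sender plus an attachment trait; a subject match alone is too weak.
    hits = sobig_b_indicators(raw_message)
    return "from" in hits and ("attachment-name" in hits or "pif-attachment" in hits)

# Constructed sample message (not a real capture) built from the listed traits.
SAMPLE = """From: support@microsoft.com
Subject: Re: Approved (Ref: 3394-65467)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

All information is in the attached file.
--b1
Content-Disposition: attachment; filename="approved.pif"

MZ...
--b1--
"""
```

Requiring the sender and attachment traits together keeps a legitimate mail that happens to reuse one of the subject lines out of quarantine.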

Spreading via network

The worm enumerates all accessible network resources (other computers in the network) and, if they are accessible, attempts to copy itself to their auto-start directories:

Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\

Updating

The worm downloads files from four websites and executes them. As a result the worm is able to upgrade itself or install other applications, such as trojans.

The worm will only spread until the 31st of May, 2003. After this it won't try to replicate to other machines (but will still try to download and run further code). The deadline is based on the local system time, so some machines will continue to send infected email around even after the end of May.

[Kaspersky Lab and F-Secure, May 19th - June 2nd, 2003]