Threat description



UPDATE (2003-06-02 10:00 GMT)

F-Secure is downgrading the alert level on Palyh (Sobig.B) since it reached its deadline.

The worm only spread until 31st of May, 2003, which makes it inactive after this date. Machines might continue to send infected e-mail after the end of May only if their system time settings are incorrect.

UPDATE (2003-05-19 10:30 GMT)

F-Secure is raising the alert level on Palyh (also known as Mankx/Sobig.B) to level 1. The worm has gone worldwide and the number of reported infections has increased drastically over the last 12 hours.

For more information on the worm see Global Sobig.B Virus Information Center:



F-Secure has created a special removal tool to remove the active Palyh infection and all its traces. The tool is available from

Instructions for the removal are in

Technical Details

UPDATE (2003-05-19 2:30 GMT)

Palyh is a mass-mailing e-mail worm which also spreads through Windows network shares.

During late 18th of May / early 19th of May 2003, F-Secure received several submissions of this virus from the USA, the UK, Denmark and New Zealand.

The worm itself is a Windows PE EXE file, written in Microsoft Visual C++ and compressed with UPX. The size of the e-mail attachment varies between around 49000 and 54000 bytes. When uncompressed, the virus code is about 110kB in size.

The worm activates from infected e-mails only if the user clicks on the infected attachment. After this the worm installs itself and starts to spread further.

While installing, the worm copies itself to the WINDOWS directory as "msccn32.exe". It then registers itself under the auto-run keys in the system registry:


 System Tray = %WindowsDir%\msccn32.exe

 System Tray = %WindowsDir%\msccn32.exe

Because of a bug, the worm sometimes copies itself to the wrong directory (such as the root or the current directory). In these cases the worm will only stay active until the next reboot.

Spreading: email

To send infected messages the worm makes a direct connection to the default SMTP server. The worm collects e-mail addresses from .TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on all available local drives.

The worm sends several different types of e-mail messages. However, they all look like they are coming from "".

These are the different versions of the e-mails:



Re: My application
Re: Movie
Cool screensaver
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details

Message Body:

All information is in the attached file.

Attached file name:


The worm also creates a file called "hnks.ini" in the WINDOWS directory. This contains all the e-mail addresses that were collected by the worm. If you have been infected by this worm, you might want to warn people on this list.
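
As an added illustration (not part of the original F-Secure description), the e-mail traits listed above can be combined into a mail-gateway check. The Python example below flags a message when it carries an executable (MZ) attachment in the stated size range together with one of the listed subjects or the fixed body text; the 1000-byte slack, the function names, the "sample.bin" file name and the sample messages are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Traits taken from the description above.
SUBJECTS = {
    "re: my application", "re: movie", "cool screensaver", "re: my details",
    "your password", "re: approved (ref: 3394-65467)",
    "approved (ref: 38446-263)", "your details",
}
BODY = "all information is in the attached file."
MIN_SIZE, MAX_SIZE = 49000, 54000  # attachment size in bytes ("around", per the text)
SLACK = 1000                       # assumption: tolerance chosen for this example


def check_message(raw: bytes) -> dict:
    """Return which Palyh e-mail traits a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    text = msg.get_body(preferencelist=("plain",))
    body = text.get_content().lower() if text is not None else ""
    hits = {"subject": subject in SUBJECTS, "body": BODY in body, "attachment": False}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # The worm is a PE EXE, so the decoded attachment starts with "MZ".
        if data[:2] == b"MZ" and MIN_SIZE - SLACK <= len(data) <= MAX_SIZE + SLACK:
            hits["attachment"] = True
    # An executable alone is not enough; require a second trait as well.
    hits["quarantine"] = hits["attachment"] and (hits["subject"] or hits["body"])
    return hits


def build_sample(subject: str, body: str, attachment: bytes = b"") -> bytes:
    """Build a constructed test message (not a captured worm e-mail)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m.as_bytes()


if __name__ == "__main__":
    fake_exe = b"MZ" + bytes(50998)  # constructed 51000-byte stand-in, not malware
    worm_body = "All information is in the attached file."
    print(check_message(build_sample("Re: Movie", worm_body, fake_exe)))
    print(check_message(build_sample("Re: Movie", "See you at eight.")))
```

The subject list alone produces false positives on ordinary replies, which is why the check requires the executable attachment before it sets "quarantine".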

Spreading via network

The worm enumerates all accessible network resources (other computers in the network) and, if they are accessible, attempts to copy itself to their auto-start directories:

Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\

The worm downloads files from four websites and executes them. As a result the worm is able to upgrade itself or install other applications, such as trojans.

The worm will only spread until 31st of May, 2003. After this, it won't try to replicate to other machines (but will still try to download and run further code). The time is based on local system time, so some machines will continue to send infected e-mail around even after the end of May.

[Kaspersky Lab and F-Secure, May 19th - June 2nd, 2003]


F-Secure Anti-Virus detects the Palyh worm with the updates published on May 19th, 2003:

Detection Type: PC

Database: 2003-05-19_02
