F-Secure is downgrading the alert level on Palyh (Sobig.B) since it reached its deadline.
The worm only spread until 31st of May, 2003 which makes it inactive after this date. Some machines might continue to send infected email around even after the end of May only if the system time settings are incorrect.
F-Secure is raising the alert level on Palyh (also known as Mankx/Sobig.B) to level 1. The worm has gone worldwide and number of reported infections have increased drastically over the last 12 hours.
For more information on the worm see Global Sobig.B Virus Information Center:
F-Secure has created a special removal tool to remove the active Palyh infection and all its traces. The tool is available from
Instructions for the removal are in
Palyh is a massmailer emailer worm which also spreads through Windows network shares.
During late 18th of May / early 19th of May 2003, F-Secure received several submissions of this virus from USA, UK, Denmark and New Zealand.
The worm itself is Windows PE EXE file, written in Microsoft Visual C++, compressed by UPX. The size of the email attachment varies between around 49000 and 54000 bytes. When uncompressed, the virus code is about 110kB in size.
The worm activates from infected emailS only if the user clicks on the infected attachment. After this the worm will install itself and starts to spread further.
While installing, the worm copies itself to the WINDOWS directory as "msccn32.exe". Then it registers itself in system registry to auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run System Tray = %WindowsDir%\msccn32.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run System Tray = %WindowsDir%\msccn32.exe
Because of a bug the worm sometimes copies itself to wrong directories (such as root or current directory). In these cases the worm will only stay active until next reboot.
To send infected messages the worm makes a direct connection to the default SMTP server. The worm collects email addresses from .TXT, .EML, .HTML, .HTM, .DBX, .WAB files in all directrories on all available local drives.
The worm sends several different types of email messages. However, they all look like they are coming from "email@example.com".
These are the different versions of the emails:
Re: My application Re: Movie Cool screensaver Screensaver Re: My details Your password Re: Approved (Ref: 3394-65467) Approved (Ref: 38446-263) Your details
All information is in the attached file.
Attached file name:
your_details.pif ref-394755.pif approved.pif password.pif doc_details.pif screen_temp.pif screen_doc.pif movie28.pif application.pif
The worm also creates a file called "hnks.ini" in the WINDOWS directory. This contains all the email addresses that we're collected by the worm. If you have been infected by this worm, you might want to warn people on this list.
The worm enumerates all accessible network resources (other computers in the network) and, if accesible, attempts to copy itself to their auto-start directories:
Windows\All Users\Start Menu\Programs\StartUp\ Documents and Settings\All Users\Start Menu\Programs\Startup\
The worm downloads files from four Websites and executes them. As a result the worm is able to upgrade itself or install other applications, such as trojans.
The worm will only spread until 31st of May, 2003. After this, it won't try to replicate to other machines (but will still try to download and run further code). The time is based on local system time, so some machines will continue to send infected email around even after the end of May.
[Kaspersky Lab and F-Secure, May 19th - June 2nd, 2003]
Date Created: -
Date Last Modified: -