The Palyh worm has rapidly spread across the Internet because of a clever trick that allows it to make itself appear to be coming from Microsoft support, experts said this morning.
Messages containing the worm appear to come from "firstname.lastname@example.org," but that address is actually spoofed. Users should be suspicious of such messages because Microsoft doesn't send executable files via e-mail, said Chris Belthoff, senior product marketing manager at U.K.-based antivirus software vendor Sophos Inc. "As it purported to be from Microsoft, it had a certain amount of pseudo-credibility," he said.
Palyh's social engineering appears to have worked on some end users. U.K.-based e-mail filtering company MessageLabs intercepted more than 65,000 copies of the worm on Monday. By midmorning EDT Tuesday, the company had stopped about 100,000 copies. At the worm's peak, MessageLabs was finding a copy of Palyh (or Mankx, as it's also known) in one out of every 215 messages.
Sophos sees the worm as more of a consumer threat. "We tell users not to open e-mail attachments from people they don't know, but home users would, like, say, 'Oh, I know Microsoft' and open it," Belthoff said.
Technically, Palyh is nothing unusual. It's a mass mailer that sends copies of itself with the .pif file extension. The worm can also spread itself through network file shares. It's written in Microsoft Visual C++ and packed with UPX.
If a user double-clicks on Palyh in a message, the worm copies itself into the Windows directory under the name "msccn32.exe," according to an advisory from Moscow-based antivirus vendor Kaspersky Labs. It's automatically launched when the system is started. However, a programming bug makes Palyh copy itself to the wrong directory sometimes, so autorun isn't possible.
After infecting a system, Palyh collects e-mail addresses from .txt, .eml, .html, .htm, .dbx and .wab (Windows Address Book) files on the hard drive. The worm sends copies of itself using its own SMTP engine messages. It uses a variety of subject lines such as "Your password" and "Re: My details," as well as "Approved (Ref:38446-263)." The body text of the message says, "All information is in the attached file."
An infected machine may have many e-mail addresses on its hard drive, so just one machine could spew out many copies of itself.
In many ways, Palyh resembles the SoBig worm, antivirus software vendor McAfee said in an alert. Like SoBig, outgoing messages sent by Palyh may have a closing quote omitted from the attachment's file name. Certain mail clients may remove the last character, so the file arrives with the .pi extension, rather than .pif.
Many companies strip .pif files because they have become a common disguise for worms, along with .exe, .scr, and .com file extensions. Virtually no companies have a legitimate business need to allow such files in.
FOR MORE INFORMATION:
FEEDBACK: What's been the biggest threat of the past two weeks: Fizzer, Palyh, LovGate?
Send your feedback to the SearchSecurity.com news team.