Win32/Palyh.A
Win32/Palyh.A is a worm that spreads through e-mail attachments.
The sender is shown as support@microsoft.com.
The attachment is a file with a PIF extension.
The file is about 50 Kb in size.
The file contains the worm's body, packed with a modified UPX packer.
The message text is:
All information is in the attached file.
The e-mail's subject line is generated from this list:
Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (ref: 3394-65467)
Approved (Ref: 38446-263)
Your details
The attachment uses one of these names:
application.pif
movie28.pif
screen_doc.pif
screen_temp.pif
doc_details.pif
password.pif
approved.pif
ref-394755.pif
your_details.pif
The worm searches for e-mail addresses in files with these extensions:
html
htm
dbx
wab
To ensure its activation, the worm writes to the registry key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
the item System Tray with the value C:\WINDOWS\msccn32.exe.
The worm creates the file hnks.ini on the disk and uses its own SMTP routine.
The worm is also able to spread to shared disks through an entry in these directories:
Documents and Settings\All Users\Start Menu\Programs\Startup
Windows\All Users\Start Menu\Programs\Startup