Worm dupes with fake Microsoft address

A new e-mail worm, which feigns a Microsoft.com origin, is spreading rapidly. Antivirus vendors say it can also spread via LANs and can install "spyware" on a victim's PC.

A new mass-mailing e-mail worm, which feigns a Microsoft.com origin, is spreading rapidly. Antivirus vendors say it can also spread via a local area network and can install "spyware" on a victim's PC.

The Palyh, or Mankx, worm appears to come from support@microsoft.com, a forged address. It contains a file which, upon execution, self-propagates using e-mail addresses from files stored on the targeted system, but which can also spread to other Windows machines on a local area network (LAN). Although the file has a .pi or .pif extension, it is an .exe file. And because Windows processes files according to their internal structure rather than their extension, Windows runs the file as soon as the recipient double-clicks on it.
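As an added illustration (not from the article or any vendor's product), the following Python mail-gateway check applies the two tells described above: a From header forged as support@microsoft.com, and an attachment whose bytes begin with the "MZ" Windows-executable header even though its name ends in .pif. The sample message is constructed inline; the sender list, extension list and file names are assumptions.

```python
import base64
import email
import os
from email import policy, utils

EXEC_EXTENSIONS = {".pif", ".pi", ".exe", ".scr", ".com", ".bat"}  # assumed list
FORGED_SENDERS = {"support@microsoft.com"}  # address the article says the worm forges

def build_sample(sender: str, filename: str, payload: bytes) -> str:
    """Construct a minimal multipart message (synthetic sample, not a real capture)."""
    body = base64.b64encode(payload).decode()
    return (
        f"From: {sender}\r\nTo: user@example.com\r\nSubject: Your request\r\n"
        "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
        "--b1\r\nContent-Type: text/plain\r\n\r\nSee the attached file.\r\n"
        f"--b1\r\nContent-Type: application/octet-stream; name=\"{filename}\"\r\n"
        f"Content-Disposition: attachment; filename=\"{filename}\"\r\n"
        f"Content-Transfer-Encoding: base64\r\n\r\n{body}\r\n--b1--\r\n"
    )

def is_pe_executable(data: bytes) -> bool:
    """Every Windows PE file starts with the DOS 'MZ' stub, whatever its name says."""
    return data[:2] == b"MZ"

def scan_message(raw: str) -> list[str]:
    """Return the reasons a gateway would hold this message; an empty list means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender in FORGED_SENDERS:
        findings.append(f"From address {sender} is on the forged-sender list")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        data = part.get_payload(decode=True) or b""
        if ext in EXEC_EXTENSIONS:
            findings.append(f"{name}: executable extension {ext}")
        if is_pe_executable(data) and ext != ".exe":
            findings.append(f"{name}: PE header (MZ) hidden behind {ext or 'no'} extension")
    return findings

def should_quarantine(raw: str) -> bool:
    return bool(scan_message(raw))

# Constructed worm-like lure: forged Microsoft sender, .pif name, PE bytes inside.
WORM_SAMPLE = build_sample("support@microsoft.com", "movie28.pif", b"MZ\x90\x00" + b"\x00" * 60)
# Constructed benign control: ordinary sender and a plain text attachment.
CLEAN_SAMPLE = build_sample("colleague@example.com", "notes.txt", b"meeting at 10")

if __name__ == "__main__":
    for reason in scan_message(WORM_SAMPLE):
        print("HOLD:", reason)
```

The MZ check matters more than the extension check: renaming the attachment defeats the latter, but not the former.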

The worm appears to originate from the Netherlands, but more than 60 percent of e-mails containing it were originating from the United Kingdom early Monday, according to e-mail outsourcing firm MessageLabs. The U.K.-based company said its servers had stopped more than 34,000 copies of the worm as of Monday, with a peak infection rate that climbed to one Palyh worm in every 264 e-mails.

The United States is the second most active country for the worm, with a 6 percent share of infected e-mails, although antivirus experts expect this number to climb as the U.S. workday begins.

"The U.K. is the worst hit now," said Mark Toshak, virus analyst at MessageLabs. "We expect to see that change at (7 a.m. PDT) when people in the U.S. go into work and open their e-mails. It's Monday morning, and they might not have seen a warning or had a chance to update their antivirus packages. This virus does pretend that it's from support@microsoft.com. And nine times out of 10, people will click on this."

Palyh can gain access to targeted computers as an attached file or by writing itself to systems via a LAN, said antivirus software company Kaspersky Labs. The worm copies itself into the Windows directory under the name "MSCCN32.exe" and registers this file in the system registry's auto-run key so that it is placed into system memory and is automatically launched when the system boots. However, due to certain errors in its code, sometimes Palyh copies itself into a different directory and therefore occasionally the auto-run function is not triggered.

When the worm copies itself correctly, according to Kaspersky's bulletin on the worm, it begins its spreading routine. "To do so via e-mail, Palyh scans for files with the extensions txt, eml, html, htm, dbx, wab, and selects lines from them that it believes to be e-mail addresses," the Russia-based company said. "Then Palyh circumvents the installed e-mail program to use the SMTP server to send out copies of itself to the found e-mail addresses." To spread over a LAN, Palyh copies itself to the Windows auto-run folders on other local machines.

Kaspersky said that while the worm itself is not dangerous, it has the ability to load additional components--which could cause harm--from a remote Web server. "By doing so, Palyh can clandestinely install new versions of itself or impregnate infected systems with spyware programs," Kaspersky said.

So-called spyware is software that can install itself on a PC without the user's consent. It might monitor Web browsing habits or record passwords, credit card information or other e-commerce data for the purpose of relaying the data to a third party.

Palyh's author built into the program a temporary trigger: All worm routines other than the updating feature are active only until May 31. This peculiarity effectively dooms Palyh, according to Kaspersky, "because the server from which it downloads its updates will be closed in the near future."

ZDNet UK's Matt Loney reported from London.