New Virus Masquerades as Microsoft Support (Palyh)
We have received a copy of yet another worm/virus that masquerades as an e-mail from support@microsoft.com. The virus propagates via network shares and uses several web sites to download updates.
Aliases: W32/Palyh@MM (McAfee), W32.HLLM.Ccn (Dialogue Sci), W32.HLLW.Mankx@mm (Symantec), W32/Palyh-A (Sophos)
Virus Characteristics:
From:
support@microsoft.com
Subject:
Re: My application
Re: Movie
Cool screensaver
Screensavers
Re: My details
Your password
Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Body:
All information is in the attached file.
Attachment:
Typically the attachment has a .pif extension, but this could be truncated to a .pi extension. Some possible attachment names include:
approved.pif
_approved.pif
password.pif
application.pif
screen_doc.pif
screen_temp.pif
movie28.pif
doc_details.pif
ref-394755.pif
Other Details:
Palyh will send itself to all e-mail addresses it finds in files with the following extensions:
.wab
.dbx
.htm
.html
.eml
.txt
The worm also creates a file called "hnks.ini" in the WINDOWS directory. This contains all the e-mail addresses that were collected by the worm.
The following Windows Registry items have been modified:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
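The indicators above (spoofed sender, subject list, .pif/.pi attachment names, the hnks.ini address cache and the "System Tray" Run-key value) can be turned into a simple triage check. The script below is an added example for this diary entry, not code from the ISC or any of the vendors referenced; the sample message and the registry/file snapshot are constructed test data, the snapshot format (a dict of Run-key path to value name/data, plus a set of Windows-directory file names) is this example's own convention, and matching the two "Approved (Ref: ...)" subjects with a generic digits pattern is an assumption that goes slightly beyond the two exact subjects listed.

```python
"""Triage helpers for the Palyh (W32/Palyh@MM) indicators listed in the diary.

Added example, not from the diary or any vendor write-up. The mail message and
the registry/file snapshot used at the bottom are constructed sample data.
"""
import email
import re
from email import policy

# --- Indicators quoted from the diary ---------------------------------------
PALYH_SENDER = "support@microsoft.com"
PALYH_SUBJECTS = {
    "re: my application", "re: movie", "cool screensaver", "screensavers",
    "re: my details", "your password", "your details",
}
# Assumption: the two "Approved (Ref: ...)" subjects share a numeric reference
# pattern, so they are matched with a regex rather than the two exact numbers.
PALYH_REF_SUBJECT = re.compile(r"^(re: )?approved \(ref: \d+-\d+\)$", re.I)
PALYH_ATTACHMENTS = {
    "approved.pif", "_approved.pif", "password.pif", "application.pif",
    "screen_doc.pif", "screen_temp.pif", "movie28.pif", "doc_details.pif",
    "ref-394755.pif",
}
PALYH_RUN_VALUE = ("System Tray", r"%WindowsDir%\msccn32.exe")
PALYH_RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
PALYH_ADDRESS_CACHE = "hnks.ini"
PALYH_BINARY = "msccn32.exe"


def check_message(raw: bytes) -> list[str]:
    """Return the Palyh mail indicators matched by one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = (msg.get("From") or "").lower()
    if PALYH_SENDER in sender:
        hits.append("sender spoofs " + PALYH_SENDER)
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in PALYH_SUBJECTS or PALYH_REF_SUBJECT.match(subject):
        hits.append("subject on Palyh list: " + subject)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # The diary notes the .pif extension may arrive truncated to .pi.
        if name.endswith((".pif", ".pi")):
            hits.append("executable .pif/.pi attachment: " + name)
        if name in PALYH_ATTACHMENTS:
            hits.append("attachment name on Palyh list: " + name)
    return hits


def check_host(run_keys: dict[str, dict[str, str]],
               windows_dir_files: set[str]) -> list[str]:
    """Check a snapshot of Run-key values and Windows-directory file names.

    The snapshot format is an assumption of this example; a real collector
    would read the registry and the directory listing itself.
    """
    findings = []
    name, data = PALYH_RUN_VALUE
    for key in PALYH_RUN_KEYS:
        if run_keys.get(key, {}).get(name, "").lower() == data.lower():
            findings.append(f"persistence: {key}\\{name} = {data}")
    files = {f.lower() for f in windows_dir_files}
    if PALYH_ADDRESS_CACHE in files:
        findings.append("harvested-address cache present: " + PALYH_ADDRESS_CACHE)
    if PALYH_BINARY in files:
        findings.append("worm binary present: " + PALYH_BINARY)
    return findings


# Constructed sample message shaped like the one described in the diary
# (the attachment payload is a few placeholder bytes, not the worm).
SAMPLE_MESSAGE = b"""\
From: "Microsoft Support" <support@microsoft.com>
To: user@example.org
Subject: Re: Approved (Ref: 38446-263)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

All information is in the attached file.
--b1
Content-Type: application/octet-stream; name="approved.pi"
Content-Disposition: attachment; filename="approved.pi"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

if __name__ == "__main__":
    for hit in check_message(SAMPLE_MESSAGE):
        print("MAIL:", hit)
    snapshot = {PALYH_RUN_KEYS[0]: {"System Tray": r"%WindowsDir%\msccn32.exe"}}
    for finding in check_host(snapshot, {"win.ini", "hnks.ini", "msccn32.exe"}):
        print("HOST:", finding)
```

Run stand-alone, the script reports three mail indicators for the sample message (spoofed sender, listed subject, .pi attachment) and three host findings for the constructed snapshot. On a mail gateway the attachment-extension rule is the one worth keeping after this particular worm is gone: the sender and subject strings change from variant to variant, while an executable .pif attachment from an unauthenticated "support" address is suspicious on its own.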
References:
http://www.symantec.com/avcenter/venc/data/w32.hllw.mankx@mm.html
http://www.f-secure.com/v-descs/palyh.shtml
http://www.sophos.com/virusinfo/analyses/w32palyha.html
http://vil.mcafee.com/dispVirus.asp?virus_k=100307
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_PALYH.A
http://www.viruslist.com/eng/viruslist.html?id=60521
http://www.microsoft.com/technet/security/virus/alerts/palyh.asp
Other News:
http://news.bbc.co.uk/1/hi/technology/3040247.stm
------------------------------------------------
Contact: isc@sans.org