Selected viruses, spyware, and other threats: sorted alphabetically
Win32/Sobig.B
Win32/Palyh.A
Win32/Palyh.A is a worm that spreads through e-mail attachments. The sender is shown as support@microsoft.com. The attachment is a file with a PIF extension, about 50 Kb in size. This file contains the worm's body, packed with a modified UPX packer.
The message text is:
All information is in the attached file.
The e-mail's subject line is generated from this list:
Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (ref: 3394-65467)
Approved (Ref: 38446-263)
Your details
The attachment uses one of these names:
application.pif
movie28.pif
screen_doc.pif
screen_temp.pif
doc_details.pif
password.pif
approved.pif
ref-394755.pif
your_details.pif
The worm searches for e-mail addresses in files with these extensions:
html
htm
dbx
wab
To activate itself, the worm writes the item System Tray with the value C:\WINDOWS\msccn32.exe to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The worm creates the file hnks.ini on the disk and uses its own SMTP routine.
The worm is also able to spread over shared disks through an entry in these directories:
Documents and Settings\All Users\Start Menu\Programs\Startup
Windows\All Users\Start Menu\Programs\Startup
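The mail-borne indicators listed above (sender, subject, message text, attachment names) can be checked on a stored or quarantined message. The following is an added example, not part of the original encyclopedia entry or any Eset tool; the function names `palyh_indicators` and `build_sample` are hypothetical, and case-insensitive matching is an assumption.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from the description above; compared case-insensitively
# (an assumption of this example, the entry does not discuss case).
SENDER = "support@microsoft.com"
BODY_TEXT = "all information is in the attached file."
SUBJECTS = {s.lower() for s in (
    "Re: My application", "Re: Movie", "Cool screensaver", "Screensaver",
    "Re: My details", "Your password", "Re: Approved (ref: 3394-65467)",
    "Approved (Ref: 38446-263)", "Your details")}
ATTACHMENTS = {
    "application.pif", "movie28.pif", "screen_doc.pif", "screen_temp.pif",
    "doc_details.pif", "password.pif", "approved.pif", "ref-394755.pif",
    "your_details.pif"}


def palyh_indicators(raw: bytes) -> list[str]:
    """Return the names of the Palyh.A indicators found in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if parseaddr(str(msg.get("From", "")))[1].lower() == SENDER:
        hits.append("sender")
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_TEXT in body.get_content().lower():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment-name")   # exact name from the list
        elif name.endswith(".pif"):
            hits.append("pif-attachment")    # other PIF file, weaker signal
    return hits


def build_sample(subject: str, filename: str, sender: str = SENDER) -> bytes:
    """Constructed test message; the attachment payload is harmless filler."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.test", subject
    m.set_content("All information is in the attached file.")
    m.add_attachment(b"constructed filler", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A single hit such as the subject alone is weak evidence, since several of the listed subjects are common phrases; the combination of sender, message text and a listed PIF attachment name is the useful signal.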
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.
