Threat Encyclopedia

Win32/Sobig.B

Win32/Palyh.A

Win32/Palyh.A is a worm that spreads through e-mail attachments. The sender is given as support@microsoft.com. The attachment is a file with a PIF extension, about 50 Kb in size. This file contains the worm's body, packed with a modified UPX packer.

The message text is:

All information is in the attached file.

The e-mail's subject line is generated from this list:

Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (ref: 3394-65467)
Approved (Ref: 38446-263)
Your details

The attachment uses one of these names:

application.pif
movie28.pif
screen_doc.pif
screen_temp.pif
doc_details.pif
password.pif
approved.pif
ref-394755.pif
your_details.pif
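
A mail-gateway check built from the indicators listed above, added here as an example and not part of the original entry: it parses a raw message and reports which of the described sender, subject, body text and attachment names it matches. The function name, the generic `.pif` rule and the sample message are constructed for illustration.

```python
from email import message_from_string

# Indicators copied from the description above.
SENDER = "support@microsoft.com"
SUBJECTS = {s.lower() for s in (
    "Re: My application", "Re: Movie", "Cool screensaver", "Screensaver",
    "Re: My details", "Your password", "Re: Approved (ref: 3394-65467)",
    "Approved (Ref: 38446-263)", "Your details")}
ATTACHMENTS = {"application.pif", "movie28.pif", "screen_doc.pif",
               "screen_temp.pif", "doc_details.pif", "password.pif",
               "approved.pif", "ref-394755.pif", "your_details.pif"}
BODY = "all information is in the attached file."

def palyh_indicators(raw):
    """Return the Palyh.A mail indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if SENDER in (msg.get("From") or "").lower():
        hits.append("sender")
    if " ".join((msg.get("Subject") or "").split()).lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment-name")
        elif name.endswith(".pif"):
            hits.append("pif-attachment")  # generic rule: Windows runs .pif as a program
        if part.get_content_type() == "text/plain" and not name:
            text = part.get_payload(decode=True) or b""
            if BODY in text.decode("latin-1").lower():
                hits.append("body")
    return hits

# Constructed sample message (not a captured one); the payload is a dummy.
SAMPLE = """\
From: support@microsoft.com
Subject: Re: My details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

All information is in the attached file.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="doc_details.pif"

AAAA
--b1--
"""
```

The sender address is forged by the worm, so a sender match on its own is weak evidence; the attachment checks carry the most weight.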

The worm searches for e-mail addresses in files with these extensions:

html
htm
dbx
wab

To activate itself, the worm writes the item System Tray with the value C:\WINDOWS\msccn32.exe to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The worm creates the file hnks.ini on the disk and uses its own SMTP routine.

The worm is also able to spread over shared disks by writing to these directories:
Documents and Settings\All Users\Start Menu\Programs\Startup
Windows\All Users\Start Menu\Programs\Startup