[NTLUG:Discuss] Re: New Virus

Dennis Daupert ddaupert at csc.com
Wed May 21 08:43:15 CDT 2003


Greg Edwards wrote:

> Is there some new virus out there that sends an attachment using
> support at microsoft.com as the from address?

I'm forced to use windoze at work, but my linux boxes are all doing fine :)

Virus Name:
Win32.Palyh.A
Aliases:
I-Worm.Palyh, Palyh, W32.HLLM.Ccn, W32/Palyh-A, W32/Palyh at MM, WORM_PALYH.A
Type:
Worm

Brief Summary:
W32.HLLW.Mankx at mm is a mass mailing worm that also propagates through
Windows Netbios shares.  The worm uses its own SMTP engine to send its
email messages.

Technical Description
---------------------
W32.HLLW.Maax at mm is a mass mailing worm that sends itself, using its own
SMTP engine, to email addresses that it finds in files with the following
extensions:
.wab
.dbx
.htm
.html
.eml
.txt

It typically arrives as an email message with the following properties:
From:
support at microsoft.com

Subject can be one of:
Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Your password
Re: My details
Screensaver
Cool screensaver
Re: Movie
Re: My application

With one of the following attachments:
your_details.pif
ref-394755.pif
application.pif
approved.pif
password.pif
doc_details.pif
screen_doc.pif
movie28.pif
screen_temp.pif

Message Body:
All information is in the attached file.

When the attachment is executed, the worm creates the following copy of
itself:
%Windir%\msccn32.exe

It then creates the following files:
%Windir%\hnks.ini
%Windir%\msdbrr.ini

The worm also creates the following registry entries so that it executes
every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System Tray"="%Windir%\msccn32.exe"

Symptoms
--------
Creates the following files:
%Windir%\msccn32.exe
%Windir%\hnks.ini
%Windir%\msdbrr.ini

Creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System Tray"="%Windir%\msccn32.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System Tray"="%Windir%\msccn32.exe"

/dennis

---------------------------------------------------------------------------
Office phone: 817-762-8304
---------------------------------------------------------------------------
 Everything should be made as simple as possible,
but not simpler.


----------------------------------------------------------------------------------------

This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery. NOTE: Regardless of content, this e-mail shall not operate to
bind CSC to any order or other contract unless pursuant to explicit written
agreement or government initiative expressly permitting the use of e-mail
for such purpose.
----------------------------------------------------------------------------------------
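The indicators listed in Dennis's post (sender address, subject lines, .pif attachment names, message body, the three files under %Windir% and the "System Tray" Run value) are enough to build a small triage check. The Python below is an added example and not part of the original post or of any vendor's tooling; it matches mail metadata and exported Run-key values against those indicators. The input structures (a sender/subject/attachment/body tuple, a dict of hive path to value-name/data pairs, a list of %Windir% file names) are assumptions for the example, and it goes slightly beyond the post by also flagging any other .pif attachment, since every attachment name in the description uses that extension.

```python
from typing import Dict, List

# Indicators copied from the worm description in the post above.
WORM_FROM = "support@microsoft.com"
WORM_SUBJECTS = {
    "Your details",
    "Approved (Ref: 38446-263)",
    "Re: Approved (Ref: 3394-65467)",
    "Your password",
    "Re: My details",
    "Screensaver",
    "Cool screensaver",
    "Re: Movie",
    "Re: My application",
}
WORM_ATTACHMENTS = {
    "your_details.pif", "ref-394755.pif", "application.pif",
    "approved.pif", "password.pif", "doc_details.pif",
    "screen_doc.pif", "movie28.pif", "screen_temp.pif",
}
WORM_BODY = "All information is in the attached file."
WORM_FILES = {"msccn32.exe", "hnks.ini", "msdbrr.ini"}
WORM_RUN_VALUE_NAME = "System Tray"
WORM_RUN_IMAGE = "msccn32.exe"


def score_message(sender: str, subject: str, attachments: List[str], body: str) -> List[str]:
    """Return the list of indicators a single message matches (empty if none).

    Any .pif attachment is reported even if its name is not in the known list;
    that generalisation is this example's choice, not something the post states.
    """
    hits = []
    if sender.strip().lower() == WORM_FROM:
        hits.append("from")
    if subject.strip() in WORM_SUBJECTS:
        hits.append("subject")
    for name in attachments:
        lowered = name.strip().lower()
        if lowered in WORM_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif lowered.endswith(".pif"):
            hits.append(f"pif-attachment:{name}")
    if body.strip() == WORM_BODY:
        hits.append("body")
    return hits


def check_run_values(run_values: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag Run entries named "System Tray" whose data ends in msccn32.exe.

    run_values maps a hive key path to {value name: value data}; this mirrors
    an exported Run key and is an assumed input shape for the example.
    """
    findings = []
    for key_path, values in run_values.items():
        for value_name, data in values.items():
            image = data.strip().strip('"').lower()
            if value_name == WORM_RUN_VALUE_NAME and image.endswith(WORM_RUN_IMAGE):
                findings.append(f'{key_path}\\"{value_name}"={data}')
    return findings


def check_windir_files(file_names: List[str]) -> List[str]:
    """Return which of the worm's dropped file names appear in a %Windir% listing."""
    present = {n.lower() for n in file_names}
    return sorted(WORM_FILES & present)


if __name__ == "__main__":
    # Constructed sample input, not a real capture.
    sample_hits = score_message(
        "support@microsoft.com", "Re: Movie", ["movie28.pif"],
        "All information is in the attached file.",
    )
    print("message indicators:", sample_hits)
    sample_run = {
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
            "System Tray": r"C:\WINDOWS\msccn32.exe",
            "Updater": r"C:\Program Files\Vendor\update.exe",
        }
    }
    print("run-key findings:", check_run_values(sample_run))
    print("dropped files present:", check_windir_files(["explorer.exe", "hnks.ini", "MSDBRR.INI"]))
```

A message that matches all four fields (from, subject, attachment, body) is near-certainly this worm; the Run-value and file checks confirm an infected host rather than just a delivered message, and are the ones worth running across a fleet after the mail-gateway filter is in place.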