A mass mailing e-mail worm is spreading on the Internet,
masking itself as a message from Microsoft's support
organisation. The worm, known both as W32/Palyh and
W32.HLLW.Mankx@mm, arrives as an executable attachment to e-mail
messages with a variety of subjects and messages. All messages
containing the virus purport to come from the same address:
support@microsoft.com, according to alerts posted by a number of
leading antivirus software suppliers.
Subject lines for messages delivering the
virus include "Re: My application," "Your
password," and "Approved (Ref: 38446-263)." Attachment files
containing the virus have a .PIF file extension and use names such
as "password.pif," "doc_details.pif" and "ref-394755.pif,"
according to F-Secure.
The virus can only be released when a user
clicks on the attachment file, F-Secure said.
Once released, however, the virus code
modifies the Windows registry so that the worm program is launched
whenever Windows is run. It also searches an infected computer for
files containing e-mail addresses to which it can mail itself.
The Microsoft Windows address book as well as
a variety of other files are searched for e-mail addresses,
according to an alert by McAfee Security, part of Network
Associates.
A file, "hnks.ini," is created to hold all the
e-mail addresses that the worm locates, and those addresses are
targeted with e-mail messages from the infected machine that
contain the worm, according to F-Secure.
The virus also looks for computers that are
accessible through shared directories on a network and copies
itself to those machines, F-Secure said.
Although the worm preys upon machines running
the Windows operating system, users do not need to have Microsoft's
Outlook or Outlook Express e-mail programs installed for the worm
to spread itself. Code in the virus enables it to send out its own
e-mail messages, according to an alert from Sophos.
Antivirus suppliers advised their customers to
update their antivirus software to detect the worm. Vendors also
posted directions for stopping the virus and removing it from
infected machines.
Microsoft policy is that it does not
distribute any software using e-mail, preferring to use CDs or its
website to dispense new software and software updates.
While the company does e-mail customers, it
does not send attachments and authenticates all messages with a
digital signature.
www.microsoft.com/technet/security/policy/swdist.asp
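
The indicators reported above (a .PIF attachment, and a claimed microsoft.com sender on a message that carries any attachment at all) can be checked at a mail gateway. The following is an added example, not code from the article or from any vendor it cites; the function names, the sample messages and the extensions other than .pif are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# .pif is the extension named in the article; the others are an added assumption.
EXECUTABLE_EXTS = (".pif", ".exe", ".scr", ".com", ".bat")

def is_executable(filename):
    # Windows ignores trailing dots and spaces, so strip them before comparing.
    return filename.rstrip(". ").lower().endswith(EXECUTABLE_EXTS)

def check_message(raw_bytes):
    """Return the list of reasons a raw RFC 5322 message should be quarantined."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    claimed_domain = addr.rpartition("@")[2].lower()
    # get_filename() decodes RFC 2231 / encoded-word names for every MIME part.
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    reasons = []
    if any(is_executable(n) for n in names):
        reasons.append("executable attachment")
    # Per the policy described above, Microsoft does not send attachments.
    if claimed_domain == "microsoft.com" and names:
        reasons.append("attachment on mail claiming microsoft.com sender")
    return reasons

def build_sample(sender, subject, filename=None):
    """Build a constructed test message (sample data, not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.org", subject
    msg.set_content("See attachment.")
    if filename:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    samples = [
        ("Microsoft Support <support@microsoft.com>", "Your password", "password.pif"),
        ("alice@example.org", "Re: My application", "DOC_DETAILS.PIF"),
        ("support@microsoft.com", "Newsletter", None),
    ]
    for sender, subject, name in samples:
        print(sender, name, check_message(build_sample(sender, subject, name)))
```

The From header is only a claim by the sender, so the second rule flags the mismatch with the stated policy rather than proving where the message came from.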