The worm, known both as W32/Palyh and [email protected], arrives as an executable attachment to e-mail messages with a variety of subjects and messages. All messages containing the virus purport to come from the same address: [email protected], according to alerts posted by a number of leading antivirus software suppliers.
Subject lines for messages delivering the virus include messages such as "Re: My application," "Your password," and "Approved (Ref: 38446-263)." Attachment files containing the virus have a .PIF file extension and use names such as "password.pif," "doc_details.pif" and "ref-394755.pif," according to F-Secure.
The virus can only be released when a user clicks on the attachment file, F-Secure said.
Once released, however, the virus code modifies the Windows registry so that the worm program is launched whenever Windows is run. It also searches an infected computer for files containing e-mail addresses to which it can mail itself.
The Microsoft Windows address book as well as a variety of other files are searched for e-mail addresses, according to an alert by McAfee Security, part of Network Associates.
A file, "hnks.ini" is created to hold all the e-mail messages that the worm locates and those addresses are targeted with e-mail messages from the infected machine that contain the worm, according to F-Secure.
The virus also looks for computers that are accessible through shared directories on a network and copies itself to those machines, F-Secure said.
Although the worm preys upon machines running the Windows operating system, users do not need to have Microsoft's Outlook or Outlook Express e-mail programs installed for the worm to spread itself. Code in the virus enables it to send out its own e-mail messages, according to an alert from Sophos.
Antivirus suppliers advised their customers to update their antivirus software to detect the worm. Vendors also posted directions for stopping the virus and removing it from infected machines.
Microsoft policy is that it does not distribute any software using e-mail, preferring to use CDs or its website to dispense new software and software updates.
While the company does e-mail customers, it does not send attachments and authenticates all messages with a digital signature. www.microsoft.com/technet/security/policy/swdist.asp