This is a very recent virus which comes with an email which appears to be from Microsoft Support, so I thought I should make you all aware of it.

The Palyh Virus aka W32/Sobig.b@MM

Info from McAfee's Site

Virus Information

Name: W32/Sobig.b@MM
Risk Assessment
  - Home Users: Medium
  - Corporate Users: Medium
Date Discovered: 5/18/2003
Date Added: 5/18/2003
Origin: Unknown
Length: approx. 50 KBytes
Type: Internet Worm
SubType: E-mail worm
DAT Required: 4265

Virus Characteristics

-- Update 05/21/03 --
Starting from the 4266 DATs (released 05/21/03), this virus has been renamed from W32/Palyh@MM to W32/Sobig.b@MM in order to correctly identify it as a new variant of W32/Sobig@MM.

-- Update 05/18/03 --
Detection and cleaning for this worm is included in the 4265 DATs, which have been released today.

This worm bears strong similarities to W32/Sobig@MM. It is written in MSVC and is packed with UPX. The worm propagates via email and over network shares. It contains its own SMTP engine for constructing outgoing messages.

Mail Propagation

The worm mails itself to recipients extracted from the victim machine, constructing messages using its own SMTP engine. Similarly to W32/Sobig@MM, the outgoing messages constructed by the worm may have a closing quote omitted from the attachment filename. This may cause certain mail clients to remove a character from the remaining filename, thus attachments may have a ".PI" extension (as opposed to ".PIF").

Target email addresses are extracted from files on the victim machine with the following extensions:
  WAB
  DBX
  HTM
  HTML
  EML
  TXT

The worm may arrive in an email with the following characteristics:

From: support@microsoft.com

Subject:
  Re: My application
  Re: Movie
  Cool screensaver
  Screensavers
  Re: My details
  Your password
  Re: Approved (Ref: 3394-65467)
  Approved (Ref: 38446-263)
  Your details

Attachment:
Note: As mentioned above, the file extension may be truncated to .PI instead of the intended .PIF.
  approved.pif
  ref-394755.pif
  password.pif
  ref-394755.pif
  application.pif
  screen_doc.pif
  screen_temp.pif
  movie28.pif
  download1053122425102485703.uue
  doc_details.pif
  _approved.pif

Message Body:
  All information is in the attached file.

Share Propagation

The worm enumerates network shares. It tries to copy itself to the following network locations if the paths are accessible:
  \Documents and Settings\All Users\Start Menu\Programs\Startup\
  \Windows\All Users\Start Menu\Programs\Startup\

Installation

Upon execution, the worm drops the following files into the %windir% directory:
  "msccn32.exe" (approx 50kB) (a copy of itself)
  "hnks.ini" (configuration file)
  "mdbrr.ini" (configuration file)

The following Registry keys are added to hook system startup:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run
    "System Tray" = %WinDir%\msccn32.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
    "System Tray" = %WinDir%\msccn32.exe
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

Indications of Infection

Existence of the files and Registry keys detailed above.

Method of Infection

This worm propagates via email and network shares. The worm contains a routine which retrieves and checks the system date/time. If the date matches 31st May 2003 (or later), the worm no longer propagates (it will successfully install itself on target machines however).

Removal Instructions

Complete detection and removal of this threat will be supplied in the specified DATs.

Aliases

I-Worm.Sobig.b (AVP), W32.HLLW.Mankx@mm (NAV), W32.Sobig.B@mm (NAV), W32/Palyh (Panda), W32/Palyh-A (Sophos), W32/Palyh@MM, W32/Sobig.b@MM, W32/Sobig.B@mm (F-Prot), Win32.HLLM.Reteras.2 (Dialogue Sci), Win32.Palyh.A (CA), WORM_PALYH.A (Trend)

- o -
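As an added example (not part of the forum post or of McAfee's description), here is a Python mail-gateway check that matches an incoming message against the characteristics listed above (sender, subject lines, attachment names, body text) and restores the ".PIF" extension when a client has already truncated it to ".PI", as the description warns. The two-indicator threshold and the sample message are my own assumptions, not from the advisory.

```python
import email
from email import policy

# All indicator values below are taken from the McAfee description quoted above.
SOBIG_B_SENDER = "support@microsoft.com"
SOBIG_B_SUBJECTS = {"re: my application", "re: movie", "cool screensaver", "screensavers",
                    "re: my details", "your password", "re: approved (ref: 3394-65467)",
                    "approved (ref: 38446-263)", "your details"}
SOBIG_B_ATTACHMENTS = {"approved.pif", "ref-394755.pif", "password.pif", "application.pif",
                       "screen_doc.pif", "screen_temp.pif", "movie28.pif", "doc_details.pif",
                       "_approved.pif", "download1053122425102485703.uue"}
SOBIG_B_BODY = "all information is in the attached file."

def normalize_attachment_name(name):
    """Lower-case the name and restore '.pif' when a client truncated it to '.pi'."""
    name = name.strip().lower()
    return name + "f" if name.endswith(".pi") else name

def sobig_b_indicators(raw):
    """Return which Sobig.b mail indicators (sender, subject, attachment, body) a raw message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    names = {normalize_attachment_name(p.get_filename() or "") for p in msg.iter_attachments()}
    checks = {
        "sender": str(msg.get("From", "")).strip().lower() == SOBIG_B_SENDER,
        "subject": str(msg.get("Subject", "")).strip().lower() in SOBIG_B_SUBJECTS,
        "attachment": bool(names & SOBIG_B_ATTACHMENTS),
        "body": body is not None and body.get_content().strip().lower() == SOBIG_B_BODY,
    }
    return [name for name, hit in checks.items() if hit]

def is_sobig_b(raw):
    """Flag only when two or more indicators agree; the From: header alone is trivially spoofed (assumed threshold)."""
    return len(sobig_b_indicators(raw)) >= 2

# Constructed sample message (not a real capture); the attachment name is already truncated to '.pi'.
SAMPLE_MESSAGE = b"""From: support@microsoft.com
Subject: Re: Approved (Ref: 3394-65467)
Content-Type: multipart/mixed; boundary="sobig-sample"

--sobig-sample
Content-Type: text/plain

All information is in the attached file.
--sobig-sample
Content-Type: application/octet-stream; name="approved.pi"
Content-Disposition: attachment; filename="approved.pi"

--sobig-sample--
"""
```

Calling `sobig_b_indicators(SAMPLE_MESSAGE)` returns all four indicator names, so `is_sobig_b` flags the sample; a plain message that only spoofs the sender is left alone.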