Classification

Category :

Malware

Type :

-

Aliases :

Palyh, Mankx, Sobig.B

Summary

UPDATE (2003-06-02 10:00 GMT)

F-Secure is downgrading the alert level on Palyh (Sobig.B) since the worm's built-in spreading deadline has passed.

The worm only spreads until the 31st of May, 2003, so it is inactive after that date. Machines whose system clock is set incorrectly may continue to send infected email even after the end of May.

UPDATE (2003-05-19 10:30 GMT)

F-Secure is raising the alert level on Palyh (also known as Mankx/Sobig.B) to level 1. The worm has gone worldwide and the number of reported infections has increased drastically over the last 12 hours.

For more information on the worm see Global Sobig.B Virus Information Center:

https://www.F-secure.com/sobig/

Removal

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

UPDATE (2003-05-19 2:30 GMT)

Palyh is a mass-mailing email worm that also spreads through Windows network shares.

During late 18th of May / early 19th of May 2003, F-Secure received several submissions of this worm from the USA, UK, Denmark and New Zealand.

The worm itself is a Windows PE EXE file, written in Microsoft Visual C++ and compressed with UPX. The size of the email attachment varies between roughly 49000 and 54000 bytes; when uncompressed, the worm code is about 110 kB in size.

The worm activates from an infected email only if the user opens the attachment. After that it installs itself and starts spreading further.

While installing, the worm copies itself to the WINDOWS directory as "msccn32.exe", then registers itself under the following auto-run registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  System Tray = %WindowsDir%\msccn32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  System Tray = %WindowsDir%\msccn32.exe

Because of a bug, the worm sometimes copies itself to the wrong directory (such as the root or the current directory). In these cases the auto-run entry points to a file that does not exist, so the worm stays active only until the next reboot.

Spreading: email

To send infected messages the worm connects directly to the default SMTP server. The worm collects email addresses from .TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on all available local drives.

The worm sends several different types of email message; however, all of them appear to come from "support@microsoft.com".

These are the different versions of the emails:

From:

support@microsoft.com

Subject:

Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details

Message Body:

All information is in the attached file.

Attached file name:

your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif

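The lure above is consistent enough to filter at a mail gateway: a fixed spoofed sender, a small set of subjects, a one-line body and a .pif attachment. The rule below is an added example written for this page, not F-Secure code. It parses one RFC 2822 message with Python's standard email library and scores the indicators. The Ref numbers in the two "Approved" subjects and in ref-394755.pif look generated, so those are matched by pattern on the assumption that the digits vary per message; the sample messages are constructed test data, not captured worm mail.

```python
"""Mail-gateway rule for the Palyh/Sobig.B lure (added example, not F-Secure code)."""
import re
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SPOOFED_SENDER = "support@microsoft.com"
SUBJECTS = {
    "Re: My application", "Re: Movie", "Cool screensaver", "Screensaver",
    "Re: My details", "Your password", "Your details",
}
# Assumption: the Ref digits vary per message, so match them by pattern.
SUBJECT_PATTERNS = [re.compile(r"^(Re: )?Approved \(Ref: \d+-\d+\)$")]
ATTACHMENTS = {
    "your_details.pif", "approved.pif", "password.pif", "doc_details.pif",
    "screen_temp.pif", "screen_doc.pif", "movie28.pif", "application.pif",
}
ATTACHMENT_PATTERNS = [re.compile(r"^ref-\d+\.pif$", re.I)]
BODY = "All information is in the attached file."


def subject_matches(subject):
    subject = subject.strip()
    return subject in SUBJECTS or any(p.match(subject) for p in SUBJECT_PATTERNS)


def attachment_matches(name):
    name = name.strip()
    return name.lower() in ATTACHMENTS or any(p.match(name) for p in ATTACHMENT_PATTERNS)


def classify(raw_message):
    """Return {'verdict': ..., 'indicators': [...]} for one raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower() == SPOOFED_SENDER:
        indicators.append("sender")
    if subject_matches(msg.get("Subject", "")):
        indicators.append("subject")
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    if any(n.lower().endswith(".pif") for n in names):
        indicators.append("pif")
    if any(attachment_matches(n) for n in names):
        indicators.append("attachment-name")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() == BODY:
        indicators.append("body")
    # A .pif attachment behind the spoofed Microsoft sender is decisive on its own;
    # a lure subject alone (which legitimate mail can share) is not enough.
    if "sender" in indicators and "pif" in indicators:
        verdict = "palyh"
    elif len(indicators) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators}


def build_sample(sender, subject, body, attachment_name=None):
    """Construct a test message (constructed sample data, not a captured worm email)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ" + bytes(62), maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


LURE = build_sample(SPOOFED_SENDER, "Approved (Ref: 38446-263)", BODY, "ref-394755.pif")
LEGIT = build_sample("alice@example.org", "Re: Movie", "See you at 8.", "notes.txt")

if __name__ == "__main__":
    print("lure :", classify(LURE))
    print("legit:", classify(LEGIT))
```

Note that the second sample reuses the "Re: Movie" subject but is still classified as clean: the subject list is deliberately a weak signal on its own, since real replies use the same wording.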
The worm also creates a file called "hnks.ini" in the WINDOWS directory. This contains all the email addresses collected by the worm. If you have been infected by this worm, you might want to warn the people on this list.

Spreading via network

The worm enumerates all accessible network resources (other computers on the network) and, where it has write access, attempts to copy itself to their auto-start directories:

Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\

Updating

The worm downloads files from four websites and executes them. As a result, the worm can upgrade itself or install other programs, such as trojans.

The worm will only spread until the 31st of May, 2003. After this it will not try to replicate to other machines, but it will still try to download and run further code. The check uses the local system time, so machines with an incorrect clock will continue to send infected email even after the end of May.
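The host-side indicators above (the "System Tray" Run values, msccn32.exe and hnks.ini in the Windows directory, and copies dropped into the All Users startup folders of reachable machines) can be checked with a short triage script. The one below is an added example for this page, not F-Secure's tool. It is platform-neutral: the Run key snapshot is passed in as a dictionary (collected on the host, for example with winreg), and the startup-folder scan takes any list of roots, so mounted shares can be scanned from a clean machine. Because the description does not say which file name the worm uses on remote startup folders, the scan also reports any PE file whose size falls in the packed 49000-54000 byte range quoted above (widened slightly as a tolerance); that heuristic, the one-address-per-line layout assumed for hnks.ini, and the fake host tree built by build_demo_tree are assumptions.

```python
"""Host triage for the Palyh indicators (added example, not F-Secure code)."""
import struct
import tempfile
from pathlib import Path

DROPPER = "msccn32.exe"
ADDRESS_CACHE = "hnks.ini"
RUN_VALUE = "System Tray"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
STARTUP_DIRS = (
    Path("Windows/All Users/Start Menu/Programs/StartUp"),
    Path("Documents and Settings/All Users/Start Menu/Programs/Startup"),
)
PACKED_SIZE = (48000, 56000)   # quoted 49000-54000 plus tolerance (assumption)


def is_pe(path):
    """True if the file has an MZ stub whose e_lfanew points at a PE signature."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            fh.seek(struct.unpack_from("<I", head, 0x3C)[0])
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def check_run_values(run_values):
    """run_values: {key_path: {value_name: data}} snapshot of the two Run keys."""
    return [f"{key}\\{RUN_VALUE} = {data}"
            for key in RUN_KEYS
            for data in [run_values.get(key, {}).get(RUN_VALUE, "")]
            if data.lower().endswith(DROPPER)]


def check_windows_dir(windows_dir):
    """Dropper and harvested-address cache in the Windows directory."""
    found = []
    for name, label in ((DROPPER, "dropper"), (ADDRESS_CACHE, "address cache")):
        p = Path(windows_dir) / name
        if p.is_file():
            found.append(f"{label}: {p}")
    return found


def scan_startup_folders(roots):
    """roots: drive roots or mounted shares. Reports msccn32.exe by name and,
    as a heuristic, any PE whose size is in the packed range."""
    found = []
    for root in roots:
        for sub in STARTUP_DIRS:
            folder = Path(root) / sub
            if not folder.is_dir():
                continue
            for entry in folder.iterdir():
                if not entry.is_file():
                    continue
                size = entry.stat().st_size
                in_range = PACKED_SIZE[0] <= size <= PACKED_SIZE[1]
                if entry.name.lower() == DROPPER or (in_range and is_pe(entry)):
                    found.append(f"startup executable: {entry} ({size} bytes)")
    return found


def harvested_addresses(windows_dir):
    """Addresses from hnks.ini; one address per line is an assumption."""
    p = Path(windows_dir) / ADDRESS_CACHE
    if not p.is_file():
        return []
    seen = []
    for line in p.read_text(errors="replace").splitlines():
        addr = line.strip()
        if "@" in addr and addr not in seen:
            seen.append(addr)
    return seen


def fake_pe(size):
    """Minimal MZ header + PE signature padded to `size` bytes (constructed)."""
    head = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    return head + b"PE\0\0" + bytes(size - 0x44)


def build_demo_tree():
    """Constructed fake infected host / share layout so the script runs stand-alone."""
    root = Path(tempfile.mkdtemp())
    win = root / "Windows"
    win.mkdir()
    (win / DROPPER).write_bytes(fake_pe(50000))
    (win / ADDRESS_CACHE).write_text("a@example.com\nb@example.com\na@example.com\n")
    startup = root / STARTUP_DIRS[1]
    startup.mkdir(parents=True)
    (startup / "update.exe").write_bytes(fake_pe(51000))   # unnamed copy, size in range
    (startup / "readme.txt").write_text("not a PE")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    snapshot = {RUN_KEYS[0]: {RUN_VALUE: r"C:\WINDOWS\msccn32.exe"}}
    for hit in (check_run_values(snapshot) + check_windows_dir(root / "Windows")
                + scan_startup_folders([root])):
        print(hit)
    print("warn:", harvested_addresses(root / "Windows"))
```

When a Run value points at msccn32.exe but check_windows_dir finds no dropper, remember the copy bug described above: the worm may have landed in the drive root or the current directory instead, so search those before declaring the host clean.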

[Kaspersky Lab and F-Secure, May 19th - June 2nd, 2003]