Palyh worm makes tracks in Australia

An e-mail purporting to be from Microsoft, but in fact a hoax carrying a computer worm, is causing a few headaches for Internet users across Australia today.

Most computer users will have arrived in the office this morning with the offending e-mail sent from along with a numerous amount of subjects lines such as: Approved (Ref: 38446-263); Your password; Re: My details; Re: My application; Screensaver or Re: Movie.

Following this in the body of the text is the line: 'All information is in the attached file'. And then the offending .pif attachment which has extensions such as: your_details.pif; approved.pif; password.pif; screen_doc.pif and movie28.pif.

The key to the worm is the PIF (Program Information file) extension said Computer Associates antivirus expert Daniel Zatz. "PIF hasn’t been used since the Windows 3.1 and DOS days," he said. PIF's are text files which can be used to load an application.

Zatz said most clever enterprises should have already disabled PIF extensions on e-mails, thereby preventing such files from entering a company's network and users desktops. SME and home users might not be so aware, and "probably" will get the worm he said.

The worm, known as Win32.Palyh.A surfaced over the weekend, according to Zatz.

For those who have downloaded the worm, its payload is not malicious. Just a nuisance. If executed it copies itself to the users hard drive in the Windows directory under the filename MSCON32.exe. After modifying the registry it looks up e-mail addresses in the users inbox in order to keep propagating itself.

However, its penetration has been high, with CA witnessing a "couple of dozen Australian users hit with it" so far, Zatz said. "It is very prevalent."

Zatz said the simplicity of the e-mail must have triggered people's curiosity to open the attachment because otherwise, it had nothing to "tempt" people to opening it -- like an image of a sexy tennis player as in the case of the Anna Kournikova virus, which surfaced two years ago.

Also of note is that it appears the payload trigger only activates on dates prior to May 31. This means if the attachment is activated after that date, the worm will not propagate itself, Zatz said.

People who have already downloaded the worm should go to any leading antivirus sites for the removal procedure.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about CA TechnologiesMicrosoft

Show Comments