Palyh-A worm: E-mail executables should be barred, says expert

Automatic software security measures can ensure malicious executable and program files such as that in the latest W32/Palyh-A e-mail worm do not make it into users’ inboxes, a security expert claims.

Companies that block Windows–based programs at the mail gateway will help to both prevent and reduce the spread of self-propagating viruses across the Internet, according to Paul Ducklin, Sophos head of technology for Asia Pacific

Ducklin’s comments follow the announcement over the weekend of the latest W32/Palyh-A e-mail worm. The offending e-mail, which purports to come from support@microsoft.com, carries a hoax Windows program with the file extension “.pif” (program information file). PIF is an older progamming file type that was used in Windows version 3.1 and DOS as a shortcut for loading an application. The W32/Palyh-A attachment is accompanied by the message text “All information is in the attached file”.

Although the worm is not technically malicious, opening the attachment allows the file to copy itself to the user’s PC Windows folder and then send the .pif-based program to any e-mail address stored on the hard drive.

Ducklin said the huge risks associated with accepting program files such as .pif, .vbs (visual basic script) or the more common .exe (executable) as attachments via e-mail outweighs the usefulness of distributing such files in this manner.

“There’s no business sense for distributing programs via e-mail,” he said.

To illustrate the point, Ducklin said six of the top 10 viruses reported to Sophos in April spread as Windows programs inside e-mails.

“By getting rid of these viruses through e-mail, you’re likely to protect yourself from future worms like Palyh-A,” he said.

Businesses could also block files that they don’t need but which might otherwise be useful to other companies, such as .doc files, he said, as a way of reducing their virus risk.

But despite the introduction of many straightforward mail monitoring software products, many companies are yet to take that step and block the exchange of programs, Ducklin said.

“We continue to hear administrators saying that it would be ‘unbusinesslike’ to block executable e-mail attachments. What many of them seem to mean is that their users still haven’t allowed themselves to be weaned off joke programs like ‘frog-in-a-blender’, which are commonly circulated by e-mail for amusement,” he said.

“It’s unfortunate that simply disallowing programs in e-mail, as a matter of corporate policy, hasn’t caught on as an equally important part of ‘best practice’.”

Ducklin also said smaller SME organisations can benefit from implementing e-mail monitoring or scanning programs in their operations.

“You don’t need a terribly powerful machine [to run these programs],” he said.

Alternatively, SMEs could sign up for a similar e-mail scanning service with their ISP, he said.

Both businesses and home users should also have regularly updated antivirus desktop products in place as an “extra layer of protection” against viruses, he added.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about GatewayMicrosoftSophos

Show Comments