A new mass-mailing worm that spread through Australia overnight appears to have hit the UK hard on Monday morning.
The Palyh, or Mankx worm, appears to come from firstname.lastname@example.org, a forged address. It contains a file which, upon execution, self-propagates using email addresses from files stored on the targeted system, but which can also spread to other Windows machines on a LAN. Although the file has a .PI or .PIF extension, it is a .EXE file, and because Windows processes files according to their internal structure than their extension, Windows runs the file as soon as the user double clicks on it.
Although the worm appears to originate from the Netherlands, over 60 percent of emails containing it were on Monday morning originating from the UK, according to email outsourcing firm MessageLabs. The company said its servers had stopped over 20,000 copies of the worm as of midday on Monday, with interception rates climbing to over 2,000 an hour and a peak infection rate that has climbed to one Palyh worm in every 500 emails.
The US is the second most active country for the worm, with a 6 percent share of infected emails, although antivirus experts expect this number to climb as America wakes up. "The UK is the worst hit now," said Mark Toshak, virus analyst at MessageLabs. "We expect to see that change at 2.00 p.m. GMT when people in the US go into work and open their emails. It's Monday morning, and they might not have seen a warning or had a chance to update their antivirus packages. This virus does pretend that it's from email@example.com, and nine times out of ten people will click on this."
Palyh can gain access to targeted computers as an attached file or by writing itself to systems via local area networks, said antivirus software company Kaspersky Labs. The worm copies itself into the Windows directory under the name "MSCCN32.EXE" and registers this file in the system registry's auto-run key so that it is placed into system memory and is automatically launched when the system boots. However, due to certain errors in its code, sometimes Palyh copies itself into a different directory and therefore occasionally the auto-run function is not triggered.
When the worm copies itself correctly, said Kaspersky, it begins its spreading routine. "To do so via email, Palyh scans for files with the extensions TXT, EML, HTML, HTM, DBX, WAB, and selects lines from them that it believes to be email addresses," the company said. "Then Palyh circumvents the installed email program to use the SMTP server to send out copies of itself to the found email addresses." To spread over a LAN, Palyh copies itself to the Windows auto-run folders on other local machines.
Kaspersky said that while the worm itself is not dangerous, it has the ability to load additional components --- which could cause harm -- from a remote Web server. "By doing so," said Kasperksy, "Palyh can clandestinely install new versions of itself or impregnate infected systems with spyware programs."
Palyh's author built into the program a temporary trigger -- all worm routines other than the updating feature are active only until 31 May, 2003. This peculiarity effectively dooms Palyh, said Kaspersky, "because the server from which it downloads its updates will be closed in the near future."