Fake Microsoft email spreads new worm

A new worm - which pretends to be a support message from Microsoft - is on the loose
Written by Patrick Gray, Contributor

A new mass-mailing worm has begun spreading through Australia, and despite its lack of social smarts, is still managing to replicate rapidly.

The Palyh, or Mankx worm, appears to come from support@microsoft.com, a forged address. The message body is invariably: "All information is in the attached file". Users should not open the attachment.

Symantec has upgraded the threat rating of the worm to 3/5 due to the large number of samples the company has received.

The payload is a PIF, or program information file. Upon execution, it self propagates using email addresses from files stored on the targeted system.

According to Jamie Gillespie, security analyst with AusCERT, the virus is a traditional mass-mailer.

"It appears to be using the address book as a single source at least", he said.

Anti-virus vendors have released signatures that can be used to detect this latest threat. The fact the worm wasn't "detectable" this morning could have contributed to its rapid propagation.

"Currently there is no public information regarding this virus," Gillespie told ZDNet Australia this morning, before the worm was identified and analysed. "Anti virus software is only as good as the signatures [so] 'zero-day' viruses can propagate quite quickly".

An element of reverse psychology could be at work, according to Computer Associates' security consultant Daniel Zatz. Because the email contains little information and doesn't pressure the recipient into opening the attachment could be a reason that people are in fact opening it, he told ZDNet Australia.

"Maybe the curiosity aspect of saying absolutely nothing is perhaps a better lure," he said.

Most large organisations should be protected because they block the .pif file extension, a practice advocated by Zatz, but that small to medium enterprises will probably be impacted.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Let the editors know what you think in the Mailroom.

Editorial standards