[pchelpers] Re: Security Update--Beware it comes with attachment .exe file

Jackie, you're right to be suspicious. Here's C-Net's update:  
http://news.com.com/2100-1002-1007603.html
Worm dupes with fake Microsoft address 

By Matt Loney 
Special to CNET News.com
May 19, 2003, 7:21 AM PT


A new mass-mailing e-mail worm, which feigns a Microsoft.com origin, is 
spreading rapidly. Antivirus vendors say it can also spread via a local area 
network and can install "spyware" on a victim's PC. 
The Palyh, or Mankx, worm appears to come from support@xxxxxxxxxxxxx, a forged 
address. It contains a file which, upon execution, self-propagates using e-mail 
addresses from files stored on the targeted system, but which can also spread 
to other Windows machines on a local area network (LAN). Although the file has 
a .pi or .pif extension, it is an .exe file. And because Windows processes 
files according to their internal structure rather than their extension, 
Windows runs the file as soon as the recipient double-clicks on it. 

The worm appears to originate from the Netherlands, but more than 60 percent of 
e-mails containing it were originating from the United Kingdom early Monday, 
according to e-mail outsourcing firm MessageLabs. The U.K.-based company said 
its servers had stopped more than 34,000 copies of the worm as of Monday, with 
a peak infection rate that climbed to one Palyh worm in every 264 e-mails. 


The United States is the second most active country for the worm, with a 6 
percent share of infected e-mails, although antivirus experts expect this 
number to climb as the U.S. workday begins.

"The U.K. is the worst hit now," said Mark Toshak, virus analyst at 
MessageLabs. "We expect to see that change at (7 a.m. PDT) when people in the 
U.S. go into work and open their e-mails. It's Monday morning, and they might 
not have seen a warning or had a chance to update their antivirus packages. 
This virus does pretend that it's from support@xxxxxxxxxxxxxx And nine times 
out of 10, people will click on this." 

Palyh can gain access to targeted computers as an attached file or by writing 
itself to systems via a LAN, said antivirus software company Kaspersky Labs. 
The worm copies itself into the Windows directory under the name "MSCCN32.exe" 
and registers this file in the system registry's auto-run key so that it is 
placed into system memory and is automatically launched when the system boots. 
However, due to certain errors in its code, sometimes Palyh copies itself into 
a different directory and therefore occasionally the auto-run function is not 
triggered. 

When the worm copies itself correctly, according to Kaspersky's bulletin on the 
worm, it begins its spreading routine. "To do so via e-mail, Palyh scans for 
files with the extensions txt, eml, html, htm, dbx, wab, and selects lines from 
them that it believes to be e-mail addresses," the Russia-based company said. 
"Then Palyh circumvents the installed e-mail program to use the SMTP server to 
send out copies of itself to the found e-mail addresses." To spread over a LAN, 
Palyh copies itself to the Windows auto-run folders on other local machines. 

Kaspersky said that while the worm itself is not dangerous, it has the ability 
to load additional components--which could cause harm--from a remote Web 
server. "By doing so, Palyh can clandestinely install new versions of itself or 
impregnate infected systems with spyware programs," Kaspersky said.

So-called spyware is software that can install itself on a PC without the 
user's consent. It might monitor Web browsing habits or record passwords, 
credit card information or other e-commerce data for the purpose of relaying 
the data to a third party.

Palyh's author built into the program a temporary trigger: All worm routines 
other than the updating feature are active only until May 31. This peculiarity 
effectively dooms Palyh, according to Kaspersky, "because the server from which 
it downloads its updates will be closed in the near future." 

ZDNet UK's Matt Loney reported from London.


 

Jacqueline MacWhirter <jmacwhirter@xxxxxxxxx> wrote:

Did you get this? I got a virus worm with it. Norton caught it and
quarantined it. Did any of you get this? I know Microsoft never sends any
attachments. Whatever you do, do not execute it. -Jackie

Microsoft Corporation Partner
this is the latest version of security update, the
"May 2003, Cumulative Patch" update which eliminates
all known security vulnerabilities affecting Internet Explorer,
Outlook and Outlook Express as well as five newly
discovered vulnerabilities. Install now to protect your computer
from these vulnerabilities, the most serious of which could allow
an attacker to run executable on your system. This update includes
the functionality of all previously released patches.

System requirements: Win 9x/Me/2000/NT/XP
This update applies to:
Microsoft Internet Explorer, version 4.01 and later
Microsoft Outlook, version 8.00 and later
Microsoft Outlook Express, version 4.01 and later
Recommendation: Customers should install the patch at the earliest
opportunity.
How to install: Run attached file. Click Yes on displayed dialog box.
How to use: You don't need to do anything after installing this item.
Microsoft Product Support Services and Knowledge Base articles
can be found on the Microsoft Technical Support web site.
For security-related information about Microsoft products, please
visit the Microsoft Security Advisor web site, or Contact us.
Please do not reply to this message. It was sent from an unmonitored
e-mail address and we are unable to respond to any replies.
Thank you for using Microsoft products.
With friendly greetings,
Microsoft Internet Security Division
©2003 Microsoft Corporation. All rights reserved. The names of the actual
companies
and products mentioned herein may be the trademarks of their 


Cheers,
Ellen M.


Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at http://www.freelists.org/cgi-bin/lsg2.cgi
List archives at http://www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Good advice is like good paint- it only works if applied.
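
The article's point that Windows runs the attachment according to its internal structure, not its .pif name, is something a mail filter can check directly. The following is an added example, not part of the original post or the CNET article: it reads each attachment's bytes, looks for a PE header, and reports files whose extension does not declare an executable. The sample message, the file names and the header-only stub are constructed for illustration.

```python
import struct
from email import message_from_bytes
from email.message import EmailMessage

# Extensions that already tell the recipient the file is a program.
DECLARED_EXECUTABLE = {".exe", ".dll", ".scr", ".com", ".sys"}

def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def disguised_executables(raw_message: bytes) -> list:
    """Return names of attachments whose bytes are PE but whose
    extension does not declare an executable."""
    flagged = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and inline body parts
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
        if is_pe(payload) and ext not in DECLARED_EXECUTABLE:
            flagged.append(name)
    return flagged

def build_sample() -> bytes:
    """Constructed message: a header-only PE stub named .pif plus a text file."""
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(stub, maintype="application",
                       subtype="octet-stream", filename="sample_patch.pif")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(disguised_executables(build_sample()))
```

The check keys on content rather than on the sender or subject line, so it still fires when the From address is forged.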
