[THIN] VIRUS WARNING

• From: Jim Kenzig <jimkenz@xxxxxxxxxxxxxx>
• To: thin@xxxxxxxxxxxxx, windows2000@xxxxxxxxxxxxx,brainstem@xxxxxxxxxxxxx
• Date: Mon, 19 May 2003 09:24:29 -0400

If you receive an email from Support@xxxxxxxxxxxxx that has an attachment DO
NOT OPEN IT! This is a virus. Delete it immediately.  My mcaffee I updated
yesterday is not catching this one. Watch out!
Regards,
Jim Kenzig


VIRUS WARNING The Central Command® Emergency Virus Response Team? (EVRT?)
has received virus infection reports for the new Internet Worm/Palyh.A
<http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.p
hp?p_refno=030518-000043>. Due to increased customer inquires and infection
reports the EVRT is issuing a VIRUS ALERT.

You are receiving this news letter because you are a subscriber to the
Central Command Virus News mailing list.

[ EVRT? Virus Warning issued for Worm/Palyh.A
<http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.p
hp?p_refno=030518-000043> ]

Name: Worm/Palyh.A
<http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.p
hp?p_refno=030518-000043>
Alias: Win32.Palyh-A
Type: Internet Worm
Discovered: May 18, 2003
Size: 52.955KB
Platform: Microsoft Windows 9x/ME/NT/2000/XP


Description:

Worm/Palyh.A
<http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.p
hp?p_refno=030518-000043> is an Internet worm that spreads through e-mail by
using addresses it collects in the files with the following extensions,
.dbx, .eml, .htm, .html, .txt, and .wab.

The worm may arrive in via email in the following format:

From: support@xxxxxxxxxxxxx
Subject: (it will contain one of the following)

- Your Password
- Screensaver
- Re: Movie
- Your details
- Approved (Ref: 38446-263)
- Re: Approved (Ref: 3394-65467)
- Cool screensaver
- Re: My details
- Re: My application
- Re: Movie

Attachment: (it will contain one of the following)

- movie28.pif
- application.pif
- ref-394755.pif
- approved.pif
- doc_details.pif
- your_details.pif
- screen_temp.pif
- screen_doc.pif
- password.pif

If executed, the worm copies itself in the \windows\ directory under the
filename "mscon32.exe".

So that it gets run each time a user restart their computer the following
registry key gets added:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"System Tray"="C:\\WINDOWS\\MSCON32.EXE"

********************************************************
This Week's Sponsor - Emergent Online
EOL's Universal Printer new Features include:
Network Printing, Pagestreaming, 2400 DPI.
No Client Software Required!
http://www.go-eol.com/
**********************************************************

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm

• Follow-Ups:
  • [THIN] Re: VIRUS WARNING
    • From: abdellah

Other related posts:

• » [THIN] VIRUS WARNING
• » [THIN] Re: VIRUS WARNING
• » [THIN] Re: VIRUS WARNING
• » [THIN] Re: VIRUS WARNING

1. Home
2. thin
3. Archive
4. 05-2003

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---