May 19, 2003, 8:53 AM — A new mass mailing e-mail worm is spreading on the Internet, masking itself as a message from Microsoft Corp.'s support organization.
The new worm is known both as W32/Palyh and W32.HLLW.Mankx@mm and arrives as an executable attachment to e-mail messages with a variety of subjects and messages. All messages containing the new virus purport to come from the same address: firstname.lastname@example.org, according to alerts posted by a number of leading antivirus software vendors.
Subject lines for messages delivering the virus include messages such as "Re: My application," "Your password," and "Approved (Ref: 38446-263)." Attachment files containing the new virus have a .PIF file extension and use names such as "password.pif," "doc_details.pif" and "ref-394755.pif," according to F-Secure Corp. of Helsinki, Finland.
The virus can only be released when a user clicks on the attachment file, F-Secure said.
Once released, however, the virus code modifies the Windows registry so that the worm program is launched whenever Windows is run. It also searches an infected computer for files containing e-mail addresses that it can mail itself to.
The Microsoft Windows address book as well as a variety of other files are searched for e-mail addresses, according to an alert by McAfee Security, part of Network Associates Inc.
A file, "hnks.ini" is created to hold all the e-mail messages that the worm locates and those addresses are targeted with e-mail messages from the infected machine that contain the worm, according to F-Secure.
The virus also looks for computers that are accessible through shared directories on a network and copies itself to those machines, F-Secure said.
Although the new worm preys upon machines running the Windows operating system, users do not need to have Microsoft's popular Outlook or Outlook Express e-mail programs installed for the worm to spread itself. Code in the new virus enables it to send out its own e-mail messages, according to an alert from Sophos PLC.
Leading antivirus vendors advised their customers to update their antivirus software to detect the new worm. Vendors also posted directions for stopping the virus and removing it from infected machines.
In addition, infected users might consider contacting the addresses listed in the virus's hnks.ini file, warning them about the infection, F-Secure said.
Microsoft is a frequent target of virus writers, who often disguise viruses and other attacks as messages or bulletins from Microsoft's technical support organization.
The Redmond, Washington, company's official policy is that it does not distribute any software using e-mail, preferring to use CDs or its Web site to dispense new software and software updates.