Virus Warning



#1 LilBambi

Posted 19 May 2003 - 11:47 AM

Well, before I even got word about this one this morning, I had already received an email claiming it was --
From: microsoft.com
Subject line: Approved (Ref: 38446-263)
No attachment although it referenced one. My ISP removes known viruses before sending emails on to me, so I am sure that is why there was no attachment.
I deleted it with no ill effect but as you will see from the following Symantec article, it was discovered the 18th and it is what Symantec classes as a Category 3 already!
w32.hllw.mankx@mm.html
It almost looks like the Virus writer was testing the waters with this one. No really damaging payload to be speaking about (except the fact that it IS a MASS MAILING WORM with its own SMTP server built in) and it 'expires' at the end of this month. But boy, if that was what they were doing, I think they have proven they could do some real damage if they wanted to. :D
Bambi
AKA Fran

My Public Key for Email :: BambisMusings Blog :: Fran's Computer Services Blog :: MyPassionIsBooks Blog :: 5BuckReview :: CNIRadio
"The Net interprets censorship as damage and routes around it." ~John Gilmore (Time Magazine, Dec 6, 1993)

#2 nlinecomputers

Posted 19 May 2003 - 02:47 PM

Hi everyone.
Better update your virus scanners. I just got sent a copy of Worm.Palyh.A in email. This is a brand new virus only 18 hours old. I got an update THIS MORNING from AVG and got sent the infected file 3 hours later. Somebody that has my email address in its address book is infected and it came from a rr.com email address. So all you guys using Road Runner ISP had best check your systems.
Tech details on the virus can be had here:
http://www.trendmicr...me=WORM_PALYH.A
Nathan Williams, N-Line Computers

How to kill a programmer:  Give him a shampoo bottle.  Lather, Rinse, Repeat.

#3 Borst

Posted 19 May 2003 - 02:51 PM

Thanks for the heads up!

#4 LilBambi

Posted 19 May 2003 - 02:52 PM

UPDATE:
This one has apparently been identified as the SoBig Worm now!
W32.sobig.b@mm

#5 LilBambi

Posted 19 May 2003 - 02:57 PM

nlinecomputers --
I combined our two threads ... same thing, different names. Liked your Topic Title better but modified the description somewhat. ;)

#6 nlinecomputers

Posted 19 May 2003 - 03:35 PM

Fran,
No problem. Great minds think alike! 15 infected messages so far.
This is no drill. Man your battle stations! Ooouga! Ooouga!

#7 LilBambi

Posted 19 May 2003 - 08:51 PM

nlinecomputers, on May 19 2003, 03:35 PM, said:

Fran,
No problem. Great minds think alike! 15 infected messages so far.
This is no drill. Man your battle stations! Ooouga! Ooouga!
LOL!  :o Wow! I haven't received any more personally. But I am sure I will hear from some clients over this one.

#8 GolfProRM

Posted 19 May 2003 - 08:53 PM

Got one earlier this afternoon...  Glad I've got this forum to keep me informed!!  Better to not have to even deal with this virus than have to deal with getting rid of it! :o

#9 LilBambi

Posted 20 May 2003 - 12:35 PM

Yes, this worm has definitely been upgraded quickly. Hope it doesn't get any worse!
Because it is so versatile of a worm, it can hit many people (in Windows that is), very quickly.
I have enabled read messages in plain text only in Outlook Express. I also turn the attachment feature on/off as needed, and disable the Preview Pane entirely.
Those three things alone make using Lookout Express, (oops, little slip there...), I mean, Outlook Express much safer to use. And since it really is such a great little program overall, adding these safety features (which are built in to OE 6.x, BTW), certainly makes the overall experience much safer.
Plus I use the message source to help me decide if I want to even open a message in the first place. ;)
I just wish Microsoft would add the ability to have a button to toggle on/off for the attachment feature and the plain text feature right from the button bar. (Hmmm, wonder if Microsoft has a wishlist email address? LOL!)

#10 GolfProRM

Posted 20 May 2003 - 01:28 PM

We just got an email warning at work, sent from a Microsoft exec to our Network manager... thought I'd pass along the exact email to see what MS is saying..

Quote

If anyone receives any e-mail from support@microsoft.com with attached files, delete it immediately. These are a mass-mailing e-mail worm. Our anti-virus software is recognizing the virus and taking care of the problem. It is best to just delete the e-mail. Here is some additional information from Microsoft:

A new mass-mailing e-mail worm, which feigns a Microsoft.com origin, is spreading rapidly. Antivirus vendors say it can also spread via a local area network and can install spyware on a victim's PC.

The Palyh, or Mankx, worm appears to come from support@microsoft.com, a forged address. It contains a file which, upon execution, self-propagates using e-mail addresses from files stored on the targeted system, but which can also spread to other Windows machines on a local area network (LAN). Although the file has a .pi or .pif extension, it is an .exe file. And because Windows processes files according to their internal structure rather than their extension, Windows runs the file as soon as the person double-clicks on it.

Information on Bogus Microsoft Security Bulletin E-mail

From time to time malicious individuals circulate e-mails that purport to be a Microsoft Security Bulletin or Patch. Some of the emails direct the reader to download an executable file from a web site, while others include an executable file which contains a virus. Customers who receive such an email should delete it, and under no circumstances should they download or run the executable. For more information see: http://www.microsoft.../patch_hoax.asp

-John
John Buscher
Server MVP Lead
Microsoft Communities Group
MCSA, MCSE


#11 LilBambi

Posted 20 May 2003 - 01:41 PM

Thanks for posting that Ryan. Good info.
At Symantec, they are linking this particular viral threat to the W32.Sobig.B@mm page.
On the Symantec page it shows all the different names this one is going by at the different AV program's sites. I thought it would be good to know since we all use one of many different programs out there.

Quote

W32.Sobig.B@mm
Also Known As: W32.HLLW.Mankx@mm, W32/Palyh@MM [McAfee], W32/Palyh-A [Sophos], I-Worm.Palyh [KAV], WORM_PALYH.A [Trend], Win32.Palyh.A [CA]
The naming convention is often a bit strange, but if you read the definition of this viral threat, it really does appear to just be a variation on the W32.Sobig.B@mm

#12 Prelude76

Posted 20 May 2003 - 02:47 PM

Systems Not Affected: Macintosh, OS/2, UNIX, Linux
woooh, gonna boot into Linux tonite and ride out the storm :angry:

#13 Peachy

Posted 20 May 2003 - 05:09 PM

This bears repeating: Microsoft DOES NOT (never has, never will) send out email warnings of security flaws or vulnerabilities nor warnings of virii. When you see those messages they are mass mailing worms.

'freedom...is actually the reason that men live together in political organisations at all. Without it, political life as such would be meaningless. The raison d'Être of politics is freedom, and its field of experience is action'.
My Flickr Photo Blog
del.icio.us bookmarks


#14 GolfProRM

Posted 20 May 2003 - 05:13 PM

Peachy, on May 20 2003, 04:09 PM, said:

This bears repeating: Microsoft DOES NOT (never has, never will) send out email warnings of security flaws or vulnerabilities nor warnings of virii. When you see those messages they are mass mailing worms.
Peachy... for the most part, I agree with you, with this exception...  I personally know the guy that sent out that email to our company...  He's been working with our company dealing with getting new customers converted to Win2k3 server as well as some other things...  This isn't just some random email from MS, this is an email from someone I know that works for MS...

#15 LilBambi

Posted 20 May 2003 - 05:23 PM

Also, if you do happen to get this worm, Symantec does offer a free removal tool at the following site:
W32.Sobig.B@mm
Just click on the link for the free removal tool listed on the page.

#16 jbredmound

Posted 20 May 2003 - 08:04 PM

I think this is an update.
I haven't gotten anything, but then I am with a relatively small ISP, so maybe that reduces my targetness (You know, like "Yes, your targetness" and "No, your targetness").
Worm, worm, everywhere a worm....

#17 georgeg4

Posted 27 May 2003 - 08:36 PM

There is a new virus circulating, in case you have not heard of it. It is from support at microsoft and, according to a support tech I talked to, it started at Microsoft two weeks ago. It is called I-worm/palyh.a and it will only last two days if you open it.

MY FORUM  George's Message Board

Ubuntu 11.04 in laptop and 12.04 in desktop , Firefox 14.01

Even scholars use pencils with erasers

#18 zox

Posted 27 May 2003 - 09:02 PM

I got it yesterday and it came with attachment "approved.pif" that contained the virus.
Even though it said it is from "support@microsoft" I don't believe it is really from them :)
It infected my Inbox in Foxmail and F-prot caught it but just couldn't get rid of it.
I finally booted in safe mode and deleted the inbox.
Scanned after and it looks like that got rid of it B) Nasty thing B)

#19 greengeek

Posted 27 May 2003 - 09:31 PM

:rolleyes: I don't open anything from MS.

#20 georgeg4

Posted 27 May 2003 - 10:39 PM

My AVG6 removed it with no problems

#21 Hawkfan

Posted 27 May 2003 - 10:44 PM

zox, on May 27 2003, 08:02 PM, said:

I got it yesterday and it came with attachment "approved.pif" that contained the virus.
Even though it said it is from "support@microsoft" I don't believe it is really from them :rolleyes:
If you still had the email you could take a good look through the message headers and you would probably find the location from where it was sent.
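A way to automate the three checks this thread turns on: the forged support@microsoft.com sender and the ".pif that is really an .exe" point from the Microsoft notice GolfProRM quoted in #10, and Hawkfan's suggestion above to read the Received headers to find where a message actually came from. This is an added example, not code from any poster here; it uses only Python's standard email module, and the message, hostnames and 192.0.2.x address are constructed for the demo (the attachment is a stub that merely starts with the "MZ" bytes, not a real program).

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

RUNNABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}  # Windows runs these as programs

def build_sample() -> bytes:
    """Constructed message in the shape the thread describes (not a real sample)."""
    msg = EmailMessage()
    # Each relay prepends its own Received header, so the top one is the newest
    # hop and the bottom one is the hop closest to the real sender.
    msg["Received"] = "from mail.example-isp.net by mx.recipient.example; Mon, 26 May 2003 09:12:01 -0400"
    msg["Received"] = "from cpe-192-0-2-55.example.net ([192.0.2.55]) by mail.example-isp.net; Mon, 26 May 2003 09:11:58 -0400"
    msg["From"] = "support@microsoft.com"  # forged sender, as reported in the thread
    msg["Subject"] = "Approved (Ref: 38446-263)"
    msg.set_content("Please see the attached file.")
    # Stub that merely starts with the PE "MZ" magic; it is NOT a real program.
    stub = b"MZ" + b"\x00" * 6 + b"constructed stub, not a real executable"
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="approved.pif")
    return msg.as_bytes()

def origin_host(msg):
    """'from' token of the bottom-most Received header (closest to the real sender)."""
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+(\S+)", str(received[-1])) if received else None
    return m.group(1) if m else None

def suspicious_attachments(msg):
    """Attachments with a runnable extension and/or a PE (MZ) header."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        is_pe = data[:2] == b"MZ"  # content check: a .pif that is really a PE file
        if ext in RUNNABLE_EXTS or is_pe:
            found.append({"filename": name, "ext": ext, "pe_magic": is_pe})
    return found

def triage(raw: bytes) -> dict:
    """Run the thread's checks (forged sender, first hop, executable attachment)."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    host = origin_host(msg)
    findings = []
    if sender_domain == "microsoft.com":  # Microsoft does not mail patches as attachments
        findings.append("sender claims microsoft.com")
    if host and not host.lower().endswith("." + sender_domain):
        findings.append(f"first hop {host} is outside claimed domain {sender_domain}")
    for att in suspicious_attachments(msg):
        findings.append(f"executable attachment {att['filename']} (MZ={att['pe_magic']})")
    return {"origin": host, "sender_domain": sender_domain, "findings": findings}
```

Feed `triage()` the raw bytes of a saved .eml file instead of `build_sample()` to run the same checks on a real message; the bottom Received header is the only hop you can trust less than the ones above it, since anything below the first relay you control can be forged too.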

#22 LilBambi

Posted 27 May 2003 - 11:34 PM

georgeg4 --
Yes, this one may not be long lasting, but it is a pain in the keester. Seems it is still causing problems for folks. It has many different attachments but it always says it is from microsoft.com ... which it is not. Virus writers trying to be humorous, I guess :rolleyes:
* merged with existing thread on this subject to keep it all together.

#23 mac

Posted 28 May 2003 - 10:24 AM

Quote

This bears repeating: Microsoft DOES NOT (never has, never will) send out email warnings of security flaws or vulnerabilities nor warnings of virii. When you see those messages they are mass mailing worms.
Microsoft does have a service where they will send you bulletins about security/vulnerability flaws: MS security bulletin sign-up page. I last received one on 5/9/03. However, they do not attach the update/security patch to the email. You have to go to the website referenced in the email or to the Windows Update site to D/L the update/patch.

Quote

I just wish Microsoft would add the ability to have a button to toggle on/off for the attachment feature and the plain text feature right from the button bar. (Hmmm, wonder if Microsoft has a wishlist email address? LOL!)
Actually, if you check out the MS newsgroups - news.microsoft.com, there are a couple of active groups where people can post suggestions: microsoft.public.isa.wishlist and microsoft.public.windows.inetexplorer.ie6.outlookexpress.wishlist.
Mac
"Long ago, when men cursed and beat the ground with sticks,
it was called witchcraft. Today it's called golf." -- Will Rogers (1879-1935)

#24 Cluttermagnet

Posted 28 May 2003 - 01:13 PM

LilBambi, on May 19 2003, 10:47 AM, said:

Well, before I even got word about this one this morning, I had already received an email claiming it was --
From: microsoft.com
Subject line: Approved (Ref: 38446-263)
No attachment although it referenced one. My ISP removes known viruses before sending emails on to me, so I am sure that is why there was no attachment.
I deleted it with no ill effect (snip)
Thanks, LilBambi-
Thinking back as I read this thread, I remembered I did spot an email from microsoft.com on my ISP server maybe 2-3 days ago. I don't seem to recall any references to attachments (or not). I think the subject of mine was either Approved (Ref: 38446-263) or Re: Approved (Ref: 3394-65467)- probably without the "Re:". It was an obvious 'delete without downloading/reading', let alone clicking open any attachments. Besides, I knew it had to be bogus as I have had no recent dealings with microsoft that would have triggered an email on this or any other subject. I'm thinking of a newbie friend who bought a big, well-loaded Dell box, and hoping that he will not get suckered. I doubt that is going to be the case, as I began leaning very hard on him about security the first time we started talking about his new computer. In fact, he really got into it, doing the 'let's report hacker probes' networking crowd thing, etc. I think he is already worldly wise about all the traps and snares, including 'drive by' software downloads to folks using IE as he does. B)

#25 Jeber

Posted 28 May 2003 - 01:16 PM

Notice to all...
I pinned this topic and will leave it pinned for a while, at least until the danger has passed. This topic has gotten a lot of views and was mentioned in the newsletter, so a lot more people will no doubt want to read it. Please keep posting updates and further info. Good work all, especially LilBambi and Georgeg4, who brought this to our attention before most other newsletters were even aware of the worm.
