Jump to content
Sign in to follow this  
LilBambi

Virus Warning

Recommended Posts

Well, before I even got word about this one this morning, I had already received an email claiming it was --From: microsoft.comSubject line: Approved (Ref: 38446-263) No attachment although it referenced one. My ISP removes known viruses before sending emails on to me, so I am sure that is why there was no attachment.I deleted it with no ill effect but as you will see from the following Symantec article, it was discovered the 18th and it is what Symantec classes as a Category 3 already!w32.hllw.mankx@mm.htmlIt almost looks like the Virus writer was testing the waters with this one. No really damaging payload to be speaking about (except the fact that it IS a MASS MAILING WORM with its own SMTP server built in) and it 'expires' at the end of this month. But boy, if that was what they were doing, I think they have proven they could do some real damage if they wanted to. :D

Share this post


Link to post
Share on other sites

Hi everyone.Better update your virus scanners. I just got sent a copy of Worm.Palyh.A in email. This is a brand new virus only 18 hours old. I got an update THIS MORNING from AVG and got sent the infected file 3 hours later. Somebody that has my email address in its address book is infected and it came from a rr.com email address. So all you guys using Road Runner ISP had best check your systems.Tech details on the virus can be had here:http://www.trendmicro.com/vinfo/virusencyc...me=WORM_PALYH.A

Share this post


Link to post
Share on other sites

nlinecomputers --I combined our two threads ... same thing different names. Liked your Topic Title better but modified the description somewhat. ;)

Share this post


Link to post
Share on other sites

Fran,No problem. Great minds think alike! 15 infected messages so far.This is no drill. Man your battle stations! Ooouga! Ooouga!

Share this post


Link to post
Share on other sites
Fran,No problem.  Great minds think alike!  15 infected messages so far.This is no drill.  Man your battle stations!  Ooouga! Ooouga!
LOL! :o Wow! I haven't received any more personally. But I am sure I will hear from some clients over this one.

Share this post


Link to post
Share on other sites

Got one earlier this afternoon... Glad I've got this forum to keep me informed!! Better to not have to even deal with this virus than have to deal with getting rid of it! :o

Share this post


Link to post
Share on other sites

Yes, this worm has definitely been upgraded quickly. Hope it doesn't get any worse!Because it is so versatile of a worm, it can hit many people (in Windows that is), very quickly.I have enabled read messages in plain text only in Outlook Express. I also turn the attachment feature on/off as needed, and disable the Preview Pane entirely.Those three things alone make using Lookout Express, (oops, little slip there...), I mean, Outlook Express much safer to use. And since it really is such a great little program overall, adding these safety features (which are built in to OE 6.x, BTW), certainly makes the overall experience much safer.Plus I use the message source to help me decide if I want to even open a message in the first place. ;)I just wish Microsoft would add the ability to have a button to toggle on/off for the attachment feature and the plain text feature right from the button bar. (Hmmm, wonder if Microsoft has a wishlist email address? LOL!)

Share this post


Link to post
Share on other sites

We just an email warning at work sent from a Microsoft exec to our Network manager... thought I'd pass along the exact email to see what MS is saying..

If anyone receives any e-mail from support@microsoft.com with attached files, delete it immediately. These are a mass-mailing e-mail worm. Our anti-virus software is recognizing the virus and taking care of the problem. It is best to just delete the e-mail. Here is some additional information from Microsoft: A new mass-mailing e-mail worm, which feigns a Microsoft.com origin,is spreading rapidly. Antivirus vendors say it can also spread via alocal area network and can install spyware on a victim's PC. The Palyh, or Mankx, worm appears to come from support@microsoft.com,a forged address. It contains a file which, upon execution,self-propagates using e-mail addresses from files stored on thetargeted system, but which can also spread to other Windows machineson a local area network (LAN). Although the file has a .pi or .pifextension, it is an .exe file. And because Windows processes filesaccording to their internal structure than their extension, Windowsruns the file as soon as the person double-clicks on it. Information on Bogus Microsoft Security Bulletin E-mail From time to time malicious individuals circulate e-mails that purportto be a Microsoft Security Bulletin or Patch. Some of the emailsdirect the reader to download an executable file from a web site-while others include an executable file which contains a virus.Customers who receive such an email should delete it, and under nocircumstances should they download or run the executable. For more information see:http://www.microsoft.com/technet/treeview/.../patch_hoax.asp-John John BuscherServer MVP LeadMicrosoft Communities GroupMCSA, MCSE

Share this post


Link to post
Share on other sites

Thanks for posting that Ryan. Good info.At Symantec, they are linking this particular viral threat to the W32.Sobig.B@mm page.On the Symantec page it shows all the different names this one is going by at the different AV program's sites. I thought it would be good to know since we all use one of many different programs out there.

W32.Sobig.B@mmAlso Known As: W32.HLLW.Mankx@mm, W32/Palyh@MM [McAfee], W32/Palyh-A [sophos], I-Worm.Palyh [KAV], WORM_PALYH.A [Trend], Win32.Palyh.A [CA]
The naming convention is often a bit strange, but if you read the definition of this viral threat, it really does appear to just be a variation on the W32.Sobig.B@mm

Share this post


Link to post
Share on other sites

Systems Not Affected: Macintosh, OS/2, UNIX, Linuxwoooh, gonna boot into Linux tonite and ride out the storm :angry:

Share this post


Link to post
Share on other sites

This bears repeating: Microsoft DOES NOT (never has, never will) send out email warnings of security flaws or vulnerabilities nor warnings of virii. When you see those messages they are mass mailing worms.

Share this post


Link to post
Share on other sites
This bears repeating: Microsoft DOES NOT (never has, never will) send out email warnings of security flaws or vulnerabilities nor warnings of virii. When you see those messages they are mass mailing worms.
Peachy... for the most part, I agree with you, with this exception... I personally know the guy that sent out that email to our company... He's been working with our company dealing with getting new customers converted to Win2k3 server as well as some other things... This isn't just some random email from MS, this is an email from someone I know that works for MS...

Share this post


Link to post
Share on other sites

Also, if you do happen to get this worm, Symantec does offer a free removal tool at the following site:W32.Sobig.B@mmJust click on the link for the free removal tool listed on the page.

Share this post


Link to post
Share on other sites

I think this is an update.I haven't gotten anything, but then I am with a relatively small ISP, so maybe that reduces my targetness (You know, like "Yes, your targetness" and "No, your targetness".Worm,worm, everywhere a worm....

Share this post


Link to post
Share on other sites

There is a new virus circulating in case you have not heard of it it is from support at microsoft And according to a support tech I talked to it started at MicroSoft two weeks ago . It is called I-worm/palyh.a and it will only last two days if you open it

Share this post


Link to post
Share on other sites

I've got it yesterday and came with attachment "approved.pif" that contained virus.Even though ii said it is from "support@microsoft" I don't believe it is really from them :)It infected my Inbox in Foxmail and F-prot caught it but just couldn't get rid of it.I finally booted in safe mode and deleted inbox.Scanned after and it looks like that got rid of it B) Nasty thing B)

Share this post


Link to post
Share on other sites
I've got it yesterday and came with attachment "approved.pif" that contained virus.Even though ii said it is from "support@microsoft" I don't believe it is really from them :rolleyes:
If you still had the email you could take a good look through the message headers and you would probably find the location from where it was sent.

Share this post


Link to post
Share on other sites

georgeg4 --Yes, this one may not be long lasting, but it is a pain in the keester. Seems it is still causing problems for folks. It has many different attachments but it always says it is from microsoft.com ... which it is not. Virus writers trying to be humerous, I guess :rolleyes:* merged with existing thread on this subject to keep it all together.

Share this post


Link to post
Share on other sites
This bears repeating: Microsoft DOES NOT (never has, never will) send out email warnings of security flaws or vulnerabilities nor warnings of virii. When you see those messages they are mass mailing worms.
Microsoft does have a service where they will send you bulletins about security/vulnerability flaws:MS security bulletin sign-up page I last received one on 5/9/03. However, they do not attach the update/security patch to the email. You have to go to the website referenced in the email or to the Windows Update site to D/L the update/patch.
I just wish Microsoft would add the ability to have a button to toggle on/off for the attachment feature and the plain text feature right from the button bar. (Hmmm, wonder if Microsoft has a wishlist email address? LOL!)
Actually, if you check out the MS newsgroups - news.microsoft.com, there are a couple of active groups where people can post suggestions: microsoft.public.isa.wishlist and microsoft.public.windows.inetexplorer.ie6.outlookexpress.wishlist.Mac

Share this post


Link to post
Share on other sites
Well, before I even got word about this one this morning, I had already received an email claiming it was --From: microsoft.comSubject line: Approved (Ref: 38446-263) No attachment although it referenced one. My ISP removes known viruses before sending emails on to me, so I am sure that is why there was no attachment.I deleted it with no ill effect (snip)
Thanks, LilBambi-Thinking back as I read this thread, I remembered I did spot an email from microsoft.com on my ISP server maybe 2-3 days ago. I don't seem to recall any references to attachments (or not). I think the subject of mine was either Approved (Ref: 38446-263) or Re: Approved (Ref: 3394-65467)- probably without the "Re:". It was an obvious 'delete without downloading/reading', let alone clicking open any attachments. Besides, I knew it had to be bogus as I have had no recent dealings with microsoft that would have triggered an email on this or any other subject. I'm thinking of a newbie friend who bought a big, well-loaded Dell box, and hoping that he will not get suckered. I doubt that is going to be the case, as I began leaning very hard on him about security the first time we started talking about his new computer. In fact, he really got into it, doing the 'let's report hacker probes' networking crowd thing, etc. I think he is already worldly wise about all the traps and snares, including 'drive by' software downloads to folks using IE as he does. B)

Share this post


Link to post
Share on other sites

Notice to all...I pinned this topic and will leave it pinned for a while, at least until the danger has passed. This topic has gotten a lot of views and was mentioned in the newsletter, so a lot more people will no doubt want to read it. Please keep posting updates and further info. Good work all, especially LilBambi and Georgeg4, who brought this to our attention before most other newsletters were even aware of the worm.

Share this post


Link to post
Share on other sites

I've got it again today (the virus), this time F-prot got rid of it without hickup.Another in the afternoon, what is it getting worse?? B)

Edited by zox

Share this post


Link to post
Share on other sites

Thanks Jack ... that was a great idea to 'pin' oh, I mean, 'sticky' this one LOL! :) This one comes in many varieties and folks need to be aware. Especially since I don't think this is the last of this one even when it expires.I still really think they were testing the waters ..... and the waters were pretty darn nice, unfortunately :) I think we will need to be on our toes with this one ... I would expect the next variation to carry a heftier payload :)

Share this post


Link to post
Share on other sites

I found another copy of this one on my ISP server tonight. This makes 2 in about the last 3-4 days. Deleted on the server with Mailwasher. It had the ususal microsoft.com forged address and I think the subject line this time was either "Re: My details" or perhaps "Your details". Whatever. So this one rages on. :rolleyes:

Share this post


Link to post
Share on other sites

I just viewed on my ISP server what looks like a new variant of the recent 'microsoft' virus email. I say new because the size has increased over the past specimens (122.8K vs. about 60K+ before). Also the address line and the subject are both 'new': from "wmcfeed@microsoft.com", subject "a very good tool". Deleted on the server. :(

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×
×
  • Create New...