Guest LilBambi Posted May 19, 2003

Well, before I even got word about this one this morning, I had already received an email claiming it was --
From: microsoft.com
Subject line: Approved (Ref: 38446-263)

No attachment although it referenced one. My ISP removes known viruses before sending emails on to me, so I am sure that is why there was no attachment.

I deleted it with no ill effect but as you will see from the following Symantec article, it was discovered the 18th and it is what Symantec classes as a Category 3 already!

w32.hllw.mankx@mm.html

It almost looks like the virus writer was testing the waters with this one. No really damaging payload to speak of (except the fact that it IS a MASS MAILING WORM with its own SMTP server built in) and it 'expires' at the end of this month. But boy, if that was what they were doing, I think they have proven they could do some real damage if they wanted to.
nlinecomputers Posted May 19, 2003

Hi everyone.

Better update your virus scanners. I just got sent a copy of Worm.Palyh.A in email. This is a brand new virus only 18 hours old. I got an update THIS MORNING from AVG and got sent the infected file 3 hours later. Somebody that has my email address in its address book is infected and it came from a rr.com email address. So all you guys using Road Runner ISP had best check your systems.

Tech details on the virus can be had here:
http://www.trendmicro.com/vinfo/virusencyc...me=WORM_PALYH.A
Borst Posted May 19, 2003

Thanks for the heads up!
Guest LilBambi Posted May 19, 2003

UPDATE:
This one has apparently been identified as the SoBig worm now!
W32.sobig.b@mm
Guest LilBambi Posted May 19, 2003

nlinecomputers --
I combined our two threads ... same thing, different names. Liked your topic title better but modified the description somewhat.
nlinecomputers Posted May 19, 2003

Fran,
No problem. Great minds think alike! 15 infected messages so far.
This is no drill. Man your battle stations! Ooouga! Ooouga!
Guest LilBambi Posted May 20, 2003

> Fran,
> No problem. Great minds think alike! 15 infected messages so far.
> This is no drill. Man your battle stations! Ooouga! Ooouga!

LOL! Wow! I haven't received any more personally. But I am sure I will hear from some clients over this one.
GolfProRM Posted May 20, 2003

Got one earlier this afternoon... Glad I've got this forum to keep me informed!! Better to not have to even deal with this virus than have to deal with getting rid of it!
Guest LilBambi Posted May 20, 2003

Yes, this worm has definitely been upgraded quickly. Hope it doesn't get any worse!

Because it is such a versatile worm, it can hit many people (in Windows, that is) very quickly.

I have enabled read messages in plain text only in Outlook Express. I also turn the attachment feature on/off as needed, and disable the Preview Pane entirely.

Those three things alone make using Lookout Express, (oops, little slip there...), I mean, Outlook Express much safer to use. And since it really is such a great little program overall, adding these safety features (which are built in to OE 6.x, BTW) certainly makes the overall experience much safer.

Plus I use the message source to help me decide if I want to even open a message in the first place. ;)

I just wish Microsoft would add the ability to have a button to toggle on/off for the attachment feature and the plain text feature right from the button bar. (Hmmm, wonder if Microsoft has a wishlist email address? LOL!)
GolfProRM Posted May 20, 2003

We just got an email warning at work sent from a Microsoft exec to our Network manager... thought I'd pass along the exact email to see what MS is saying..

> If anyone receives any e-mail from support@microsoft.com with attached files, delete it immediately. These are a mass-mailing e-mail worm. Our anti-virus software is recognizing the virus and taking care of the problem. It is best to just delete the e-mail.
>
> Here is some additional information from Microsoft:
>
> A new mass-mailing e-mail worm, which feigns a Microsoft.com origin, is spreading rapidly. Antivirus vendors say it can also spread via a local area network and can install spyware on a victim's PC.
>
> The Palyh, or Mankx, worm appears to come from support@microsoft.com, a forged address. It contains a file which, upon execution, self-propagates using e-mail addresses from files stored on the targeted system, but which can also spread to other Windows machines on a local area network (LAN). Although the file has a .pi or .pif extension, it is an .exe file. And because Windows processes files according to their internal structure rather than their extension, Windows runs the file as soon as the person double-clicks on it.
>
> Information on Bogus Microsoft Security Bulletin E-mail
>
> From time to time malicious individuals circulate e-mails that purport to be a Microsoft Security Bulletin or Patch. Some of the emails direct the reader to download an executable file from a web site, while others include an executable file which contains a virus. Customers who receive such an email should delete it, and under no circumstances should they download or run the executable.
>
> For more information see:
> http://www.microsoft.com/technet/treeview/.../patch_hoax.asp
>
> -John
>
> John Buscher
> Server MVP Lead
> Microsoft Communities Group
> MCSA, MCSE
Guest LilBambi Posted May 20, 2003

Thanks for posting that Ryan. Good info.

At Symantec, they are linking this particular viral threat to the W32.Sobig.B@mm page.

On the Symantec page it shows all the different names this one is going by at the different AV program's sites. I thought it would be good to know since we all use one of many different programs out there.

W32.Sobig.B@mm
Also Known As: W32.HLLW.Mankx@mm, W32/Palyh@MM [McAfee], W32/Palyh-A [Sophos], I-Worm.Palyh [KAV], WORM_PALYH.A [Trend], Win32.Palyh.A [CA]

The naming convention is often a bit strange, but if you read the definition of this viral threat, it really does appear to just be a variation on the W32.Sobig.B@mm.
Prelude76 Posted May 20, 2003

> Systems Not Affected: Macintosh, OS/2, UNIX, Linux

woooh, gonna boot into Linux tonite and ride out the storm
Peachy Posted May 20, 2003

This bears repeating: Microsoft DOES NOT (never has, never will) send out email warnings of security flaws or vulnerabilities nor warnings of virii. When you see those messages they are mass mailing worms.
GolfProRM Posted May 20, 2003

> This bears repeating: Microsoft DOES NOT (never has, never will) send out email warnings of security flaws or vulnerabilities nor warnings of virii. When you see those messages they are mass mailing worms.

Peachy... for the most part, I agree with you, with this exception... I personally know the guy that sent out that email to our company... He's been working with our company dealing with getting new customers converted to Win2k3 server as well as some other things... This isn't just some random email from MS, this is an email from someone I know that works for MS...
Guest LilBambi Posted May 20, 2003

Also, if you do happen to get this worm, Symantec does offer a free removal tool at the following site:
W32.Sobig.B@mm

Just click on the link for the free removal tool listed on the page.
jbredmound Posted May 21, 2003

I think this is an update.

I haven't gotten anything, but then I am with a relatively small ISP, so maybe that reduces my targetness (You know, like "Yes, your targetness" and "No, your targetness").

Worm, worm, everywhere a worm....
georgeg4 Posted May 28, 2003

There is a new virus circulating, in case you have not heard of it. It is from support at microsoft, and according to a support tech I talked to it started at MicroSoft two weeks ago. It is called I-worm/palyh.a and it will only last two days if you open it.
zox Posted May 28, 2003

I got it yesterday and it came with an attachment "approved.pif" that contained the virus.

Even though it said it is from "support@microsoft" I don't believe it is really from them :)

It infected my Inbox in Foxmail and F-prot caught it but just couldn't get rid of it.

I finally booted in safe mode and deleted the inbox. Scanned after and it looks like that got rid of it.

Nasty thing
greengeek Posted May 28, 2003

I don't open anything from MS.
georgeg4 Posted May 28, 2003

My AVG6 removed it with no problems
Hawkfan Posted May 28, 2003

> I got it yesterday and it came with an attachment "approved.pif" that contained the virus.
> Even though it said it is from "support@microsoft" I don't believe it is really from them

If you still had the email you could take a good look through the message headers and you would probably find the location from where it was sent.
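The two checks this thread points at, reading the Received: chain instead of trusting the From: line (Hawkfan, above) and spotting an executable hiding behind a .pif name (the forwarded Microsoft note earlier), as an added Python example that is not part of the original thread or any vendor's code. The message, hostnames and addresses are constructed for illustration; the hostname-suffix comparison is a simple heuristic, not an authentication check.

```python
import email
import re
from email import policy

# Constructed sample (not a real capture): forged support@microsoft.com sender,
# Received chain from an unrelated host, .pif attachment starting with "MZ".
SAMPLE_MESSAGE = b"""Received: from mail.example-isp.test ([192.0.2.10])
\tby mx.recipient.test with ESMTP; Mon, 19 May 2003 09:00:00 -0400
Received: from cable-12-34.example-isp.test ([192.0.2.55])
\tby mail.example-isp.test with SMTP; Mon, 19 May 2003 08:59:58 -0400
From: support@microsoft.com
Subject: Approved (Ref: 38446-263)
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: application/octet-stream; name="approved.pif"
Content-Disposition: attachment; filename="approved.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA
--XX--
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)

def originating_host(msg):
    # Bottom-most Received: line is the hop closest to the real sender; each
    # relay prepends its own line, so the From: header proves nothing by itself.
    received = msg.get_all("Received") or []
    match = RECEIVED_FROM.match(received[-1].strip()) if received else None
    return match.group(1) if match else None

def sender_domain(msg):
    return msg["From"].addresses[0].domain.lower()  # structured header parsing

def disguised_executables(msg):
    # Non-.exe names whose bytes carry the MZ header Windows runs anyway.
    flagged = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_content()
        if isinstance(data, bytes) and data[:2] == b"MZ" and not name.endswith(".exe"):
            flagged.append(name)
    return flagged

def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    host = originating_host(msg)
    forged = host is not None and not host.lower().endswith(sender_domain(msg))
    return {"origin": host, "forged_sender": forged, "disguised": disguised_executables(msg)}
```

Running `triage(SAMPLE_MESSAGE)` reports the cable-modem host as the origin, flags the microsoft.com sender as not matching it, and lists approved.pif as a disguised executable.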
Guest LilBambi Posted May 28, 2003

georgeg4 --
Yes, this one may not be long lasting, but it is a pain in the keester. Seems it is still causing problems for folks. It has many different attachments but it always says it is from microsoft.com ... which it is not. Virus writers trying to be humorous, I guess.

* merged with existing thread on this subject to keep it all together.
mac Posted May 28, 2003

> This bears repeating: Microsoft DOES NOT (never has, never will) send out email warnings of security flaws or vulnerabilities nor warnings of virii. When you see those messages they are mass mailing worms.

Microsoft does have a service where they will send you bulletins about security/vulnerability flaws:
MS security bulletin sign-up page

I last received one on 5/9/03. However, they do not attach the update/security patch to the email. You have to go to the website referenced in the email or to the Windows Update site to D/L the update/patch.

> I just wish Microsoft would add the ability to have a button to toggle on/off for the attachment feature and the plain text feature right from the button bar. (Hmmm, wonder if Microsoft has a wishlist email address? LOL!)

Actually, if you check out the MS newsgroups - news.microsoft.com, there are a couple of active groups where people can post suggestions: microsoft.public.isa.wishlist and microsoft.public.windows.inetexplorer.ie6.outlookexpress.wishlist.

Mac
Cluttermagnet Posted May 28, 2003

> Well, before I even got word about this one this morning, I had already received an email claiming it was --
> From: microsoft.com
> Subject line: Approved (Ref: 38446-263)
> No attachment although it referenced one. My ISP removes known viruses before sending emails on to me, so I am sure that is why there was no attachment.
> I deleted it with no ill effect (snip)

Thanks, LilBambi-

Thinking back as I read this thread, I remembered I did spot an email from microsoft.com on my ISP server maybe 2-3 days ago. I don't seem to recall any references to attachments (or not). I think the subject of mine was either Approved (Ref: 38446-263) or Re: Approved (Ref: 3394-65467)- probably without the "Re:". It was an obvious 'delete without downloading/reading', let alone clicking open any attachments. Besides, I knew it had to be bogus as I have had no recent dealings with microsoft that would have triggered an email on this or any other subject.

I'm thinking of a newbie friend who bought a big, well-loaded Dell box, and hoping that he will not get suckered. I doubt that is going to be the case, as I began leaning very hard on him about security the first time we started talking about his new computer. In fact, he really got into it, doing the 'let's report hacker probes' networking crowd thing, etc. I think he is already worldly wise about all the traps and snares, including 'drive by' software downloads to folks using IE as he does.
Jeber Posted May 28, 2003

Notice to all...

I pinned this topic and will leave it pinned for a while, at least until the danger has passed. This topic has gotten a lot of views and was mentioned in the newsletter, so a lot more people will no doubt want to read it. Please keep posting updates and further info. Good work all, especially LilBambi and Georgeg4, who brought this to our attention before most other newsletters were even aware of the worm.
zox Posted May 28, 2003 (edited)

I got it again today (the virus), this time F-prot got rid of it without a hiccup.

Another in the afternoon, what, is it getting worse??

Edited May 28, 2003 by zox
Guest LilBambi Posted May 29, 2003

Thanks Jack ... that was a great idea to 'pin' oh, I mean, 'sticky' this one LOL! This one comes in many varieties and folks need to be aware. Especially since I don't think this is the last of this one even when it expires.

I still really think they were testing the waters ..... and the waters were pretty darn nice, unfortunately. I think we will need to be on our toes with this one ... I would expect the next variation to carry a heftier payload.
Cluttermagnet Posted May 30, 2003

I found another copy of this one on my ISP server tonight. This makes 2 in about the last 3-4 days. Deleted on the server with Mailwasher. It had the usual microsoft.com forged address and I think the subject line this time was either "Re: My details" or perhaps "Your details". Whatever. So this one rages on.
Cluttermagnet Posted June 3, 2003

I just viewed on my ISP server what looks like a new variant of the recent 'microsoft' virus email. I say new because the size has increased over the past specimens (122.8K vs. about 60K+ before). Also the address line and the subject are both 'new': from "wmcfeed@microsoft.com", subject "a very good tool". Deleted on the server.
GolfProRM Posted June 3, 2003

Yup... IT'S BACK!!!
http://apnews.myway.com//article/20030602/.../D7RDRRM00.html

Seems to be a bit nastier this time...