Palyh is a mass-mailing e-mail worm which also spreads through Windows network shares.
During late 18th of May / early 19th of May 2003, F-Secure received several submissions of this virus from USA, UK, Denmark and New Zealand.
The worm itself is a Windows PE EXE file, written in Microsoft Visual C++ and compressed with UPX. The size of the e-mail attachment varies between around 49000 and 54000 bytes. When uncompressed, the virus code is about 110kB in size.
The worm activates from infected e-mails only if the user clicks on the infected attachment. After this the worm installs itself and starts to spread further.
While installing, the worm copies itself to the WINDOWS directory as "msccn32.exe". Then it registers itself in the system registry under the following auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
Because of a bug the worm sometimes copies itself to the wrong directory (such as the root or the current directory). In these cases the worm stays active only until the next reboot.
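The following is an added detection example, not part of the original F-Secure description. It parses a constructed Windows registry export (.reg format) and reports any Run-key value whose data points at a file named msccn32.exe, the file name and auto-run location given above. It also records whether the path sits in the Windows directory (a normal install) or somewhere else, which is the mis-installed case described in the paragraph above. The sample export, the function names and the assumed Windows directory C:\Windows are all constructed for this example.

```python
import re
import ntpath

# Constructed sample of a Windows registry export; it is not data from a real
# infected machine. The HKLM entry mirrors a normal Palyh install, the HKCU
# entry mirrors the bug case where the worm copied itself to the drive root.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="C:\\Windows\\msccn32.exe"
"Realtek"="C:\\Program Files\\Realtek\\rtkngui.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="C:\\msccn32.exe"
"""

# Indicators taken from the description above.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
WORM_FILENAME = "msccn32.exe"
VALUE_NAME = "System Tray"

# Matches a .reg value line of the form "name"="string data".
VALUE_LINE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_reg_export(text):
    """Return a list of (key, value_name, data) tuples from a .reg export.

    Only string values are handled; .reg files double every backslash in
    string data, so the escaping is undone here.
    """
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        match = VALUE_LINE.match(line)
        if match and current_key:
            name = match.group(1)
            data = match.group(2).replace("\\\\", "\\")
            entries.append((current_key, name, data))
    return entries


def find_palyh_autoruns(text, windows_dir=r"C:\Windows"):
    """Flag Run-key values whose data points at msccn32.exe.

    windows_dir is an assumed default; on a real host it would come from
    the machine being examined. ntpath is used so Windows paths are split
    correctly even when this runs on a non-Windows analysis box.
    """
    findings = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        path = data.strip('"')
        if ntpath.basename(path).lower() != WORM_FILENAME:
            continue
        findings.append({
            "key": key,
            "value_name": name,
            "path": path,
            # True for the documented install location, False for the
            # mis-installed case that survives only until the next reboot.
            "in_windows_dir": ntpath.dirname(path).lower() == windows_dir.lower(),
            "value_name_matches": name == VALUE_NAME,
        })
    return findings


if __name__ == "__main__":
    for hit in find_palyh_autoruns(SAMPLE_REG_EXPORT):
        where = "Windows directory" if hit["in_windows_dir"] else "other location"
        print(f'{hit["key"]}\\{hit["value_name"]} -> {hit["path"]} ({where})')
```

On a live host the same check would be run against an export produced with `reg export` of the two Run keys listed above; the parser deliberately ignores non-string value types so an unexpected line type cannot cause a false match.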