Virus masquerades as Microsoft mail

20 May 2003

A new virus currently doing the rounds is faking its origins by purporting to be from Microsoft tech support. Several Irish users have already reported receiving the mail.

The worm, known as W32/Palyh-A, pretends to come from and contains the message text ‘All information is in the attached file’. The attachment consists of a program with a .pif extension. If a user opens the attachment then they will infect themselves immediately. W32/Palyh-A copies itself to the Windows folder, gathers the email addresses it finds on the user’s hard disk, and then starts sending itself out by email.

“Many users who are wary of .exe and .vbs files which arrive in their email may not realise that .pif files are equally capable of being malicious,” said Graham Cluley, senior technology consultant for Sophos Anti-Virus. “Microsoft technical support does not send out files in this way, and users should think twice before they click.”
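
As an added illustration (not part of the original article and not Sophos code), here is a mail-gateway style check that flags .pif attachments. It goes beyond the article by covering other directly executable extensions and by catching a program hidden behind a harmless-looking name through its "MZ" header. The sender, subject, filenames and attachment bytes are constructed for the example; only the message text comes from the article.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Extensions Windows runs on double-click; .pif is the one the article warns about.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs"}


def risky_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each attachment a gateway should quarantine."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.is_multipart() or not (name or part.is_attachment()):
            continue  # containers and the inline message body are not attachments
        # Windows ignores trailing dots and spaces, so "x.pif. " still runs as .pif.
        ext = PureWindowsPath(name.rstrip(". ")).suffix.lower()
        payload = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTS:
            findings.append((name, f"executable extension {ext}"))
        elif payload[:2] == b"MZ":
            # DOS/PE programs start with "MZ" whatever the file is called.
            findings.append((name, "DOS/PE header behind a harmless-looking name"))
    return findings


def build_sample() -> bytes:
    """Constructed message shaped like the one described above (not a real sample)."""
    m = EmailMessage()
    m["From"] = "support@example.com"  # constructed placeholder sender
    m["To"] = "user@example.org"
    m["Subject"] = "constructed test message"
    m.set_content("All information is in the attached file")
    fake_program = b"MZ" + bytes(62)  # constructed stub: header bytes only
    for data, filename in [(fake_program, "details.pif"),
                           (fake_program, "notes.txt"),
                           (b"plain text notes", "readme.txt")]:
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for filename, reason in risky_attachments(build_sample()):
        print(f"QUARANTINE {filename}: {reason}")
```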

It has also come to light that the new virus has a built-in self-destruct mechanism, which means it will no longer be active after the end of the month. If the date is 31 May 2003 or later, the worm is configured to ignore the code that tells it to send itself to the email addresses found on the user’s hard drive. It will also ignore the section of the code that tells it to search for attached network devices to infect.

By Dick O’Brien