The latest buzz on the worm wire is Palyh, a.k.a. Mankx, a.k.a. Sobig.B. It does very little that hasn't been done by dozens of other Windows mass-mail
The latest buzz on the worm wire is Palyh, a.k.a. Mankx, a.k.a. Sobig.B
. It does very little that hasnt been done by dozens of other Windows mass-mailer worms (it also spreads to network shares, if available), but it did spread very rapidly. I received a couple copies of it myself in e-mail before the new virus definitions came out. The payload for this worm is an executable attachment that you have to launch, and Outlook has stripped these for years.
Heres what you need to know: This worm comes in a message with a From: address of firstname.lastname@example.org. In case you didnt know, its easy to spoof the from: address, and like everything else you read, you should be skeptical of it. The message has one of nine innocuous sounding subject lines (so far Ive received "Re: Approved (Ref: 3394-65467)", "Re: My details", "Your details", and "Re: Movie"). The body of the message is "All information is in the attached file." The attachment has a .PIF extension which is an executable. If you do get infected, the program attempts to spread itself and to download files from a series of Geocities web pages.
Its easy for me to say that you shouldnt just trust attachments, even from addresses you trust, but thats basically the case.
In case you do get infected, you can find manual removal instructions on Symantecs Sobig.B page