The Palyh worm was showing some signs of running out of steam late Wednesday, as security vendors reported seeing fewer copies than they had earlier in the week.
At its peak on Monday, nearly one in every 200 e-mails contained a copy of Palyh, according to statistics compiled by MessageLabs Inc., an e-mail security vendor based in New York. The company stopped about 65,000 copies of the worm Monday, but that number dropped to around 55,000 Tuesday and fell even further to a little more than 30,000 so far Wenesday. And Palyh hasnt come close to approaching the level of activity of its immediate predecessor, Fizzer. MessageLabs reports seeing more than 402,000 copies of Fizzer thus far in May, compared to about 162,000 total copies of Palyh.
Palyhs behavior and appearance should hold no surprises for veteran computer users, experts said.
"Any e-mail arriving from an address like firstname.lastname@example.org containing an attachment should look like a huge billboard reading I am a virus to every computer user," said Ian Hameroff, security strategist at Computer Associates International Inc., in Islandia, N.Y. "We all need to be wary of anything that arrives unexpectingly and includes executable attachments because virus creators will continue to use social engineering tactics for as long as they work. This worm will have its greatest impact in the home computer space since most, if not all, enterprises employ a policy of blocking attachments types like .PIF."
Palyh shares many of the same characteristics of the Sobig virus that has been around for several months. It is written in the same language and packed with the same program as Sobig, according to an analysis by McAfee Security, a unit of Network Associates Inc., in Santa Clara, Calif. The e-mail borne worm arrives in an executable attachment to a message with a random subject line. The return address on the message is also randomized, with many copies of the worm appearing to come from email@example.com. The subject lines include:
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Re: My details
Re: My application
The message body reads, "All information is in attached file."
Palyh apparently first hit the Internet on Saturday, with most of the activity in Asia at that point. It began spreading rapidly Sunday and continued to pick up momentum Monday morning. MessageLabs Inc., an e-mail security company based in New York, has seen more than 26,000 copies of the worm, with about 20,000 of those having shown up Monday.
Once executed on a target machine, Palyh copies itself to the registry and the startup routine and then begins looking for open network shares. Some security vendors say that it also attempts to connect to a remote Web site and may attempt to download some malicious code. This behavior is very similar to that of many of the recent network-aware worms, including last weeks star, Fizzer.
Palyh then begins extracting e-mail addresses from various locations on the infected machine and mails itself to every address it finds.
Most Recent Security Stories: