A new worm, dubbed Palyh, has appeared which uses the email address support@microsoft.com. The highest priority warnings have been issued by major anti-virus companies, and users have been warned to check any messages from the email address as the worm has appeared using differing subject headers.
The worm is activated through an attachment, which causes the system to load a malicious file called "MSCCN32.EXE", a file created by the worm which is placed into the Windows directory of an infected machine. The virus also places a registry entry onto the system which causes the file to be launched at startup.
The worm then searches for files with extensions like txt, eml, html, htm, dbx, and wab – hoping to find email addresses to propagate itself. Once the scan is complete Palyh then uses the SMTP server to send out copies of the email to any addresses it finds. This is very similar to most worms in the way it works, but the use of the Microsoft email address could mean many users become duped into opening the message and attachment, you have been warned!
News source: Silicon.com
Download: Symantec Palyh worm removal tool
