Fact Check

Palyh Virus

Information about the 'Palyh' worm.

Published May 19, 2003

Claim:

Virus name:   Palyh.


Status:   Real.

Example:   [Collected on the Internet, 2003]




DO NOT OPEN ANY EMAIL FROM SUPPORT@MICROSOFT.COM
IF YOU RECEIVE ONE, DELETE IT WITHOUT OPENING

A new computer worm that disguises itself as an e-mail from Microsoft Corp. is spreading, computer security firms warned on Monday. The e-mail containing the worm, dubbed Palyh or Mankx, appears to come from support@microsoft.com, but is not from the software company. When the attachment is opened, the worm copies itself to the Windows folder, scoops up e-mail addresses from the hard disk and starts sending itself out.



Origins:   Palyh (also known as Mankx) is a mass-mailing worm which hit the Internet in May 2003 and propagates by mailing itself to recipients extracted from e-mail addresses found on infected machines. It lures recipients into opening infected messages by sending itself out under a forged <support@microsoft.com> return address. The subjects of these infected messages can be any of the following:


  • Re: Approved (Ref: 3394-65467)

  • Re: Approved (Ref: 38446-263)

  • Cool screensaver

  • Re: Movie

  • I Re: My application v
  • Re: My details

  • Screensaver

  • Your details

  • Your password

The triggering attachment can be any of the following filenames:


  • _approved.pif

  • application.pif

  • approved.pif

  • doc_details.pif

  • download1053122425102485703.uue

  • movie28.pif

  • password.pif

  • ref-394755.pif

  • screen_doc.pif

  • screen_temp.pif

Palyh can be identified and removed from infected machines with virus protection software updated with the latest virus definition files.

Additional Information:




W32/Palyh@MM W32/Palyh@MM   (McAfee)

Last updated:   29 January 2008


David Mikkelson founded the site now known as snopes.com back in 1994.