Virus name:   Palyh.

Status:   Real.

Example:   [Collected on the Internet, 2003]

DO NOT OPEN ANY EMAIL FROM SUPPORT@MICROSOFT.COM IF YOU RECEIVE ONE, DELETE IT WITHOUT OPENING A new computer worm that disguises itself as an e-mail from Microsoft Corp. is spreading, computer security firms warned on Monday. The e-mail containing the worm, dubbed Palyh or Mankx, appears to come from support@microsoft.com, but is not from the software company. When the attachment is opened, the worm copies itself to the Windows folder, scoops up e-mail addresses from the hard disk and starts sending itself out.

Origins:   Palyh (also known as Mankx) is a mass-mailing worm which hit the Internet in May 2003 and propagates by mailing itself to recipients extracted from e-mail addresses found on infected machines. It lures recipients into opening infected messages by sending itself out under a forged <support@microsoft.com> return address. The subjects of these infected messages can be any of the following:

• Re: Approved (Ref: 3394-65467)
• Re: Approved (Ref: 38446-263)
• Cool screensaver
• Re: Movie
I Re: My application v
• Re: My details
• Screensaver
• Your details
• Your password

The triggering attachment can be any of the following filenames:

• _approved.pif
• application.pif
• approved.pif
• doc_details.pif
• download1053122425102485703.uue
• movie28.pif
• password.pif
• ref-394755.pif
• screen_doc.pif
• screen_temp.pif

Palyh can be identified and removed from infected machines with virus protection software updated with the latest virus definition files.

Additional Information:

W32/Palyh@MM   (McAfee)

Last updated:   29 January 2008

Urban Legends Reference Pages © 1995-2013 by Barbara and David P. Mikkelson.
This material may not be reproduced without permission.
snopes and the snopes.com logo are registered service marks of snopes.com.