A new mass mailing email worm is spreading on the internet, masking itself as a message from Microsoft's support team.
The new worm is known both as W32/Palyh and [email protected] and arrives as an executable attachment to email messages with a variety of subjects and messages. All emails containing the new virus purport to come from the same address: [email protected], according to alerts posted by a number of leading antivirus software vendors.
Subject lines for messages delivering the virus include 'Re: My application', 'Your password', and 'Approved (Ref: 38446-263)'. Attachment files containing the new virus have a PIF file extension and use names such as 'password.pif', 'doc_details.pif' and 'ref-394755.pif', according to antivirus firm F-Secure.
The virus can only be released when a user clicks on the attachment file, F-Secure said.
Once released, however, the virus code modifies the PC's Registry so that the worm program is launched whenever Windows is run. It also searches an infected computer for files containing email addresses that it can mail itself to.
The Microsoft Windows address book, as well as a variety of other files, are searched, according to an alert by McAfee Security.
A file, 'hnks.ini' is created to hold all emails that the worm locates and those addresses are targeted with messages from the infected machine that contain the worm, according to F-Secure.
The virus also looks for computers that are accessible through shared directories on a network and copies itself to those machines, F-Secure said.
Although the new worm preys upon machines running the Windows operating system, users do not need to have Microsoft's popular Outlook or Outlook Express email clients installed for the worm to spread itself. Code in the new virus enables it to send out its own email messages, according to an alert from Sophos.
Leading antivirus vendors advised their customers to update their antivirus packages to detect the new worm. Software makers also posted online directions for stopping the virus and removing it from infected machines.
In addition, affected users might consider contacting the addresses listed in the virus' hnks.ini file, warning them about the infection, F-Secure said.
Microsoft is a frequent target of virus writers, who often disguise viruses and other attacks as messages or bulletins from Microsoft tech support.
The company's official policy is that it does not distribute any software using email, preferring to use CDs or its website to dispense new software and software updates.
While the company does email customers, it does not send attachments and authenticates all messages with a digital signature.