New virus poses as Microsoft e-mail

A new computer virus that masquerades as an e-mail from Microsoft Corp. technical support made its way around the globe on Monday, infecting computers in 89 countries. Antivirus firms issued several warnings about the Internet worm after it hit dozens of corporations. UK-based MessageLabs said it stopped some 51,000 copies of the program headed for clients. Still, a widespread outbreak was not expected.

“RE: MY APPLICATION. All information is in the attached file,” says one version of the new virus, dubbed Palyh.

There are a few other variations of the e-mail, but all claim to be from “” — and that’s half the reason the virus seems to have succeeded in spreading, said Steve Trilling, director of research at Symantec Corp.

“I would not be surprised if there are lots of people who think it’s from Microsoft,” he said. “From time to time we have to remind people, companies do not, unsolicited, send you e-mail like this.”

(MSNBC is a Microsoft-NBC joint venture.)

The other reason Palyh tricked so many users is its unlikely file extension — it’s a “PIF” file, which is unfamiliar to most computer users. PIF stands for program information file, a specialized file type only used in Windows.

But it acts just like an executable file: Any user who double-clicks on the attachment, which has a name like “approved.pif,” “movie28.pif,” or “application.pif” will be infected.

Vincent Gullotto, vice president for McAfee AVERT Labs at Network Associates, said about 100 consumers had received copies of the worm as of Monday morning, and his company still listed Palyh as a medium risk.

“A lot of the folks on our team here have gotten copies of it in their inboxes,” he said. “But like one of many viruses over the past 6 months, after an initial start up ... we expect it to fizzle out over next 72 hours or so.”

That’s about what happened with last week’s “Fizzer” virus, which infected thousands of people worldwide last Monday. While Fizzer is still spreading slowly, it never really threatened to become an outbreak on the scale of a Melissa or Lovebug virus.

Still, Palyh is certainly spreading, Trilling said, with 24 of Symantec’s corporate customers indicating they’d been hit by early Monday.

“Any one of those could correspond to thousands of computers inside the company,” Trilling said. “It definitely got our attention. ... Over the next couple of days we’ll have a good sense if this thing is picking up steam or not.”

While Palyh spread worldwide, almost three-quarters of the infected computers were in the United Kingdom, according to MessageLabs.

Internet users should update their antivirus software to protect against the worm. In the meantime, users should be skeptical of any unsolicited e-mail allegedly from Microsoft that arrives with one of the following subject lines:

Your details

Approved (Ref: 38446-263)

Re: Approved (Ref: 3394-65467)

Your password

Re: My details


Cool screensaver

Re: Movie

Re: My application

The attached file can have one of the following names:










Only Windows users are at risk of infection.
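
The indicators the article gives (the listed subject lines and a ".pif" attachment) can be turned into a simple mail-gateway check. The Python below is an added example, not from the article or any antivirus vendor; the function names, the extensions other than ".pif" and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Subject lines listed in the article, lower-cased, without "Re:" or "(Ref: ...)".
PALYH_SUBJECTS = {"your details", "approved", "your password", "my details",
                  "cool screensaver", "movie", "my application"}
# .pif is the extension the article describes; the others are an assumption
# added here (further types Windows runs on double-click).
RISKY_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat"}

def normalize_subject(subject):
    """Lower-case, strip leading 'Re:' prefixes and a trailing '(Ref: ...)' tag."""
    s = re.sub(r"^(\s*re:\s*)+", "", subject or "", flags=re.I)
    s = re.sub(r"\s*\(ref:[^)]*\)\s*$", "", s, flags=re.I)
    return s.strip().lower()

def risky_attachments(msg):
    """Return attachment filenames whose final extension is executable."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows drops trailing dots and spaces from file names, so a name
        # like "movie28.pif." still runs as a .pif; strip them before checking.
        cleaned = name.strip().rstrip(". ").lower()
        ext = cleaned[cleaned.rfind("."):] if "." in cleaned else ""
        if ext in RISKY_EXTENSIONS:
            hits.append(name)
    return hits

def assess(raw_message):
    """Return ('block' | 'review' | 'pass', risky attachment names)."""
    msg = message_from_string(raw_message, policy=policy.default)
    attachments = risky_attachments(msg)
    if attachments:
        return "block", attachments
    subject_hit = normalize_subject(msg["Subject"]) in PALYH_SUBJECTS
    return ("review" if subject_hit else "pass"), attachments

def build_sample(subject, filename):
    """Constructed test message (not a captured sample of the worm)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["Subject"] = subject
    msg.set_content("All information is in the attached file.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()
```

A message is blocked on the attachment type alone; a matching subject line without an executable attachment is only flagged for review, since those subjects are common in legitimate mail.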