Microsoft Outlook May Be Affected by W32/Palyh@MM Mass-Mailing Worm
|
SecurityTracker Alert ID: 1006807 |
SecurityTracker URL: http://securitytracker.com/id/1006807
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: May 21 2003
|
Impact:
Execution of arbitrary code via network, Modification of system information, Modification of user information
|
Vendor Confirmed: Yes
Exploit Included: Yes
|
Description:
Microsoft's PSS Security Response Team issued an Alert regarding a new mass-mailing worm (W32/Palyh@MM). According to the report, Microsoft Outlook is affected [Outlook Express is also affected].
[Editor's note: This is not a vulnerability alert. However, we are issuing an alert because Microsoft has chosen to warn their customers of this.]
The W32/Palyh@MM worm is reported to be a mass-mailing worm that spreads via e-mail and network shares. The worm uses a "from" address of 'support@microsoft.com' but does not actually originate from that address. Instead, it originates from an infected platform.
The worm contains a '.pif' attachment, which may be given a file name so that it appears to be a different type of attachment. When the target user opens the file, the malicious code will execute with the privileges of the target user. On an unprotected system, this will prompt the target user's system to mail the worm out to other e-mail addresses. The worm will mail to addresses found in certain files on the target user's computer.
According to Network Associates, the worm is implemented to cease propagation (but not infection) on and after May 31, 2003.
More information is available from Network Associates at:
http://vil.nai.com/vil/content/v_100307.htm
Microsoft has assigned a "moderate" severity rating to this alert.
|
Impact:
If a target user executes a malicious attachment, the worm's malicious code may be executed. See the Description Section for a list of potential impacts.
|
Solution:
Microsoft reports that Outlook 2000 post SP2 and Outlook XP SP1 include features to block potentially harmful attachment types. These versions will reportedly block the attachment by default. You can check to see if you are running the latest version by loading the following URL:
http://office.microsoft.com/ProductUpdates/default.aspx
Microsoft also reports that Outlook 2000 pre-SR1 and Outlook 98 do not block potentially malicious attachments by default, but you can get the Outlook E-mail Security Update to add this feature. See the following URL for more information:
http://office.microsoft.com/Downloads/2000/Out2ksec.aspx
A list of attachment types that can be blocked by Outlook is available at:
http://support.microsoft.com?kbid=290497
See the Microsoft PSS Alert for instructions on how to prevent or mitigate the effects of this type of worm:
http://www.microsoft.com/technet/security/virus/alerts/palyh.asp
Microsoft plans to issue the following Knowledge Base article regarding this worm, to be available shortly at:
http://support.microsoft.com/?kbid=821454
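The same attachment-type blocking can be applied at a mail gateway or during triage of a mailbox export. The Python sketch below is an added example, not code from Microsoft or SecurityTracker; the blocked-extension subset, the function names, and the sample message with its file names are constructed assumptions. It decides on the last extension of the attachment name (the one Windows acts on) and reports when an earlier, harmless-looking extension is used as a disguise.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: illustrative subset only; the KB article above has Outlook's full list.
BLOCKED = {".pif", ".scr", ".exe", ".bat", ".com"}

def classify(filename):
    """Return (effective_extension, disguised) for an attachment file name."""
    # Windows ignores trailing dots and spaces, so strip them before deciding.
    name = filename.strip().rstrip(". ").lower()
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return "", False
    # A second extension in the stem ("x.doc.pif", "x.txt    .pif") is the disguise.
    return "." + ext, "." in stem.strip(". ")

def scan_message(raw):
    """Return one finding per attachment whose effective extension is blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    findings = []
    for part in msg.walk():
        filename = part.get_filename()  # decodes RFC 2231 / encoded names
        if not filename:
            continue
        ext, disguised = classify(filename)
        if ext in BLOCKED:
            findings.append({"filename": filename, "extension": ext,
                             "disguised": disguised, "from": sender,
                             "declared_type": part.get_content_type()})
    return findings

def build_sample():
    """Constructed message: harmless bytes, hypothetical file names."""
    m = EmailMessage()
    m["From"] = "support@microsoft.com"  # forged sender described in the alert
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("body text")
    m.add_attachment(b"not a real program", maintype="application",
                     subtype="octet-stream", filename="your_details.doc.pif")
    m.add_attachment("plain notes", filename="notes.txt")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The From value is recorded only for triage: the alert notes it is forged, so the sender address by itself says nothing about where a message came from.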
|
Vendor URL: www.microsoft.com/technet/security/virus/alerts/palyh.asp
|
Cause:
State error
|
Underlying OS: Windows (Any)
|
Message History:
None.
|
Source Message Contents
|
Subject: Microsoft W32/Palyh@MM Worm Alert
|
http://www.microsoft.com/technet/security/virus/alerts/palyh.asp
Microsoft's PSS Security Response Team issued an Alert regarding a new worm (W32/Palyh@MM)
that may affect Microsoft Outlook, Microsoft Outlook Express, and Web-based e-mail systems.
Microsoft has assigned a "moderate" severity rating to this alert.
"W32/Palyh@MM is a worm that spreads via e-mail and network shares. The Microsoft Product
Support Services Security Team is issuing this alert to advise customers to be on the
alert for this virus as it spreads in the wild. Customers are advised to review the
information and take the appropriate action for their environments."
The W32/Palyh@MM worm is reported to be a mass-mailing worm that spreads via e-mail and
network shares. The worm uses a "from" address of 'support@microsoft.com' but does not
actually originate from that address.
The worm contains a '.pif' attachment, which may be given a file name so that it appears
to be a different type of attachment.
See the Microsoft PSS Alert (at the URL listed above) for instructions on how to prevent
this type of worm.
Microsoft plans to issue the following Knowledge Base article regarding this worm, to be
available shortly at:
http://support.microsoft.com/?kbid=821454
|