Palyh Worm Problems Could Easily Have Been Avoided


One frequently ignored aspect of corporate antivirus protection is the built-in file filtering facilities that such protection normally includes, and which represents a fundamental feature in mail server antivirus solutions. Used in the right way, these systems can prevent the kind of major catastrophes that have all too often decimated information stored on networks.

The recent Palyh worm, which spreads via e-mail using its own SMTP engine, doesn’t just harvest addresses from the infected system’s address book; it also digs through .TXT, .EML, .HTM*, .DBX and .WAB files looking for e-mail addresses. This is, in fact, one of the reasons behind Palyh’s rapid and widespread propagation.

The message containing the Palyh worm arrives with an attachment bearing a .PIF extension, and it is this file that actually carries out the infection. PIF (Program Information File) files establish special parameters for executing certain programs, such as working directories, environment variables etc. The danger, however, is that, as is the case with Palyh, these files can conceal an additional threat. This is not a new technique and has been used by more than one virus in the past. Ever since the dangerous Badtrans and MTX viruses used this strategy, concealing virus code in PIF files has been a highly effective ploy of virus authors.

As mentioned, antivirus software can prevent these kinds of infections simply by filtering out certain file extensions in e-mail messages, or at least scanning them. Research carried out by Panda Software indicates that almost 20 percent of companies have not enabled scanning of potentially dangerous file types such as *.{*, which is actually a CLSID (or Class ID) extension. These codes, stored in the Windows registry, are used to register new system components, ActiveX controls, etc. The danger is clear: registering a new object on the system without security checks represents a grave risk.

Given this situation, a rigid filtering policy should be established so that not just traditionally dangerous file types (.EXE, .COM, .VBS, etc.) are scanned, but also those that are run by programs in which vulnerabilities have been detected.
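The filtering policy described above, as an added example that is not Panda Software's code or its Content Filtering guide: a small gateway check that rejects attachments by extension and also catches the CLSID trick, where a file is named something like readme.txt.{Class-ID}; Windows Explorer hides the braced part, so the user sees readme.txt while the file is opened by the component the CLSID refers to. The blocked-extension list is an assumed policy built from the article's examples, and the sample message and CLSID value are constructed for the example.

```python
"""Attachment-extension policy for a mail gateway (added example)."""
import email
import re
from typing import List, Optional, Tuple

# Assumed policy list: the article's "traditionally dangerous" types, the .PIF
# carrier used by Palyh, and other Windows-executable types. A real policy
# would be driven from the vendor's filtering guide rather than hard-coded.
BLOCKED_EXTENSIONS = {"exe", "com", "vbs", "pif", "scr", "bat", "cmd", "js", "vbe", "wsf"}

# A CLSID "extension": a Class ID in braces at the very end of the file name,
# e.g. readme.txt.{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}. This is what the
# article's *.{* pattern matches.
CLSID_EXTENSION = re.compile(
    r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE
)


def classify_filename(name: str) -> Optional[str]:
    """Return the policy reason for rejecting an attachment name, or None if allowed."""
    # Normalise: drop surrounding whitespace and trailing dots so that padding
    # such as "report.txt            .pif" is judged on its real suffix.
    cleaned = name.strip().rstrip(".")
    if CLSID_EXTENSION.search(cleaned):
        return "clsid-extension"
    if "." not in cleaned:
        return None
    ext = cleaned.rsplit(".", 1)[1].strip().lower()
    if ext in BLOCKED_EXTENSIONS:
        return "blocked-extension:." + ext
    return None


def check_message(raw: str) -> List[Tuple[str, str]]:
    """Parse a raw message and list (filename, reason) for every attachment that
    violates the policy. Parts without a filename (the message body) are skipped."""
    msg = email.message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # decodes RFC 2047/2231 encoded names
        if not filename:
            continue
        reason = classify_filename(filename)
        if reason:
            findings.append((filename, reason))
    return findings


# Constructed sample: a worm-style message with a .PIF carrier, a CLSID-disguised
# text file and a legitimate PDF. The CLSID value is made up for the example.
SAMPLE_MESSAGE = """\
From: "Support" <support@example.com>
To: user@example.org
Subject: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain

All information is in the attached file.

--sample-boundary
Content-Type: application/octet-stream; name="your_details.pif"
Content-Disposition: attachment; filename="your_details.pif"
Content-Transfer-Encoding: base64

TVo=
--sample-boundary
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="readme.txt.{12345678-abcd-1234-abcd-123456789abc}"

placeholder
--sample-boundary
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERg==
--sample-boundary--
"""

if __name__ == "__main__":
    for filename, reason in check_message(SAMPLE_MESSAGE):
        print(f"REJECT {filename}: {reason}")
```

Run on the sample, the check rejects the .PIF and the CLSID-named file and lets the PDF through. Matching on the cleaned name rather than on the MIME type matters: the CLSID part is declared as plain octet-stream and would pass a type-only filter.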

To help with this task, Panda Software offers network administrators the ‘Content Filtering’ guide which includes details of all items that could pose a threat to networks and how they can be filtered out.

A second factor that has made Palyh particularly dangerous is its use of ‘social engineering’. Users who received the message bearing the virus trustingly opened the attached file, believing that it was from “”. For some time now, people have been warned against opening files from unknown or dubious-looking sources. But what could be safer than a message apparently sent from “”? Well, things aren’t always what they seem.

How long is it since Microsoft has sent messages in anything other than plain text, let alone with attached files? You guessed it: faking the name of the sender is just another cunning device the virus uses to trick the user.
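The sender-faking point above turned into gateway checks, as an added example that is not from the article or Panda Software. Two cheap header checks (an address-like display name that does not match the real address, and a Return-Path from a different domain) are combined with the policy rule the article implies: if a vendor only ever sends plain text without attachments, any mail claiming that vendor's domain and carrying an attachment or HTML is suspect. The domain "vendor.example" stands in for the faked sender and is a constructed placeholder, as are both sample messages.

```python
"""Sender-consistency checks for a mail gateway (added example)."""
import email
import re
from email.utils import parseaddr
from typing import Iterable, List


def spoof_indicators(raw: str, vendor_domains: Iterable[str]) -> List[str]:
    """Return human-readable reasons to distrust the apparent sender of a message.

    vendor_domains: domains (assumed, configured by the administrator) whose
    legitimate mail is plain text with no attachments.
    """
    msg = email.message_from_string(raw)
    vendor_domains = {d.lower() for d in vendor_domains}
    indicators = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. An address-like display name whose domain differs from the real address,
    #    e.g. From: "support@vendor.example" <someone@other.example>
    match = re.search(r"@([A-Za-z0-9.-]+)", display_name)
    if match and match.group(1).lower() != from_domain:
        indicators.append(
            f"display name claims {match.group(1)} but address is {from_addr}"
        )

    # 2. Envelope sender (Return-Path, recorded by the receiving MTA) from another
    #    domain. A worm with its own SMTP engine controls the envelope as well,
    #    so agreement proves nothing, but disagreement is a cheap first signal.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = return_path.rpartition("@")[2].lower()
    if rp_domain and rp_domain != from_domain:
        indicators.append(f"Return-Path domain {rp_domain} != From domain {from_domain}")

    # 3. Policy rule: a vendor that only sends plain text never sends attachments
    #    or HTML, so a message doing either under that domain is suspect.
    if from_domain in vendor_domains:
        attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
        if attachments:
            indicators.append(f"mail from {from_domain} carries attachment(s): {attachments}")
        if any(p.get_content_type() == "text/html" for p in msg.walk()):
            indicators.append(f"mail from {from_domain} is not plain text")
    return indicators


# Constructed sample: a worm-style message that names the vendor as sender but
# was handed in with a different envelope sender and carries a .PIF attachment.
SAMPLE_SPOOFED = """\
Return-Path: <user@victim.example>
From: "support@vendor.example" <support@vendor.example>
To: someone@example.org
Subject: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

All information is in the attached file.
--b
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="your_details.pif"
Content-Transfer-Encoding: base64

TVo=
--b--
"""

# Constructed sample: what the vendor's own plain-text mail looks like.
SAMPLE_LEGITIMATE = """\
Return-Path: <news@vendor.example>
From: Vendor News <news@vendor.example>
To: someone@example.org
Subject: Monthly bulletin
Content-Type: text/plain

Plain text only, no attachments.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legitimate", SAMPLE_LEGITIMATE)):
        print(label, spoof_indicators(raw, ["vendor.example"]) or ["no indicators"])
```

The spoofed sample trips both the Return-Path check and the vendor policy rule; the legitimate one trips nothing. Of the three checks only the policy rule is robust against a worm that sets its own envelope sender, which is why the article's own point (the vendor simply does not send such mail) is the one worth enforcing mechanically.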

No strong security policy can ignore the need for user awareness. Even firewalls and content filtering cannot always guarantee total security against the kind of ‘social engineering’ used by worms like Palyh. If security is to be a reality, training users to be aware must be on the agenda of all administrators. This will mitigate, to a large extent, the hidden risks of such apparently innocent e-mails.