Weekly Virus Report – Palyh, Petik, Melare and Redisto Worms
This week’s report looks at four worms: Palyh (W32/Palyh or Sobig.B), Petik.N (VBS/Petik.N), Melare (W32/Melare) and Redisto (W32/Redisto).
Palyh (also known as Sobig.B) spreads via e-mail using its own SMTP engine, mailing itself to every address it harvests on the affected computer from files with the following extensions: .TXT, .EML, .HTM*, .DBX and .WAB. It also downloads four text files containing the address of a pornographic website and then repeatedly opens a browser window in an attempt to connect to that address. The danger of this worm lies above all in its use of what has been dubbed “social engineering”: it tries to trick recipients into believing the message was sent by Microsoft's technical support by placing a Microsoft address in the “Sender” field. Since the sender field of an e-mail can be forged at will, an unsolicited message that claims to come from Microsoft and carries an attachment should be treated as suspect regardless of what that field says.
Due to the increasing number of incidents caused by the new Palyh worm, Panda Software has made its PQREMOVE application available to all users to repair any possible damage caused to computers by this malicious code. This utility can be downloaded free of charge by anyone who needs it.
Petik.N (VBS/Petik.N) is another new and dangerous worm: it overwrites all files on the computer it infects, so all information on the machine could be lost and the system rendered unusable. Before destroying files, Petik.N creates a hundred empty .TXT files on the Windows desktop. Their names always begin with the word “stress” followed by four random lowercase letters.
Petik.N is particularly dangerous for corporate environments as it mainly spreads across shared network drives.
Melare, by contrast, has no destructive payload and is easy to recognize, as it always arrives in an e-mail with the subject “Alert! SARS is being Spread!” and the attachment SARS_IMAGE.JPG. Once it has infected a computer, Melare sends itself to all addresses in the Outlook Address Book and then deletes those messages from the Sent Items folder to cover its tracks.
Finally, Redisto is a worm that disables certain applications, mainly firewalls and antivirus programs, by terminating the processes associated with them. It also saves confidential information from the computer to two files, which it then sends out by e-mail.
Redisto spreads rapidly via e-mail and the KaZaA peer-to-peer file sharing program.
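As an added example that is not part of Panda Software's report or of its PQREMOVE utility, the following Python script turns the indicators given above for Palyh, Petik.N and Melare into simple triage checks: it matches a raw e-mail against Melare's fixed subject and attachment name, flags a message whose sender claims a Microsoft address and that carries an attachment as suspected Palyh, and lists the empty “stress????.txt” files in a desktop listing that Petik.N leaves behind. The mail samples, the sample attachment names, the desktop listing and the decision to match the whole microsoft.com domain (the report names no exact forged address) are all assumptions constructed for this example.

```python
"""Triage helpers for the indicators in the report above (added example).

Everything here runs on constructed sample data; no real mailbox or file
system is touched.
"""
import re
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import parseaddr
from itertools import islice, product
from string import ascii_lowercase
from typing import Dict, List, Optional

# Indicators as stated in the report.
MELARE_SUBJECT = "Alert! SARS is being Spread!"
MELARE_ATTACHMENT = "SARS_IMAGE.JPG"
# Petik.N drops empty .TXT files on the desktop named "stress" + four random lowercase letters.
PETIK_NAME = re.compile(r"^stress[a-z]{4}\.txt$", re.IGNORECASE)
# Palyh forges a Microsoft address in the sender field. The report gives no exact
# address, so matching the whole domain is an assumption of this example.
PALYH_SPOOFED_DOMAIN = "microsoft.com"


def attachment_names(msg: Message) -> List[str]:
    """Return the file names of all parts that carry a filename (case preserved)."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def sender_domain(msg: Message) -> str:
    """Domain of the address in the From header, lower-cased; '' if unparsable."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_mail(raw: str) -> List[str]:
    """Match a raw RFC 822 message against the report's mail-borne indicators."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    names = [n.upper() for n in attachment_names(msg)]
    hits: List[str] = []
    # Melare: fixed subject line AND the fixed attachment name, as described above.
    if subject == MELARE_SUBJECT and MELARE_ATTACHMENT in names:
        hits.append("W32/Melare")
    # Palyh heuristic: sender claims a Microsoft address and the mail carries an
    # attachment. The From header is trivially forgeable, so the domain alone proves nothing.
    if sender_domain(msg) == PALYH_SPOOFED_DOMAIN and names:
        hits.append("W32/Palyh (suspected: spoofed Microsoft sender with attachment)")
    return hits


def petik_artifacts(listing: List[Dict[str, object]]) -> List[str]:
    """Names of empty files in a desktop listing that match Petik.N's naming scheme.

    `listing` is a list of {"name": str, "size": int} records, e.g. built from os.scandir().
    A file with the right name but non-zero size is not one of Petik.N's drops.
    """
    return sorted(e["name"] for e in listing if PETIK_NAME.match(e["name"]) and e["size"] == 0)


def _build_mail(sender: str, subject: str, attachment: Optional[str] = None) -> str:
    """Construct a sample message as a raw string (test data, not captured traffic)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    if attachment:
        m.add_attachment(b"\x00" * 16, maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed samples: the subject/attachment for Melare come from the report; the
# Palyh sample's subject and attachment name are placeholders invented for the example.
SAMPLE_MAIL = {
    "melare": _build_mail("friend@example.org", MELARE_SUBJECT, MELARE_ATTACHMENT),
    "palyh": _build_mail("support@microsoft.com", "constructed Palyh-style sample", "sample_attachment.pif"),
    "benign": _build_mail("colleague@example.org", MELARE_SUBJECT),  # subject alone is not enough
}

# Constructed desktop listing: 100 empty "stress????.txt" files as Petik.N would create
# them (names generated deterministically here), plus two unrelated entries.
DESKTOP_LISTING = [
    {"name": "stress" + "".join(c) + ".txt", "size": 0}
    for c in islice(product(ascii_lowercase, repeat=4), 100)
] + [
    {"name": "stressabcd.txt", "size": 512},  # right name, non-empty: not a Petik.N drop
    {"name": "notes.txt", "size": 0},         # empty, but not Petik.N's naming scheme
]


if __name__ == "__main__":
    for label, raw in SAMPLE_MAIL.items():
        print(f"{label:>7}: {classify_mail(raw) or 'no indicator matched'}")
    print(f"Petik.N artifacts on desktop: {len(petik_artifacts(DESKTOP_LISTING))}")
```

On a real system the desktop listing would be built from `os.scandir()` of the user's Desktop folder, and the mail check would be run over messages exported from the mail server or gateway; the Palyh check is a heuristic that will also flag legitimate mail from that domain with attachments, which is the intended trade-off given that the sender field cannot be trusted.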