'Microsoft' worm has 13-day timebomb

A new worm which pretends to have been sent by Microsoft technical support has started to appear in the wild.

Palyh (pronounced Pale-H) is a basic worm which copies itself to the Windows system memory as MSCCN32.EXE, and spreads by mailing itself out to a host's contacts and via corporate networks.

The worm has the ability automatically to update itself from a remote web server, and install spyware on infected PCs. But it is also time locked to become inactive after 31 May.

"We've had a lot of reports worldwide," said Graham Cluley, virus consultant at Sophos.

"It showed up around midnight and seemed to hit Australia and New Zealand hardest due to the time of release.

"There's a danger to home users who might not be blocking attachments, and for companies which only scan emails and don't monitor network shares."

The worm scans for TXT, EML, HTML, HTM, DBX, WAB files and emails itself to any address it finds, although it also tries to send out a small number of garbled emails due to its poor construction.

All emails purport to come from support@microsoft.com and contain an EXE file that looks like a PIF or PI file.

"There's an awful lot of it about in the UK this morning," said Jack Clark, of Network Associates.

"That being said it looks like a similar low-level threat to last week's Fizzer worm. We've got our DAT files out already and it shouldn't be a problem for anyone with a sensible policy on virus updates."