Skip navigation

Watch for the Win32.Palyh-A Email Worm

This morning, I found ten messages in my Inbox from [email protected], with subject lines of "Cool screensaver," "Re:My details," and others from the list below. According to Central Command's Emergency Virus Response Team (EVRT), these messages are distributing a new Internet worm called Win32.Palyh-A in the message attachments. Email from [email protected] with one of the following subject lines is likely infected with this worm:
- Your Password
- Screensaver
- Re: Movie
- Your details
- Approved (Ref: 38446-263)
- Re: Approved (Ref: 3394-65467)
- Cool screensaver
- Re: My details
- Re: My application
- Re: Movie

The message attachments have a .pif extension and a filename that reflects the text in the Subject field. When you open the attachment, the worm copies a file called mscon32.exe into the \windows\directory and creates a registry entry that runs this file every time you boot your system. Command Central's instructions don't explain how the worm works when the system folder has a name other than \windows\. When the worm runs, it scavenges email addresses embedded in files with the file type of .dbx, .eml, .htm, .html, .txt, and .wab, then propagates itself to the addresses it collects. If your system is infected, you'll find the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System Tray"="C:\\WINDOWS\\MSCON32.EXE" registry entry on your system. I suspect you can get rid of this worm by deleting the above registry entry, plus the mscon32.exe file in the system root. To be safe, contact your virus vendor about instructions for removing this worm from infected systems. In Microsoft Outlook, you can delete infected messages without reading them by pressing the Shift and Delete keys simultaneously.

WMP Security Update If you're a Windows Media Player (WMP) fan, you've probably experimented with the look and feel of the media player's GUI. When you alter the player's appearance, a process called changing the skin, WMP executes an .xml file that contains the graphical images and instructions that define the alternate GUI. Although WMP versions earlier than WMP 7.0 don't offer this feature, you can select from several native GUIs in WMP 7.0 on Windows 2000 and in WMP 8.0 on Windows XP. In addition to the native skins, you can also download custom interfaces from Internet sites.

A security flaw exists in how WMP executes the .xml file, which, if properly leveraged, lets a malicious user download and run an executable file in a known location on the local system with the rights and permissions of the currently logged-on user. This vulnerability exists in WMP 7.0 and in XP systems that use the default version of WMP (WMP 8.0). The flaw doesn't exist in WMP 6.4 or WMP 9.0, which is the most recent version.

Even if you don't experiment with skins, WMP's ability to programatically change the skin makes many systems vulnerable to this exploit. For example, you might browse a Web site that prompts you to download a playlist or some other utility, when in reality, the download is an .xml file that leverages this security flaw to install and run code on your system. For obvious reasons, this vulnerability has a critical security rating. To prevent this exploit, you must install the WMP hotfix specific to the running version of WMP.

In Win2K, WMP is in the Entertainment group under Accessories. In XP, WMP is usually near the end of the All Programs list. Start WMP, open the Help menu, and select About Windows Media Player. Legacy systems, including Windows NT, Windows Me, and Windows 9x, that run WMP 7.0 are also vulnerable, so check your legacy platforms as well. For more information about this vulnerability, read Microsoft Security Bulletin MS03-017 (Flaw in Windows Media Player Skins Downloading could allow Code Execution); the related Microsoft article "MS03-017: Flaw in Windows Media Player Skins Downloading Could Allow Code Execution" ( discusses where to download the hotfix for your version of WMP and describes the command-line options you can use to install the hotfix.

Although WMP 6.4 isn't vulnerable to this XML-based exploit, you should verify that you have installed the most recent security update for systems running the earlier version. The most current hotfix for WMP 6.4 has a release date of July 2002. This hotfix is a rollup that contains all previous security fixes and eliminates several new vulnerabilities in the earlier version. Go to to download the most recent hotfix for WMP 6.4.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.