'Microsoft' worm has 13-day timebomb

The worm, named Palyh (pronounced Pale-h) is a basic worm which copies itself in to the Windows system memory as MSCCN32.EXE and spreads through mailing itself out to a host's contacts and via corporate networks.

The worm has the ability to update itself from a remote web server automatically and install spyware on infected PCs but is also time locked to become inactive after 31 May.

'We've had a lot of reports worldwide,' said Graham Cluley, consultant at Sophos.

'It showed up around midnight and seemed to hit Australian and New Zealand hardest due to the timing of release. There's a danger to home users who might not be blocking attachments and for companies who only scan emails and don't monitor network shares.'

The worm scans for TXT, EML, HTML, HTM, DBX, WAB files and emails itself to any email address it finds, although it also tries to send out a small number of garbled emails due to its poor construction. All emails purport to come from come from support@microsoft.com and contain an EXE file that looks like a PIF or PI file.

'There's an awful lot of it about in the UK this morning,' said Jack Clark of Network Associates.

'That being said it looks like a similar low level threat like last week's Fizzer worm. We've got our DAT files out already and it shouldn't be a problem for anyone with a sensible policy on virus updates.'