"Many users who are wary of EXE and VBS files, which arrive in their email may not realize that PIF files are equally capable of being malicious," said Chris Belthoff, senior product marketing manager at Sophos, Inc. Sophos recommends companies block all Windows programs at the email gateway, noting that "it is rarely necessary to allow users to receive programs via email from the outside world. There is so little to lose, and so much to gain, simply by blocking all emailed programs, regardless of whether they contain viruses or not."

Mikko Hypponen of F-Secure concurs, "The attachments sent by the worm are PIF executables - normal users really never send this types of files. Corporate companies should simply filter all PIF attachments at (the) gateway level. Home users can use their Delete buttons instead".

Steve Garfink, CEO of InDefense, Inc., notes that "home users can be easily protected by MailDefense, which automatically quarantines all executable program files before they reach the mail client, thereby affording home users the same protection enjoyed by large enterprises."

Following is an example of an email carrying the Palyh worm:

The Palyh worm attempts to copy itself to startup directories on accessible network shares. Palyh has auto-updating capabilities, downloading updates from up to four different websites. This ability means the signature and functionality of the worm could change over time. The original version of Palyh contains a routine that signals it to stop spreading via email after May 31st, 2003. However, F-Secure also warns that the auto-updating routine continues beyond that date, meaning that mass-mailing functionality could be resumed.