As of Monday, May 19th, 2003, most antivirus vendors had published signature updates capable of detecting the worm. Additionally, both Symantec and F-Secure had released free removal tools for the Sobig variant, a.k.a. Palyh and Mankx.
F-Secure has established a Global Information Center with detailed information and geographical infection map for the worm, as well as providing a free removal tool.
Manual Detection and Removal
The following instructions involve modifying the System Registry. Improperly editing the system registry can adversely affect the operating system.
To remove the worm's startup entry, open the System Registry and, under both of the following keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
look for and delete the value:
System Tray = %windir%\msccn32.exe
Copies of the Palyh worm are dropped to:
C:\%windir%\msccn32.exe
Windows\All Users\Start Menu\Programs\StartUp\msccn32.exe
Documents and Settings\All Users\Start Menu\Programs\Startup\msccn32.exe
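The same two checks can be scripted against a saved registry export and the listed drop locations. The following is an added example written for this article, not a tool from Symantec, F-Secure or the original page: it parses a regedit text export (.reg syntax, where backslashes and quotes inside string values are escaped) for Run-key values that launch msccn32.exe, and tests the article's drop paths. The C: drive letter for the two Start Menu paths and the sample export are assumptions.

```python
import os
import re

# Indicators from the article: the two Run keys and the dropped file name.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
DROPPED_FILE = "msccn32.exe"
# One "name"="data" string value in .reg syntax (backslash and quote are escaped).
REG_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse regedit's .reg text into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := REG_STRING_VALUE.match(line)):
            name, data = (s.replace("\\\\", "\\").replace('\\"', '"') for s in m.groups())
            keys[current][name] = data
    return keys

def find_run_key_indicators(reg_text):
    """(key, value_name, data) for every Run-key entry launching msccn32.exe; matching
    the file name, not the "System Tray" name, also catches a renamed value."""
    wanted = {k.lower() for k in RUN_KEYS}
    return [(key, name, data)
            for key, values in parse_reg_export(reg_text).items() if key.lower() in wanted
            for name, data in values.items() if DROPPED_FILE in data.lower()]

def find_dropped_files(exists=os.path.exists, windir=os.environ.get("windir", r"C:\Windows")):
    """Which of the article's drop locations exist. The C: drive for the two Start Menu
    paths is an assumption; `exists` is injectable so the check runs offline."""
    candidates = [
        windir.rstrip("\\") + "\\" + DROPPED_FILE,
        r"C:\Windows\All Users\Start Menu\Programs\StartUp\msccn32.exe",
        r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msccn32.exe",
    ]
    return [p for p in candidates if exists(p)]

# Constructed sample of a regedit export from an infected machine (not real data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray"="C:\\WINDOWS\\msccn32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
```

On a live machine, export the two Run keys with regedit (File > Export) and feed the file's text to find_run_key_indicators; find_dropped_files with its defaults checks the real paths.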
A second file, hnks.ini, contains the email addresses harvested from the infected system, to which copies of the worm were then sent. This file can be viewed safely in Notepad or another text editor to identify the affected email addresses; their holders can then be notified of possible infection.