Beware of "Here You Have It" Emails

fatchowmein
fatchowmein Posts: 2,637
edited September 2010 in The Clubhouse
Fyi...
'Here You Have It' Worm Strikes Email Inboxes

Using a Windows screensaver file containing malicious code, the mass-mailing worm can disable some antivirus programs and move via email and local networks.

By Mathew J. Schwartz, InformationWeek
Sept. 10, 2010
URL: http://www.informationweek.com/story/showarticle.jhtml?articleid=227400150

Ten years after the heyday of email worms, trading on such topics as love letters and Anna Kournikova, they're back. A new worm with the subject line of "here you have" and "just for you" is exploiting PC users' address books to rapidly spread, and has reportedly affected numerous organizations, including ABC, Coca-Cola, Comcast, Google and NASA.

The body of the email pretends to offer links to documents or adult movies. But according to Symantec, "this link actually points to a malicious program file that is disguised as a PDF file, hosted on the Internet." In fact, the PDF is a .scr -- Windows screensaver -- file containing malicious code, and executing it installs a worm on the user's computer.

"Screen saver (.scr) files have long been blocked as attachments, which is why this worm uses links," said Sean Sullivan, a security researcher at F-Secure.

Thursday, the U.S. Computer Readiness Team (US-CERT) issued an incident report warning that "these attacks have the potential to prevent, at a minimum, the efficient operations of U.S. Government email systems."

When the worm infects a system, it first attempts to disable any antivirus programs that are running. Next, it emails everyone in the user's Outlook address book with a copy of the malicious message, and propagates to any open network shares on the local area network. Simply opening the folder containing the malware on the target computer will also cause that PC to become infected.

"The intention of the attack appears to be to steal information," said Graham Cluley, senior technology consultant at Sophos. Indeed, some of the malware components downloaded during the attack extract passwords from other applications on the PC, including browsers and email clients.

"This is something of a return to the malware attacks of yesteryear -- where hackers didn't care whose computers they hit, they just wanted to infect as many as possible," he said.

To mitigate the threat, Symantec recommends disabling network sharing, local network access and Internet access for infected computers, as well as blocking all outbound traffic to domains and IP addresses involved in the attack, to prevent the attack from downloading malware even if users click the link.

Thankfully, however, the .scr file used in the initial attack no longer appears to be online. "The original file seems to have been removed, so further infections from the initial variant should not occur, but new variants may well follow," said Marcus H. Sachs, director of the SANS Internet Storm Center.
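As an added example (not part of the forum post or the InformationWeek article it quotes), the following Python check shows how a mail gateway or triage script can flag the lure the article describes: a link whose URL really ends in a Windows executable extension such as .scr while the visible link text claims a PDF, combined with the two subject lines quoted above. The sample messages, the example.invalid domains and the file names are constructed for this example and are not taken from the incident.

```python
import re
import posixpath
from urllib.parse import urlparse

# Extensions Windows will run directly when the downloaded file is opened.
# .scr is the one the worm used; the rest are the usual companions in a blocklist.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# Extensions a lure's link text typically claims.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
# Subject lines quoted in the article.
LURE_SUBJECTS = ("here you have", "just for you")

ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
BARE_URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def path_extension(value):
    """Lower-cased extension of a URL's path, or of a plain filename-like string."""
    value = value.strip()
    if value.lower().startswith(("http://", "https://")):
        value = urlparse(value).path
    return posixpath.splitext(value.lower().rstrip("/"))[1]


def extract_links(body):
    """Return (href, visible_text) pairs: HTML anchors first, then bare URLs."""
    links = [(href, TAG_RE.sub("", text)) for href, text in ANCHOR_RE.findall(body)]
    remainder = ANCHOR_RE.sub(" ", body)          # avoid double-counting anchor hrefs
    links += [(url, "") for url in BARE_URL_RE.findall(remainder)]
    return links


def classify_link(href, text):
    """Reasons a single link is suspicious (empty list when it looks ordinary)."""
    reasons = []
    url_ext = path_extension(href)
    text_ext = path_extension(text) if text else ""
    if url_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"link-to-executable:{url_ext}")
        # The real target is executable but the user is shown a document name.
        if text_ext in DOCUMENT_EXTENSIONS or "pdf" in text.lower():
            reasons.append("executable-disguised-as-document")
    return reasons


def scan_message(subject, body):
    """Verdict for one message: 'quarantine', 'review' or 'deliver', with reasons."""
    reasons = []
    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.append("known-lure-subject")
    links = extract_links(body)
    for href, text in links:
        reasons.extend(classify_link(href, text))
    hard_hit = any(r.startswith("link-to-executable") for r in reasons)
    verdict = "quarantine" if hard_hit else ("review" if reasons else "deliver")
    return {"verdict": verdict, "reasons": reasons, "links": [h for h, _ in links]}


# Constructed sample messages (subject, HTML/plain body); not from the incident.
SAMPLE_MESSAGES = [
    ("Here you have",
     'Hello,<br>This is the document I told you about:<br>'
     '<a href="http://files.example.invalid/PDF_Document_2010_pdf.scr">'
     'http://files.example.invalid/PDF_Document_2010_pdf.pdf</a>'),
    ("Just for you",
     "Check this out http://media.example.invalid/movie_preview.scr"),
    ("Q3 budget review",
     'Slides are here: <a href="http://intranet.example.invalid/q3/budget.pdf">budget.pdf</a>'),
]


def scan_samples():
    """Verdicts for the constructed samples, in order."""
    return [scan_message(subject, body)["verdict"] for subject, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for subject, body in SAMPLE_MESSAGES:
        result = scan_message(subject, body)
        print(f"{result['verdict']:10} {subject!r}  {', '.join(result['reasons']) or '-'}")
```

The check deliberately keys on the mismatch between what the link shows and where it goes, rather than on a particular domain, because the article notes that the original file was taken down and new variants were expected; a domain blocklist of the kind Symantec recommends is a complement to this rule, not a replacement for it.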

Comments

  • thuffman03
    thuffman03 Posts: 1,325
    edited September 2010
    We had issues with this at the company I work for. Caused some issues for a few hours till we got our Exchange Servers updated with the latest virus defs.
    Sunfire TGP, Sunfire Cinema Grand, Sunfire 300~2 (2), Sunfire True Sub (2), Carver ALS Platinum, Carver AL III, TFM-55, C-19, C-9, TX-8, SDA-490t, SDA-390t
  • Fireman32
    Fireman32 Posts: 4,845
    edited September 2010
    Same here. Took a few hours to get it under control.