There was a significant virus outbreak today, commonly called the “Here you have” virus after the email subject line the worm uses during propagation. It looks like multiple variants may be spreading, and it may take some time to work through them all and paint a clearer picture. Below is what the email looks like. This is a tough one to ignore because many times it will come from someone you know.
Infectious email messages may have the following properties:
Subject: “Here you have” or “Just For you”
Body:
Hello:
This is The Document I told you about,you can find it Here.
http://www.thisisnotthereallink.com/library/PDF_Document21.025542010.pdf
Please check it and reply as soon as possible.
Cheers,
or
Hello:
This is The Free Dowload Sex Movies,you can find it Here.
http://www.thisisafakelink.com/library/SEX21.025542010.wmv
Enjoy Your Time.
Cheers,
The URL does not actually lead to a PDF document but to an executable in disguise, such as PDF_Document21_025542010_pdf.scr, served from a different domain such as members.multimania.co.uk. That URL is no longer active, and the email propagation vector is believed to be crippled at this time (though already-infected hosts may continue to send the messages).
Here is some additional information on the threat behavior:
Generic.dx!tsp!2BDE56D8FB2D – http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=275352
W32/VBMania@MM – http://vil.nai.com/vil/content/v_275435.htm
When a user chooses to manually follow the hyperlink, they will be prompted to download or execute the virus. When run, the virus installs itself into the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE in the Windows System directory). Once a host is infected, the worm attempts to send the aforementioned message to recipients in the email address book. It can also spread to accessible remote machines, mapped drives, and removable media via Autorun replication.
Organizations including NASA, Comcast, AIG, Disney, Procter & Gamble, the Florida Department of Transportation and Wells Fargo are just a few of those apparently affected by the worm, which appears to have sent out hundreds of thousands, if not millions, of e-mails. So this may not have affected the home user so much, but big corporations were hit hard.
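As an added illustration (not code from the original post), here is a small Python triage script that encodes the three indicators described above: the reported subject lines, a delivered filename that carries an executable extension but is padded with a document or movie token, and a CSRSS.EXE sitting directly in the Windows directory instead of the System directory. The sample message is constructed from the text quoted in the post, and the Windows directory path is an assumed default.

```python
import re
from pathlib import PureWindowsPath

# Subject lines the post reports for this worm.
SUSPECT_SUBJECTS = {"here you have", "just for you"}
# Extensions Windows treats as programs, however the name is dressed up.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs"}
# Document/media tokens the lure pads the filename with.
DECOY_TOKENS = {"pdf", "wmv", "doc", "avi"}


def is_disguised_executable(filename: str) -> bool:
    """True when the delivered file has an executable extension but its name
    is padded with a document/media token, e.g. PDF_Document21_025542010_pdf.scr."""
    p = PureWindowsPath(filename)
    if p.suffix.lower() not in EXECUTABLE_EXTS:
        return False
    tokens = re.split(r"[_.\-\s]+", p.stem.lower())
    return any(t in DECOY_TOKENS for t in tokens)


def lure_indicators(subject: str, body: str) -> list:
    """Indicators matched by one inbound message (to be combined, not a verdict):
    the reported subject line, plus any link whose displayed name promises a
    document or movie."""
    hits = []
    if subject.strip().lower() in SUSPECT_SUBJECTS:
        hits.append("known-subject")
    for url in re.findall(r"https?://\S+", body):
        if url.lower().rsplit(".", 1)[-1] in DECOY_TOKENS:
            hits.append("lure-link:" + url)
    return hits


def is_rogue_csrss(path: str, windir: str = r"C:\Windows") -> bool:
    """True for a CSRSS.EXE sitting directly in the Windows directory (assumed
    default C:\\Windows); the legitimate binary lives in the System directory."""
    p = PureWindowsPath(path)
    return p.name.lower() == "csrss.exe" and p.parent == PureWindowsPath(windir)


# Constructed sample, built from the message text quoted in the post.
SAMPLE_SUBJECT = "Here you have"
SAMPLE_BODY = (
    "Hello:\nThis is The Document I told you about,you can find it Here.\n"
    "http://www.thisisnotthereallink.com/library/PDF_Document21.025542010.pdf\n"
    "Please check it and reply as soon as possible.\nCheers,"
)

if __name__ == "__main__":
    print(lure_indicators(SAMPLE_SUBJECT, SAMPLE_BODY))
    print(is_disguised_executable("PDF_Document21_025542010_pdf.scr"))  # True
```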
About George Dover
George Dover is one of the Microsoft Certified Technicians who works at BoxAid.com. He is the primary blog contributor and has helped thousands of customers calling into BoxAid on a daily basis.