Here-you-have virus spread rapidly but has been contained

Posted Friday, September 10, 2010 1:34 PM by hwaldron

This virus was spammed out massively by email but now appears to be contained, as the malicious links have been deactivated.  Please always be careful with email attachments and URLs, and treat any message matching the subject and body shown further down as hostile even if it arrives from a known sender.

'Here You Have' Email Virus

http://isc.sans.edu/diary.html?storyid=9529

http://www.f-secure.com/weblog/archives/00002027.html

http://blog.trendmicro.com/old-malware-out-of-its-shell/

http://blogs.pcmag.com/securitywatch/2010/09/here_you_have_incompetence.php

http://abcnews.go.com/Technology/virus-mail-spreads-online/story?id=11596433&page=1

http://www.symantec.com/connect/blogs/here-you-have-mass-mailing-virus-returns-old-school-tactics

http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/


QUOTE: There are several good write-ups on the behavior of this malware; see some of the references below.  The spam contains a link to a document.  The link looks like it is to a PDF, but is, in fact, to a .SCR file and served from a different domain from what the link appears to point to.  The original file seems to have been removed, so further infections from the initial variant should not occur, but new variants may well follow.  The .SCR when executed downloads a number of additional tools, one of which appears to attempt to check in with a potential controller.  The name associated with the controller has been sink-holed.  The malware attempts to deactivate most anti-virus packages and uses the infected user's Outlook to send out its spam.


EMAIL MESSAGES TO AVOID

(Do not click the URL link in these messages: the link is the primary danger, and new variants using the same lure could appear later.)


Subject(s): Here you have -- or -- Just For you

Body:  Hello, This is The Document I told you about,you can find it Here.  Please check it and reply as soon as possible.
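The ISC write-up quoted above describes the lure precisely: the visible link looks like a PDF, but the real target is a .SCR on a different host. That mismatch is easy to check for on the mail gateway. The following script is an added example written for this post, not code from the original article or from any of the referenced vendors; it parses a constructed HTML message, flags the known subjects, and reports every anchor whose visible text promises a PDF (or a URL on one host) while the href points at an executable or a different host. All hosts, paths and the sample message below are made up for the example.

```python
"""Flag e-mail links whose visible text promises a PDF but whose real
target is an executable or a different host.  The sample message, hosts
and paths in this file are constructed for the example; the subjects
come from the post above."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")
LURE_SUBJECTS = ("here you have", "just for you")  # subjects listed in the post


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(s):
    """Lower-cased host of a URL or of bare 'www.host/path' text."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def suspicious_links(html_body):
    """Return (href, text, reason) for anchors matching the lure pattern."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        if not href:
            continue
        path = urlparse(href if "://" in href else "http://" + href).path.lower()
        text_l = text.lower()
        # 1. the real target is an executable, whatever the text says
        if path.endswith(EXECUTABLE_EXTS):
            findings.append((href, text, "target is an executable: " + path.rsplit("/", 1)[-1]))
        # 2. the text claims a PDF but the target is not one
        elif text_l.endswith(".pdf") and not path.endswith(".pdf"):
            findings.append((href, text, "text claims .pdf but target is not a .pdf"))
        # 3. the text is itself a URL, but on a different host than the href
        if re.match(r"^(https?://|www\.)", text_l) and _host_of(text_l) != _host_of(href):
            findings.append((href, text, "visible host differs from real host"))
    return findings


def analyze_message(raw_bytes):
    """Parse one RFC 822 message; report lure subject and suspicious links."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg.get("subject", "")).strip().lower()
    html_part = msg.get_body(preferencelist=("html",))
    links = suspicious_links(html_part.get_content()) if html_part is not None else []
    return {"subject_match": subject in LURE_SUBJECTS, "links": links}


# Constructed sample message in the style of the lure (hosts/paths are fake).
SAMPLE_EML = b"""From: someone@example.com
To: victim@example.net
Subject: Here you have
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Hello, This is The Document I told you about, you can find it
<a href="http://files.example.org/library/document.pdf.scr">Here</a>.</p>
<p><a href="http://other.example.org/x/report.scr">http://www.example.com/report.pdf</a></p>
<p>Benign: <a href="http://www.example.com/report.pdf">http://www.example.com/report.pdf</a></p>
</body></html>
"""

if __name__ == "__main__":
    result = analyze_message(SAMPLE_EML)
    print("subject matches lure:", result["subject_match"])
    for href, text, reason in result["links"]:
        print(f"  [{reason}] text={text!r} href={href}")
```

The benign third anchor is included to show the check does not fire when the visible text and the target agree. In production the same logic runs on every text/html part, not only the preferred one, and on the tooltips of any URL defanging/rewriting service that sits in front of users.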
