We are aware of the "Here you have" malware that is spreading via email. As we find out more, we'll update this diary.

Marcus H. Sachs (Marcus, 301 Posts, ISC Handler), Sep 9th 2010
A major auditing firm sent us some emails with the malware link. A commenter on another thread said it appeared to spread through their Exchange distribution lists.
The audit firm uses McAfee, and McAfee added detection as of today. The audit firm said it disabled McAfee. McAfee's writeup for this non-PDF infection is at http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=275352#none

It appears to require local administrator rights to do its thing since it installs into %WINDIR%. "Least privilege" stops another one even if the AV vendors can't.

FWIW, we tested it against the six anti-malware systems we use. Bitdefender and Kaspersky on the proxy server both stopped the download if the link was clicked. Every engine we have enabled on Forefront for Exchange let the email go right through because it was just a link. The Sophos email gateway did the same because it was just a link. These systems update every hour.

The two engines on the proxy server marked it as:
Bitdefender: Gen:Trojan.Heur.rm0@fnBStPoi
Kaspersky: Suspicious:HEUR:Trojan.Win32.Generic

The actual link in the email is below. It says it's a PDF link but it's a .SCR link.
http: // members . multimania . co . uk / yahoophoto / PDF_Document21_025542010_pdf . scr

The text was:
--------------------------------------------------------------------------
Subject: Here you have

Hello:

This is The Document I told you about,you can find it Here.
http://www . sharedocuments.com/ library/ PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.
Anonymous, Sep 9th 2010
Got this from McAfee. They should be releasing new DATs and a new Stinger tool. Hope this helps.

***************************************************
McAfee Labs has released a signed Extra-DAT that extends McAfee's existing detection by adding "repairing of files" damaged by the W32/VBMania@MM worm. Additionally, Beta DATs are currently being built to include Repair for W32/VBMania@MM (ETA 3:30 PM, US/PDT) (next Beta release). A stand-alone removal and repair tool, Stinger, will be made available to the public at approximately the same time. For more information on this threat, go to the Virus Information Library at http://vil.nai.com/vil/content/v_275435.htm.

====================================================
ORIGINAL EMAIL (Thursday, September 09, 2010 3:33:20 PM)

McAfee has received confirmation that some customers have received large volumes of spam containing a link to malware, a mass-mailing worm identified as VBMania. The symptom reported thus far is that the spam volume is overwhelming the email infrastructure. Static URLs in the email link to a .SCR file.

McAfee recommends that customers filter for the URL on gateway and email servers, and block the creation of .SCR files on endpoint systems.

McAfee Trusted Source is actively protecting against this threat. Customers with McAfee Trusted Source Email Reputation will have the emails blocked. Customers with McAfee Trusted Source Web Reputation will have the URL blocked from click-through. McAfee Artemis provides protection as well.

For further information, go to mysupport.mcafee.com and search for KB article KB69857. McAfee also will provide further information as gathered.
________________________________________
Anonymous, Sep 9th 2010
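The two checks this thread keeps coming back to, a link whose visible text says PDF while the real target is a .SCR (the audit-firm post above) and McAfee's advice to filter for the URL on gateway and email servers, as an added example that is not part of the thread or of any vendor's product: a small Python gateway check that parses a raw message, pulls out every link (HTML anchors and bare URLs), and returns "block" when any target resolves to a Windows executable extension, "flag" when only the subject matches, and "allow" otherwise. The hostnames, the sample messages, the extension list and the three-way verdict are assumptions made for the example; the real 2010 URLs are not used.

```python
"""Gateway-side check for a 'Here you have' style lure: a message whose link
claims to be a PDF but really points at a Windows executable such as a .scr."""
import re
from email import message_from_string
from email.message import Message

# Extensions Windows will run as a program on double-click (assumed list).
# A .scr "screensaver" is an ordinary PE executable under a different name.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd",
                         ".vbs", ".js", ".hta"}

# Subject reported in the thread. Matching on subject alone is brittle (the
# next run of the worm can change it), so it only flags, never blocks.
SUSPECT_SUBJECTS = {"here you have"}

ANCHOR_RE = re.compile(r'<a\s[^>]*?href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def file_extension(url: str) -> str:
    """Extension of the last path component, ignoring query string and fragment."""
    path = url.split("?", 1)[0].split("#", 1)[0].rstrip("/")
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def extract_links(body: str):
    """Return (target, visible_text) pairs: HTML anchors first, then bare URLs."""
    links = []
    for m in ANCHOR_RE.finditer(body):
        links.append((m.group(1).strip(), TAG_RE.sub("", m.group(2)).strip()))
    # Drop the anchors already handled so their hrefs are not counted twice,
    # then pick up bare URLs in whatever text remains.
    for m in URL_RE.finditer(ANCHOR_RE.sub(" ", body)):
        url = m.group(0).rstrip(".,;:)")  # trailing sentence punctuation
        links.append((url, url))
    return links


def message_body(msg: Message) -> str:
    """Decode and join every text/plain and text/html part of the message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8",
                                         errors="replace"))
    return "\n".join(chunks)


def assess(raw_message: str):
    """Return (verdict, findings); verdict is 'block', 'flag' or 'allow'."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    findings, block = [], False
    for target, visible in extract_links(message_body(msg)):
        ext = file_extension(target)
        if ext not in EXECUTABLE_EXTENSIONS:
            continue
        block = True
        findings.append(f"link to executable ({ext}): {target}")
        if visible != target and file_extension(visible) != ext:
            findings.append(f"link text {visible!r} hides the {ext} target")
    if subject.lower() in SUSPECT_SUBJECTS:
        findings.append(f"subject matches known lure: {subject!r}")
    return ("block" if block else "flag" if findings else "allow"), findings


# Constructed sample messages; hostnames are placeholders, not the 2010 URLs.
LURE_HTML = """\
From: someone@example.invalid
Subject: Here you have
Content-Type: text/html; charset="us-ascii"

<html><body>Hello:<br>This is The Document I told you about,you can find it Here.<br>
<a href="http://members.example.invalid/yahoophoto/PDF_Document21_025542010_pdf.scr">http://www.sharedocuments.example.invalid/library/PDF_Document21.025542010.pdf</a><br>
Please check it and reply as soon as possible.</body></html>
"""
LURE_PLAIN = """\
Subject: Here you have
Content-Type: text/plain; charset="us-ascii"

This is The Document I told you about, you can find it Here.
http://members.example.invalid/yahoophoto/PDF_Document21_025542010_pdf.scr.
"""
BENIGN = """\
Subject: Q3 report
Content-Type: text/plain; charset="us-ascii"

Draft for review: https://docs.example.invalid/reports/q3-2010.pdf?rev=2
"""

if __name__ == "__main__":
    for name, raw in (("LURE_HTML", LURE_HTML), ("LURE_PLAIN", LURE_PLAIN),
                      ("BENIGN", BENIGN)):
        verdict, findings = assess(raw)
        print(f"{name}: {verdict} {findings}")
```

The decision is taken on the real target, not on the displayed text or the subject, which is why the HTML lure (anchor text ending in .pdf, href ending in .scr) and the plain-text lure (bare .scr URL followed by a full stop) both come back "block" while the benign PDF link with a query string is allowed. A gateway that only inspects attachments, as several posters note above, sees nothing here because the message carries a link rather than a file.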
Looks like the website for the original email has been taken down.
Also, other vendor products like 'Websense' have this site on their Malicious Sites list. Thanks for the heads-up.
spanionlust, 3 Posts, Sep 9th 2010
5 minutes after I saw this first posted today, our Microsoft contact sent us an email about this and recommended an Exchange rule to dump these (by subject line, which we all know is not the best approach). Our Forefront for Exchange (hosted spam filter with MS) did not let a single one through, but our sister company that uses Iron Mail had 5 get in. We seem to be fine, no mass email via the Exchange GAL internally.
I just found that this hit the news. Some big names including NASA and Homeland Security appear to have been hit. http://www.foxnews.com/scitech/2010/09/09/beware-link-e-mail-virus-plays-havoc-internet/
Anonymous, Sep 9th 2010
ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/sequence/114828/
Symantec released some updated defs this afternoon (09/09/2010 Pacific). The FTP site above lists "symrapidreleasedefsi32.exe" among others. symrapidreleasedefsi32.exe is ~90MB but it did catch the 284k PDF dot scr file mentioned above.
Anonymous, Sep 10th 2010
The Barracuda Spam Firewall is already blocking these (we have two messages dated yesterday afternoon) with Reason: Fingerprint (*Phishing.Virus-147506756).
Anonymous, Sep 10th 2010