CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
"Here You Have" Email Worm
A mass mailing worm has recently been seen propagating aggressively across the Internet with the subject lines "Here you have" or "Just For you". The email includes a link disguised to look like a PDF or a .WMV file, but is actually a link to a .SCR file that contains malicious code. Clicking on the malicious hyperlink will result in the compromise of the affected machine and the spread of the mass mailing worm to other computers.
We have received reports from several states that have been impacted by this mass mailing email worm in addition to the media accounts of impacted businesses.
- It appears that this worm is only impacting Microsoft Windows Operating Systems
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
Home users: High
A mass mailing worm has recently been seen propagating aggressively across the Internet with the subject lines "Here you have" or "Just For you". The email includes a link disguised to look like a PDF or a .WMV file, but is actually a link to a .SCR file that contains malicious code.
When a user clicks on the hyperlink, the supplied code will run and install an executable file in the Windows directory as CSRSS.EXE. The executed malware will then attempt to deactivate the user's anti-virus and propagate by emailing all of the contacts in the infected user's address book. It will attempt to connect to various malicious websites and force affected systems to share several folders in the C:\Windows\System directory. The malware will attempt to access remote machines. If it is successful in obtaining access, it will attempt to put a .SCR file with the name of "N73.Image12.03.2009.JPG.scr" on the root directory of the remote machine. The malware can also spread through mapped drives and removable media via Autorun replication.
An example of the email format has been included below:
Subject: Here you have or Just For you
This is The Document I told you about,you can find it Here.
Please check it and reply as soon as possible.
This is The Free Dowload Sex Movies,you can find it Here.
Enjoy Your Time.
Please note that the two known malware distribution servers appear to have been taken down. This should result in mitigation of some of the risk from this threat. However, we advise that the domains below be blocked as a precautionary measure.
We recommend the following actions be taken:
- Block access to hxxp://members.lycos.co.uk/iqreporters/* and hxxp://members.multimania.co.uk/yahoophoto/*
- Block emails with the subject 'Here you have' and 'Just For you' and links to '.SCR' files.
- Ensure that all anti-virus software is up to date.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Ensure that auto-run is disabled and that network drives are password protected and read-only where ever possible.