'Here you have' virus strikes email inboxes

Filed Under: Data loss, Malware, Spam

If you were reading the SophosLabs blog overnight you'll have seen Boris Lau's report of a mass-mailing worm that has been reported widely.

Email messages with the subject line "Here you have" claim to link to documents or free sex movies, but are really designed to infect your PC.

What may be fooling some people is that these emails appear to come from your colleagues, friends or family members, because those senders' own computers have been infected by the malware, which then mailed itself on to you.

A typical message reads:

Hello:

This is The Document I told you about,you can find it Here.

http://<REMOVED URL>/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,

Here's another example:

Hello:

This is The Free Dowload Sex Movies,you can find it Here.
http://<REMOVED URL>/library/SEX21.025542010.wmv

Enjoy Your Time.

Cheers,

(Note that in this example the hackers spelt "Download" incorrectly.)

However, the link doesn't really lead to a PDF file or a WMV movie, but to an SCR executable file containing malicious code. When the code is run on your computer it tries to turn off your security software and attempts to send one of the above messages to the contacts in your address book, rather in the style of the old-school email-aware viruses we often saw in the early 2000s, which would use the lure of pictures of Anna Kournikova or a love letter.

Furthermore, the worm can also spread via network shares.
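The two tricks described above, a fixed subject line paired with a link that claims to be a document but delivers an executable, are easy to check for at the mail gateway. The following is an added example written for this page (it is not code from the original post or from Sophos): it parses a message, flags the lure's subject-and-link combination, and checks whether bytes fetched from such a link carry a Windows executable header instead of the promised PDF. The sample messages, the `example.invalid` hostnames and the byte payloads are constructed for illustration; the real URL was removed from the post.

```python
# Added example (not code from the original post or from Sophos): a small
# triage helper for the "Here you have" lure. Sample messages, hostnames and
# byte payloads below are constructed for illustration only.
import re
from email import message_from_string
from typing import Dict, List

# Constructed sample lure, modelled on the first message quoted in the post.
SAMPLE_LURE = """\
From: colleague@example.com
To: you@example.com
Subject: Here you have

Hello:

This is The Document I told you about,you can find it Here.

http://lure.example.invalid/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,
"""

# Constructed benign message: a genuine PDF link under an ordinary subject.
SAMPLE_BENIGN = """\
From: colleague@example.com
To: you@example.com
Subject: Minutes from Tuesday

Hi, the minutes are at http://intranet.example.invalid/minutes.pdf
"""

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
LURE_SUBJECT = "here you have"
CLAIMED_EXTENSIONS = (".pdf", ".wmv")  # the two file types the lure promises


def extract_urls(text: str) -> List[str]:
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def score_message(raw: str) -> Dict[str, object]:
    """Flag a message that combines the lure's subject line with a link
    claiming to be a PDF or WMV. Returns the individual indicators too so a
    reviewer can see why a message was flagged."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    # The constructed samples are plain text; multipart bodies are skipped here.
    body = msg.get_payload() if not msg.is_multipart() else ""
    urls = extract_urls(body)
    subject_matches = subject == LURE_SUBJECT
    document_link = any(u.lower().endswith(CLAIMED_EXTENSIONS) for u in urls)
    return {
        "subject_matches": subject_matches,
        "document_link": document_link,
        "urls": urls,
        "suspicious": subject_matches and document_link,
    }


def claimed_type_mismatch(url: str, first_bytes: bytes) -> bool:
    """True when a link that claims a PDF or WMV serves a Windows executable.

    The post says the link led to an SCR file rather than a document; SCR
    files are PE executables, which begin with the 'MZ' signature."""
    claims_document = url.lower().endswith(CLAIMED_EXTENSIONS)
    is_pe = first_bytes[:2] == b"MZ"
    return claims_document and is_pe


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, score_message(raw))
    # Constructed payload: a PE header served under a .pdf file name.
    print(claimed_type_mismatch(
        "http://lure.example.invalid/PDF_Document21.025542010.pdf", b"MZ\x90\x00"))
```

`score_message` deliberately reports the subject and link indicators separately: a PDF link on its own is normal business mail, and it is only the combination with the fixed subject line that matches this particular campaign. `claimed_type_mismatch` is the check a gateway or sandbox would apply to the fetched content, since the file extension in the URL is chosen by the attacker and says nothing about what the server actually returns.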

Sophos detects the malware as W32/Autorun-BHO. In more good news, it appears that the file pointed to by the emails is no longer available.

The intention of the attack appears to be to steal information. The malware downloads components and other tools which extract passwords from browsers (Firefox, Chrome, Internet Explorer, Opera), various email clients, and other applications. This is clearly sensitive information that you don't want falling into the wrong hands.

According to media reports, the virus has been encountered in large firms including Google, Coca Cola, NASA and Comcast.

That doesn't surprise me, as this is something of a return to the malware attacks of yesteryear, where hackers didn't care whose computers they hit; they just wanted to infect as many as possible. Worms like this don't discriminate: they choose their next victims simply by harvesting addresses from the infected user's email address book.

That also means that if you're in a lot of people's address books, you might receive a fair amount of malware.

For instance, ABC/Disney employee Sam Champion, the weatherman on "Good Morning America", tweeted that the virus was filling up his email account.

Tweet from Sam Champion

As always, ensure that your anti-virus software is kept properly up-to-date and don't go clicking on suspicious links, even if they do appear to have been sent to you by a friend.

PS. If you think the subject line "Here you have" rings a bell, then you've been following computer security for a fair old time. It was also used by the VBS/SST-A virus (better known as Anna Kournikova) back in 2001.

Screenshot of Anna Kournikova virus

Mass-mailing malware like Kournikova hit a lot of people in the past. Let's hope that more people have their wits about them this time and don't get tricked by this latest attack.

2 Responses to 'Here you have' virus strikes email inboxes

  1. roy jones jr · 1307 days ago

    The possible infected emails I get sometimes almost always have the first 4 letters of my email address in the "sent from" line. How do they do that?

  2. I get email sent to me from me. I always delete them. How can they do that? Are they always viruses?

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.