The “Here you have” worm

Just a quick update that we are seeing reports of an old-school mass-mailing worm doing the rounds currently.

The emails it sends contain a link that pretends to point to a PDF, but it in fact points to a VisualBasic PE executable. So it has nothing to do with the latest Adobe 0-day we mentioned recently.

It spreads itself in email with the following message:

Hello:

Subject: Here you have

This is The Document I told you about,you can find it Here.

http://***url***/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,

or:

Hello:

This is The Free Dowload Sex Movies,you can find it Here.

http://***url***/SEX21.025542010.wmv

Cheers,

We have blocked the link URL, which means Sophos Live Protection prevents access to it. We also detect the malware itself as W32/Autorun-BHO.