Thursday, September 09, 2010

"Here you have" spam spreads email worm

This evening while I was driving to an open house at my daughter's school (very cool! proud of you, Kyriae!) a journalist called to ask me about "the major new email worm that everyone is talking about".

Insert sound of crickets.

I asked him for more details and he said all he knew so far was that it used the subject line "Here you have", which made me laugh -- that was the main subject line of the Anna Kournikova virus way back in 2001!

In my lab at the University of Alabama at Birmingham we have a project called the UAB Spam Data Mine, so I'm usually a pretty good person to ask if something involves the words "major" and "email", but not this time. As the evening progressed I got more and more queries and emails about it, so I decided to look into it.

In the entire Spam Data Mine, we had 17 copies of the email, or roughly one out of every 100,000 email messages for the day. Certainly not "major", but then when we looked at the actual emails, we noticed that thirteen of the seventeen came from the same Very Large Financial Institution.

That did pique my interest! ABC seems to be the only news station covering the story, apparently because the worm managed to get loose in some ABC properties. Here's a sample news story, from ABC 13 in Houston:

A massive and dangerous email virus has spread like wildfire, flooding inboxes and disrupting operations across the globe. The email is landing in the inboxes of companies around the world.

The email has the subject line 'Here you have.' In the body of the email, it reads, "Hello: This is The Document I told you about, you can find it here," and contains a reference to a document and a link to what appears to be a PDF. IT departments are advising users not to open the email or click on the link, but to delete the message.

If you click on the link, the virus replicates and sends itself out using your name and contact list.

The attack appears to be global, so far affecting companies such as Disney, P&G, Dow, Coca-Cola and others. The Florida Department of Transportation's email system has been shut down, and other Florida government agencies have been affected, but so far no Texas government agencies are reporting any impact. The virus may have originated in Russia.

(story from ABC's KTRK in Houston)

ABC National news had a similarly glamorous lead-in, mentioning that as of 4 PM on Thursday "Here you have" was the second hottest news trend on Google. "Organizations including NASA, Comcast, AIG, Disney, Proctor & Gamble, Florida Department of Transportation and Wells Fargo are just a few of the organizations apparently affected by the worm, which appears to have sent out hundreds of thousands, if not millions of e-mails".

If we scroll back in the Twitter space about twelve hours (1:00 PM on Thursday) we can confirm that at least for some folks, the email did feel pretty overwhelming. See posts such as:

tony1971 who else is getting tons of e-mails with the subject, #hereyouhave?

jmyoung82 328 emails and counting from #hereyouhave email worm

wiltap I turned off my desktop email--machine was non-responsive. RT @perfectcr Yup, its global! #hereyouhave

padevries Seems like #hereyouhave #virus is under control at my company. After 724 emails in 10 min it has stopped.

The malware preferred to spread via the Outlook mail program, and spammed itself primarily by sending to every member of the local Outlook address book. In companies where a domain administrator logged in to an infected machine the effect was that every machine reachable from that machine that used the same administrator password became infected, and then each of those users sent an email to every other user in the company directory. I can see where that would pile up quickly.
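The spreading pattern described above (one infected mailbox sending to every entry in its address book, hundreds of messages in a few minutes) is easy to spot on the mail relay if you look at per-sender volume over a short window. The following PowerShell is an added example, not code from the original post or from any vendor; it works over a constructed, minimal "timestamp sender recipient" log format rather than any real MTA's log, and the addresses and counts are made up (724 messages in under ten minutes mirrors the figure in one of the tweets quoted later in the post).

```powershell
# Added example: flag senders whose outbound volume jumps the way an address-book worm's
# does. The log lines are constructed in a minimal "timestamp sender recipient" format,
# not any real MTA's log.

function Find-SenderBursts {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$WindowMinutes = 10,
        [int]$Threshold = 100
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $events = foreach ($line in $LogLines) {
        $parts = $line -split '\s+', 3
        if ($parts.Count -eq 3) {
            [pscustomobject]@{
                Time      = [datetime]::ParseExact($parts[0], 'yyyy-MM-ddTHH:mm:ss', $culture)
                Sender    = $parts[1]
                Recipient = $parts[2]
            }
        }
    }

    foreach ($group in ($events | Group-Object -Property Sender)) {
        $times = @($group.Group | Sort-Object -Property Time | ForEach-Object { $_.Time })
        # Sliding window: the largest run of messages whose span fits in $WindowMinutes.
        $best = 0; $bestStart = $null; $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            $count = $end - $start + 1
            if ($count -gt $best) { $best = $count; $bestStart = $times[$start] }
        }
        if ($best -ge $Threshold) {
            [pscustomobject]@{ Sender = $group.Name; WindowStart = $bestStart; Messages = $best }
        }
    }
}

# Constructed log: one worm-driven sender (724 messages in under ten minutes) and one
# normal sender who writes three messages fifteen minutes apart.
$base = [datetime]::ParseExact('2010-09-09T13:00:00', 'yyyy-MM-ddTHH:mm:ss',
    [System.Globalization.CultureInfo]::InvariantCulture)
$constructedLog = @()
for ($i = 0; $i -lt 724; $i++) {
    $t = $base.AddSeconds(0.8 * $i)
    $constructedLog += '{0:yyyy-MM-ddTHH:mm:ss} alice@corp.example user{1}@corp.example' -f $t, $i
}
foreach ($i in 0..2) {
    $t = $base.AddMinutes(15 * $i)
    $constructedLog += '{0:yyyy-MM-ddTHH:mm:ss} bob@corp.example colleague@corp.example' -f $t
}

# Only alice is reported (724 messages starting 13:00:00); bob never exceeds one per window.
Find-SenderBursts -LogLines $constructedLog | Format-Table -AutoSize
```

The threshold and window are parameters because a mailing-list owner or a helpdesk queue can legitimately exceed a hundred messages in ten minutes; the point is that a worm-driven burst comes from ordinary user accounts that normally send a handful a day, so the rule is best applied to per-sender baselines rather than as a single global number.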

Apparently very few companies have the addresses in the UAB Spam Data Mine in their address books, which would explain me receiving so little spam. (A fortuitous typographical error seems to be how I got most of our copies.)

BarracudaLabs claims in their useful and informative blog entry, "Here You Have" Spam Teaches an Old Worm a New Trick, that they saw the spam first at 9:44 AM Pacific time and quickly saw 200,000 copies, but that it's likely that infected organizations had many more. The spam dried up once the website hosting the malware shut down the offending account.

Although the malware is being recognized for its spam, the reason it is being labeled as a worm has to do with its spread within corporate networks. The malware, which was previously seen on August 20th, was given the name W32.Imsolk.A by Symantec and others at that time. They call the new version "W32.Imsolk.B". TrendMicro calls the new version "Worm_Meylme.B".

Here's a VirusTotal report showing detections and who is calling it what. Currently 23 of 42 anti-virus products are reporting a detection. (Up from 17 of 42 when I checked about 4 hours ago).

It's interesting to follow Symantec's ticket on the malware through the day (Symantec Tech Support ticket), which concluded:

"Enterprise customers are protected by a Rapid Release signature set dated Sep 9th 2010 rev 023, or later. The next regular definition set to be published at 16:00 PST Sep 9th 2010 will contain the detection."

McAfee's AvertLabs also had a Special Report on Here you Have, including links to their advice on identifying and removing the malware, with a special Knowledge Base link that provided information on an emergency signature file and a special version of their stand-alone "stinger" product.

Microsoft has a quite good Threat Encyclopedia entry for the previous version, which they called "Visal.A", and has updated it with a great entry on Visal.B. Some of the cooler features of this malware described by Microsoft include:

- The malware copies itself as " CV 2010.exe" to drives C: through H:.

- The worm adds an autostart entry by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "%windir%\csrss.exe"

which is how it guarantees that it will re-invoke after boot -- note that by linking to "Winlogon", even a 'safe mode' boot will be "infected".

- The worm attempts to mount network shares for all computers on the local network and copies itself as a fake graphic file, "N73.Image12.03.2009.JPG.scr", into a "New Folder" as well as folders named "Music" and "Print" on every drive it can mount. It adds an entry to an autorun.inf file on each of those drives so that mounting the drive invokes the fake JPG file.

- The malware also attaches itself via the registry to 391 various .exe file names, primarily the names of security tools and programs, so that if any of them are executed, the malware stored in "%windir%\csrss.exe" will be re-invoked.
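Those four persistence mechanisms are all things an administrator can check for directly. The script below is an added example for host triage, not code from the original post or from Microsoft's encyclopedia entry. It assumes that the per-executable hook is implemented through Image File Execution Options "Debugger" values (the post only says "via the registry"), uses the decoy file names quoted from Microsoft above, and adds one check the post's later discussion of the PDF-looking .scr file motivates: whether Explorer is hiding known extensions. It is read-only; run it in an elevated PowerShell on the suspect machine.

```powershell
# Added example: host triage for the persistence artifacts described in the post.
# Assumption: the 391 per-executable hooks are IFEO "Debugger" values.
# Reports only; it does not remove or repair anything.

function Get-VisalIndicators {
    [CmdletBinding()]
    param()

    $findings = @()
    $windir = $env:windir
    # The genuine csrss.exe lives in %windir%\System32; the worm drops one in %windir% itself.
    $rogueCsrss = Join-Path $windir 'csrss.exe'

    # 1. Winlogon Shell must be explorer.exe and nothing else (it is honored even in Safe Mode).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings += [pscustomobject]@{ Type = 'WinlogonShell'; Detail = $shell }
    }

    # 2. A csrss.exe outside System32.
    if (Test-Path -LiteralPath $rogueCsrss) {
        $findings += [pscustomobject]@{ Type = 'RogueCsrss'; Detail = $rogueCsrss }
    }

    # 3. IFEO Debugger values redirecting named executables (e.g. security tools) to csrss.exe.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in @(Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg -and $dbg -like '*csrss.exe*') {
            $findings += [pscustomobject]@{ Type = 'IFEODebugger'; Detail = "$($key.PSChildName) -> $dbg" }
        }
    }

    # 4. Decoy copies and autorun.inf on every mounted drive (names quoted from Microsoft's entry).
    $decoys = @('N73.Image12.03.2009.JPG.scr', 'CV 2010.exe')
    foreach ($drive in @(Get-PSDrive -PSProvider FileSystem)) {
        $root = $drive.Root
        foreach ($sub in @('', 'New Folder', 'Music', 'Print')) {
            $dir = if ($sub) { Join-Path $root $sub } else { $root }
            foreach ($name in $decoys) {
                $candidate = Join-Path $dir $name
                if (Test-Path -LiteralPath $candidate) {
                    $findings += [pscustomobject]@{ Type = 'DecoyFile'; Detail = $candidate }
                }
            }
        }
        $autorun = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $autorun) {
            $text = Get-Content -LiteralPath $autorun -Raw -ErrorAction SilentlyContinue
            if ($text -match '\.scr') {
                $findings += [pscustomobject]@{ Type = 'AutorunScr'; Detail = $autorun }
            }
        }
    }

    # 5. Explorer hiding known extensions is what lets "something.pdf.scr" pass as a PDF.
    $advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hide = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    if ($hide -eq 1) {
        $findings += [pscustomobject]@{ Type = 'HideFileExt'; Detail = 'known extensions hidden in Explorer' }
    }

    return $findings
}

Get-VisalIndicators | Format-Table -AutoSize
```

An empty table means none of the listed artifacts were found on this host; a WinlogonShell or IFEODebugger hit is the one to act on first, because those entries re-launch the dropped copy at every logon and whenever a hooked security tool is started, so cleaning the file without clearing them leaves the machine looping back into the same state.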

Although the malware can send any of three different emails from templates it carries, all of the samples we received today were of the first variety:

Subject: Here you have

This is The Document I told you about,you can find it Here.

Please check it and reply as soon as possible.


The first copy of the email we saw was from an employee of a local utility company. In all the copies I saw, the link downloaded the content from:

Although SCR files are traditionally thought of as "screen saver" files, an '.scr' file is just a Windows executable with a different extension and Windows runs it directly when opened, as it did with this one. Because Windows hides file extensions by default, and because the executable uses an icon that makes it look like a PDF, this one fooled quite a number of people.
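The two things that made the lure work, the fixed template text and a link whose real extension is executable behind a PDF-looking name, are also what a mail gateway can key on. The following PowerShell is an added example, not a rule from the original post or from any vendor product; the sample messages are constructed, and the hosting URL is a placeholder because the post does not reproduce the real one.

```powershell
# Added example: mail-side rule for the lure described in the post. The messages below
# are constructed and the hosting URL is a placeholder.

function Test-HereYouHaveLure {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][string]$Body
    )
    $reasons = @()

    # Generic rule: any link whose real (last) extension is executable, however many
    # decoy extensions precede it ("document.pdf.scr").
    $execLink = 'https?://\S+?\.(scr|exe|pif|com|bat|cmd|vbs|js)(?=\s|$)'
    foreach ($m in [regex]::Matches($Body, $execLink, 'IgnoreCase')) {
        $reasons += "link to executable: $($m.Value)"
    }

    # Specific rule: the subject and opening line quoted in the post.
    if ($Subject.Trim() -ieq 'Here you have' -and $Body -match 'This is The Document I told you about') {
        $reasons += 'matches the "Here you have" template'
    }

    $verdict = if ($reasons.Count -gt 0) { 'QUARANTINE' } else { 'DELIVER' }
    [pscustomobject]@{
        Subject = $Subject
        Verdict = $verdict
        Reasons = ($reasons -join '; ')
    }
}

# Constructed samples (not real captures from the outbreak).
$samples = @(
    @{ Subject = 'Here you have'
       Body    = "Hello:`r`n`r`nThis is The Document I told you about,you can find it Here.`r`nhttp://members.example.invalid/yahoophoto/document.pdf.scr`r`n`r`nPlease check it and reply as soon as possible." },
    @{ Subject = 'Quarterly report'
       Body    = "The final version is at https://files.example.invalid/report.pdf" },
    @{ Subject = 'Re: photos'
       Body    = "Grab them here: http://photos.example.invalid/holiday.jpg.scr" }
)

# First and third samples are quarantined (executable link; the first also matches the
# template), the second is delivered.
foreach ($s in $samples) { Test-HereYouHaveLure -Subject $s.Subject -Body $s.Body }
```

The generic rule is the one worth keeping after this particular outbreak is over: the template text changes with every campaign, but a mail that invites the reader to open a "document" whose URL ends in .scr or .exe is worth holding regardless of the wording.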

Multimania quickly shut down the account "yahoophoto" once it was understood what was happening. After that the attack more or less ran itself out. While it continued to spread via network shares inside of large corporate networks, the email-based component was a dud after that point.
