The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2010-076

DATE(S) ISSUED:
9/10/2010

SUBJECT:
Here You Have - Email Worm

OVERVIEW:

A mass mailing worm has recently been propagating aggressively across the Internet with the subject lines "Here you have" or "Just For you". The email includes a link disguised to look like a .PDF or a .WMV file, but is actually a link to a .SCR file that contains malicious code. Clicking on the malicious hyperlink will result in compromise of the affected machine and spread of the mass mailing worm to other computers.

In addition to the media accounts of impacted businesses, we have received reports that several states have been impacted by this mass mailing email worm.

SYSTEMS AFFECTED:

  • Microsoft Windows Operating Systems

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
A mass mailing worm has recently been propagating aggressively across the Internet with the subject lines "Here you have" or "Just For you". The email includes a link disguised to look like a .PDF or a .WMV file, but is actually a link to a .SCR file that contains malicious code.

When a user clicks on the hyperlink, the supplied code will run and install an executable file in the Windows directory as CSRSS.EXE. The executed malware will then attempt to deactivate the user's anti-virus and propagate by emailing all of the contacts in the infected user's address book. It will attempt to connect to various malicious websites and force affected systems to share several folders in the C:\Windows\System directory. The malware will attempt to access remote machines. If it is successful in obtaining access, it will attempt to put a .SCR file with the name of "N73.Image12.03.2009.JPG.scr" on the root directory of the remote machine. The malware can also spread through mapped drives and removable media via Autorun replication.

An example of the email format has been included below:

<< 
Subject: Here you have or Just For you
Body:

Hello:

This is The Document I told you about,you can find it Here.
hxxp://www[dot]sharedocuments[dot]com/library/PDF_Document21[dot]025542010[dot]pdf

Please check it and reply as soon as possible.

Cheers,

or

Hello:

This is The Free Dowload Sex Movies,you can find it Here.
hxxp://www[dot]sharemovies[dot]com/library/SEX21[dot]025542010[dot]wmv
Enjoy Your Time.

Cheers,
>> 

Please note that the two known malware distribution servers appear to have been taken down. This should result in mitigation of some of the risk from this threat. However, we advise that users follow the recommendations contained below.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Block access to hxxp://members[dot]lycos[dot]co[dot]uk/iqreporters/* and hxxp://members[dot]multimania[dot]co[dot]uk/yahoophoto/*
  • Block emails with the subject 'Here you have' and 'Just For you' and links to '.SCR' files. 
  • Ensure that all anti-virus software is up to date.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Ensure that auto-run is disabled and that network drives are password protected and read-only wherever possible.
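One way to implement the mail-filtering recommendation above (lure subject lines plus links to .SCR files whose visible text is dressed up as a .PDF or .WMV) is shown here as an added example; it is not part of the advisory. It assumes HTML mail in RFC 822 form, and the example.invalid domain in the sample is a constructed placeholder, not a real distribution server.

```python
import os
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse
WORM_SUBJECTS = {"here you have", "just for you"}  # lure subjects named in the advisory
DECOY_EXTS = {".pdf", ".wmv"}  # what the link text pretends to be
PAYLOAD_EXT = ".scr"           # what the href actually points at

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def url_ext(s):  # lower-cased extension of a URL's path ('' if none); query and fragment ignored
    return os.path.splitext(urlparse(s.strip()).path)[1].lower()

def classify_message(raw):
    """Return the advisory indicators an RFC 822 message matches (empty list = no match)."""
    msg = message_from_string(raw)
    reasons = []
    if (msg.get("Subject") or "").strip().lower() in WORM_SUBJECTS:
        reasons.append("subject matches worm lure")
    for part in msg.walk():  # only HTML parts carry link text that can differ from the href
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace"))
        for href, text in collector.links:
            if url_ext(href) == PAYLOAD_EXT:
                reasons.append(f"link to .SCR file: {href}")
                if url_ext(text) in DECOY_EXTS:
                    reasons.append(f"link text disguised as {url_ext(text)}: {text}")
    return reasons
# Constructed sample lure, not a real capture: the visible text ends in .pdf, the href in .scr.
SAMPLE_LURE = """\
Subject: Here you have
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://example.invalid/library/PDF_Document21.025542010.scr">
http://example.invalid/library/PDF_Document21.025542010.pdf</a></body></html>
"""
```

Because the display text and the href are compared separately, a message is still flagged when only one of the two indicators is present, which matters once the subject line of a campaign changes.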

REFERENCES:
Trend Micro:
http://blog.trendmicro.com/old-malware-out-of-its-shell/

Avert Labs:
http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/

SANS:
http://isc.sans.edu/diary.html?storyid=9529

Threat Expert:
http://www.threatexpert.com/report.aspx?md5=2bde56d8fb2df4438192fb46cd0cc9c9
http://www.threatexpert.com/report.aspx?md5=bd9208edf44d0ee32b974a2d9da7bc61

Symantec:
http://www.symantec.com/security_response/writeup.jsp?docid=2010-082013-3322-99&tabid=2
http://www.symantec.com/connect/blogs/new-round-email-worm-here-you-have
http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-090922-4703-99&tabid=2