Bardissi Enterprises Blog

Supposedly Wide-Spread Email Worm Making Headlines

“Here you have” Email contains fake and malicious PDF or WMV links

Severity: Medium

Virus/Worm Summary:
Subject lines to avoid include “Here you have,” “Just for you,” and “This is the Free Dowload (sic) Sex Movies, you can find it Here”

Malicious email attachment: contains supposed links to PDF or WMV files, which actually link to malicious .SCR files

Impact: Spreads via your email contacts and through network shares. Infects your computer with various malware, and potentially steals information

What to do: Make sure you are using updated antivirus software, and block .SCR files at your gateway (see below for details)

About the Virus:
Late yesterday, various antivirus (AV) vendors began receiving reports of a new mass-mailing email worm, generally called VBMania, which arrives with various subjects including “Here you have.” Today, others in the press have jumped on the bandwagon and published many shrill reports [ 1 / 2 / 3 ] that describe this worm as an outbreak and suggest it has flooded inboxes worldwide. While we don’t doubt that attackers have aggressively seeded this malicious email using spamming techniques (and likely a botnet), we haven’t yet seen the worm in our own inbox. There are reports of it affecting some well-known companies. However, it doesn’t seem to be as widespread as the big worms of the past (Nimda, etc.). In fact, most antivirus (AV) companies still rate this worm as only a medium risk. While you should make yourself, and your users, aware of this new worm, it doesn’t offer reason for panic.

Unfortunately, the lack of coordination among AV vendors’ naming conventions makes it difficult to track these worms. While the media generally refers to this as the “Here you have” worm, AV vendors have given this worm a variety of names including:
  • Email-Worm.Win32.VBMania.a (Kaspersky)
  • W32/VBMania@MM (McAfee)
  • W32.Imsolk.B@mm (Symantec)
  • Gen:Trojan.Heur.rm0@fnBStPoi (F-Secure)
  • W32/Autorun-BHO (Sophos)
  • WORM_MEYLME.B (TrendMicro)

For simplicity’s sake, we will refer to this worm as VBMania.

Distinguishing Characteristics
Despite the media hype surrounding this new worm, it doesn’t seem to use any new techniques that would allow it to spread any more quickly than a typical email worm. In fact, it seems to call back to older malicious email techniques; some say it shares similarities with the older ILoveYou and Anna Kournikova worms from 2000 and 2001. We describe some of VBMania’s distinguishing characteristics below.

VBMania arrives as an email with the following Subject lines:
Here you have
Just for you
This is The Free Dowload Sex Movies,you can find it Here.

The body of the worm contains some text describing either a document or movie. It also includes a link to what appears to be a PDF document or WMV movie file. However, if you actually click the link, it attempts to get you to download a malicious .SCR screensaver file. An example of the malicious SCR file might include:
  • PDF_Document21_025542010_pdf.scr

If you run the malicious .SCR file it:
  • Copies itself to the Windows directory as CSRSS.EXE (not to be confused with the real CSRSS.EXE in your Windows system directory) and adds registry entries to make sure it can restart after your next reboot
  • Sends itself to your email contacts and IM buddies
  • Copies itself to mapped drives and removable USB media (uses AUTORUN tricks as well)
  • Tries to lower your computer’s security by disabling many popular security applications
  • Downloads and installs various malware (likely including a botnet trojan)
  • Steals sensitive information (including passwords from web browsers)

VBMania doesn’t really use any tricks that you haven’t seen before. You should have no problems distinguishing this worm in your inbox, and avoiding it. However, attackers seem to have spammed this worm very aggressively. If one of your users does accidentally run its malicious file, they could cause a lot of damage to your network. Make sure to inform your users of this new email worm so they know to avoid it. However, you don’t need to panic over this new threat, despite what the media may suggest.
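
The indicators described above (the three subject lines, and a link labelled as a PDF or WMV file that actually points to a .SCR file) can be checked mechanically when triaging a mailbox or quarantine folder. The following Python is an added example, not part of the original advisory; the function names, the `example.test` hosts and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

def _norm(subject):
    """Lowercase, collapse punctuation/spacing, drop leading Re:/Fwd: prefixes."""
    s = re.sub(r"[^a-z0-9]+", " ", subject.lower()).strip()
    return re.sub(r"^(?:(?:re|fwd?) )+", "", s)
# Subject lines exactly as listed on this page, normalised for comparison.
KNOWN_SUBJECTS = {_norm(s) for s in (
    "Here you have", "Just for you",
    "This is The Free Dowload Sex Movies,you can find it Here.",
)}

class _Anchors(HTMLParser):
    """Collect [href, visible text] for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def triage(raw_message):
    """Return the indicators from this page that appear in one raw e-mail."""
    msg = message_from_string(raw_message, policy=default)
    hits = ["subject"] if _norm(msg["subject"] or "") in KNOWN_SUBJECTS else []
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _Anchors()
    parser.feed(body.get_content() if body else "")
    for href, label in parser.links:
        # The real target decides: query strings and letter case are ignored.
        if urlsplit(href).path.lower().endswith(".scr"):
            decoy = re.search(r"\.(pdf|wmv)\s*$", label.strip(), re.I)
            hits.append("scr-link-disguised" if decoy else "scr-link")
    return hits

# Constructed sample message (example.test hosts are placeholders).
SAMPLE = ("Subject: Here you have\nContent-Type: text/html\n\n"
          '<a href="http://files.example.test/PDF_Document21_025542010_pdf.scr">'
          "http://www.example.test/PDF_Document21.pdf</a>\n")
```

`triage(SAMPLE)` reports both the subject match and the disguised link; a subject match alone is a weak signal, since the first two subject lines are ordinary phrases.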

What you can do
As always, remind your users never to open unexpected attachments or click on unexpected web links from any source. Inform them that most modern viruses falsify the “From” field and can appear to come from friends, co-workers, or other trusted parties.

Most major antivirus vendors already have signatures that detect this worm. Check with your vendor for the latest update.

Educate your users by downloading and presenting the new SecurityWise module, “E-mail Safety in the Age of Cybercrime.” This resource is available free of charge, exclusively to LiveSecurity Service subscribers.
 
