Firms Warn Of Old Style Worms In Emails

Security firms are warning of an old-style worm transferred via email that is spreading rapidly.

The malware uses email attachments with the subject line "Here you have" to spread and contyains a .scr file disguised as a PDF. The email asks the recipient to check the contents, whcih activates the malware. The attack has spread quickly, with a reported 60,000 infections including outbreaks at ABC/Disney, Google, Coca Cola and NASA.

Click here to find out more!

"The .scr when executed downloads a number of additional tools, one of which appears to attempt to check in with a potential controller," said Marcus Sachs, director of the SANS Institute in an advisory.

"The name associated the controller has been sink-holed. The malware attempts to deactivate most anti-virus packages and uses the infected user's Outlook to send out its spam."

According to McAfee the malware installs an application named CSRSS.EXE on the infected machine and then uses email to send itself on as well as via accessible remote machines, mapped drives, and removable media via Autorun replication. It also installs UPX packed password recovery tools (ChromePass, OperaPassview) and a UPX packed Sysinternals tool (PSExec) and a malicious HOSTS file.

The search term "here you have virus email" was one of the top 10 Google searches for the day and such an old fashioned attack seems to have caught many unguarded.

"US-CERT has received multiple reports from a number of federal agencies and private sector entities experiencing an email worm...US-CERT is in the process of collecting and analyzing samples of the malware and has developed and disseminated mitigation strategies," said DHS press secretary Amy Kudwa in a statement.

Malware spread via email attachments was common a decade ago, being used in t he I Love You attacks among others, but professional malware distributors don't use such tactics today to spread malware.

The huge amount of network traffic such worms generate makes them very easy to spot and signature tag by security companies and also alert IT departments that something is wrong. All major security vendors are now blocking the worm.

print this article

Return to security news headlines
View Security News Archive

Share with: