'Here You Have It' Worm Strikes Email Inboxes

Using a Windows screensaver file containing malicious code, the mass-mailing worm can disable some antivirus programs and move via email and local networks.
Ten years after the heyday of email worms, trading on such topics as love letters and Anna Kournikova, they're back. A new worm with the subject line of "Here you have" and "Just for you" is exploiting PC users' address books to rapidly spread, and has reportedly affected numerous organizations, including ABC, Coca-Cola, Comcast, Google and NASA.

The body of the email pretends to offer links to documents or adult movies. But according to Symantec, "this link actually points to a malicious program file that is disguised as a PDF file, hosted on the Internet." In fact, the supposed PDF is a .scr -- Windows screensaver -- file containing malicious code, and executing it installs a worm on the user's computer.

"Screen saver (.scr) files have long been blocked as attachments, which is why this worm uses links," said Sean Sullivan, a security researcher at F-Secure.

Thursday, the U.S. Computer Emergency Readiness Team (US-CERT) issued an incident report warning that, "These attacks have the potential to prevent, at a minimum, the efficient operations of U.S. Government email systems."

When the worm infects a system, it first attempts to disable any antivirus programs that are running. Next, it emails everyone in the user's Outlook address book with a copy of the malicious message, and propagates to any open network shares on the local area network. Simply opening the folder containing the malware on the target computer will also cause that PC to become infected.
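As an added example, not code from the article or from any of the vendors quoted in it, here is a small mail-gateway check in Python that flags the two traits described above: the reported lure subject lines, and links whose target is a Windows executable such as a .scr file dressed up with a .pdf name. The sample messages and the example.invalid addresses are constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Lure subject lines reported for this worm (from the article).
LURE_SUBJECTS = {"here you have", "just for you"}
# Extensions Windows runs as programs; the worm's "PDF" link pointed to a .scr file.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def link_filename(url: str) -> str:
    """Last path segment of a URL, lower-cased (query string and fragment ignored)."""
    return urlparse(url).path.rsplit("/", 1)[-1].lower()


def scan_message(raw: str) -> list[str]:
    """Return reasons a plain-text message looks like this lure; empty list means clean."""
    msg = message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"known lure subject: {subject!r}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        name = link_filename(url).rstrip(".,;)")   # drop trailing punctuation
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"link downloads an executable ({ext}): {url}")
            if ".pdf" in name[:-len(ext)]:        # e.g. invoice.pdf.scr
                reasons.append(f"executable disguised with a document extension: {name}")
    return reasons


# Constructed sample messages (not real worm traffic); example.invalid is a reserved name.
LURE_MAIL = """\
From: contact@example.invalid
To: user@example.invalid
Subject: Here you have

Hello, this is the document I told you about, you can find it here:
http://files.example.invalid/invoice-2010.pdf.scr
"""

CLEAN_MAIL = """\
From: colleague@example.invalid
To: user@example.invalid
Subject: Q3 report

Latest draft: http://intranet.example.invalid/reports/q3-report.pdf
"""

if __name__ == "__main__":
    for label, mail in (("lure", LURE_MAIL), ("clean", CLEAN_MAIL)):
        print(label, scan_message(mail) or ["no findings"])
```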

"The intention of the attack appears to be to steal information," said Graham Cluley, senior technology consultant at Sophos. Indeed, some of the malware components downloaded during the attack extract passwords from other applications on the PC, including browsers and email clients.

"This is something of a return to the malware attacks of yesteryear -- where hackers didn't care whose computers they hit, they just wanted to infect as many as possible," he said.

To mitigate the threat, Symantec recommends disabling network sharing, local network access and Internet access for infected computers, and blocking all outbound traffic to the domains and IP addresses involved in the attack so that the malware cannot be downloaded even if users click the link.

Thankfully, however, the .scr file used in the initial attack no longer appears to be online. "The original file seems to have been removed, so further infections from the initial variant should not occur, but new variants may well follow," said Marcus H. Sachs, director of the SANS Internet Storm Center.
