Here you have - Virus!!!


  1. Posts : 121
    Windows 7
       #1

    Here you have - Virus!!!


    I work for a company that has not yet admitted that it was hit by this virus, but we were today, and it was insane! Literally, some of our users' outboxes were stuffed with up to 97,000 spam messages waiting to be sent out. It literally infected almost everyone.

    And now after reading this story, it looks like it is happening to a lot of F-100 companies.
    This is very scary, and just proves that no matter how much progress is made in information security, the bad guys always come up with something new.

    'Here you have...' virus hits major companies - Technology & science - Security - msnbc.com


  2. Posts : 28,845
    Win 8 Release candidate 8400
       #2

    Not all that unusual. But they should have had some built-in solutions. Maybe next time they will be ready.


    Ken


  3. Posts : 3,139
    Systems 1 and 2: Windows 7 Enterprise x64, Win 8 Developer
       #3

    It wasn't clicking on the email, but the email link. We try to educate our people not to respond to unsolicited email. But you can knock your head against a wall and get the same result. Sometimes, the user is the most dangerous component of a system.


  4. Posts : 121
    Windows 7
    Thread Starter
       #4

    the user is the most dangerous component of a system.
    That is true, without a doubt. But look at it from a user's perspective. They do business all day by email. And if they receive an email from someone on their contact list that says "here you go" or "here you are" and then talks about a document they were looking for, all they are going to do is click on it, and get on with business. And even more to the point, these emails the users were getting are coming from people on their contact list, from within their trusted corporate network--why would they not click it?

    They aren't going to analyze it, they aren't going to check the properties of the link and see where it's pointing to, they are just going to click. The problem is, these Fortune 100 companies are not even close to as secure as they want the world to believe they are. That is the real problem.


  5. Posts : 121
    Windows 7
    Thread Starter
       #5

    Virus Total Report: These are the engines that as of roughly 6pm today can actually identify it as a threat:

    0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
    File name: PDF_Document21_025542010_pdf.scr
    Submission date: 2010-09-09 18:52:15 (UTC)
    Current status: finished
    Result: 13/43 (30.2%)
    | Antivirus | Version | Last Update | Result |
    |---|---|---|---|
    | AhnLab-V3 | 2010.09.09.01 | 2010.09.09 | Malware/Win32.Trojan Horse |
    | AntiVir | 8.2.4.50 | 2010.09.09 | - |
    | Antiy-AVL | 2.0.3.7 | 2010.09.09 | - |
    | Authentium | 5.2.0.5 | 2010.09.09 | W32/VBTrojan.17E!Maximus |
    | Avast | 4.8.1351.0 | 2010.09.09 | - |
    | Avast5 | 5.0.594.0 | 2010.09.09 | - |
    | AVG | 9.0.0.851 | 2010.09.09 | - |
    | BitDefender | 7.2 | 2010.09.09 | Gen:Trojan.Heur.rm0@fnBStPoi |
    | CAT-QuickHeal | 11.00 | 2010.09.09 | - |
    | ClamAV | 0.96.2.0-git | 2010.09.09 | - |
    | Comodo | 6027 | 2010.09.09 | - |
    | DrWeb | 5.0.2.03300 | 2010.09.09 | WIN.WORM.Virus |
    | Emsisoft | 5.0.0.37 | 2010.09.09 | Gen.Trojan!IK |
    | eSafe | 7.0.17.0 | 2010.09.07 | - |
    | eTrust-Vet | 36.1.7844 | 2010.09.09 | - |
    | F-Prot | 4.6.1.107 | 2010.09.01 | W32/VBTrojan.17E!Maximus |
    | F-Secure | 9.0.15370.0 | 2010.09.09 | Gen:Trojan.Heur.rm0@fnBStPoi |
    | Fortinet | 4.1.143.0 | 2010.09.09 | - |
    | GData | 21 | 2010.09.09 | Gen:Trojan.Heur.rm0@fnBStPoi |
    | Ikarus | T3.1.1.88.0 | 2010.09.09 | Gen.Trojan |
    | Jiangmin | 13.0.900 | 2010.09.09 | - |
    | K7AntiVirus | 9.63.2483 | 2010.09.09 | - |
    | Kaspersky | 7.0.0.125 | 2010.09.09 | - |
    | McAfee | 5.400.0.1158 | 2010.09.09 | Generic.dx!tsp |
    | McAfee-GW-Edition | 2010.1B | 2010.09.09 | Artemis!2BDE56D8FB2D |
    | Microsoft | 1.6103 | 2010.09.09 | - |
    | NOD32 | 5438 | 2010.09.09 | probably unknown NewHeur_PE |
    | Norman | 6.06.06 | 2010.09.09 | - |
    | nProtect | 2010-09-09.03 | 2010.09.09 | - |
    | Panda | 10.0.2.7 | 2010.09.09 | Suspicious file |
    | PCTools | 7.0.3.5 | 2010.09.09 | - |
    | Prevx | 3.0 | 2010.09.09 | - |
    | Rising | 22.64.03.01 | 2010.09.09 | - |
    | Sophos | 4.57.0 | 2010.09.09 | - |
    | Sunbelt | 6853 | 2010.09.09 | - |
    | SUPERAntiSpyware | 4.40.0.1006 | 2010.09.09 | - |
    | Symantec | 20101.1.1.7 | 2010.09.09 | - |
    | TheHacker | 6.7.0.0.012 | 2010.09.09 | - |
    | TrendMicro | 9.120.0.1004 | 2010.09.09 | - |
    | TrendMicro-HouseCall | 9.120.0.1004 | 2010.09.09 | - |
    | VBA32 | 3.12.14.0 | 2010.09.08 | - |
    | ViRobot | 2010.9.8.4031 | 2010.09.09 | - |
    | VirusBuster | 12.64.26.0 | 2010.09.09 | - |


  6. Posts : 121
    Windows 7
    Thread Starter
       #6

    Looks like this thing may be trying to create a botnet, too. It just keeps getting better

    'Here You Have' Email


  7. Posts : 3,139
    Systems 1 and 2: Windows 7 Enterprise x64, Win 8 Developer
       #7

    dranfu said:
    Looks like this thing may be trying to create a botnet, too. It just keeps getting better

    'Here You Have' Email
    I just sent my network admin a heads up. Not that universities have anything to worry about...


  8. Posts : 121
    Windows 7
    Thread Starter
       #8

    Lemur said:
    dranfu said:
    Looks like this thing may be trying to create a botnet, too. It just keeps getting better

    'Here You Have' Email
    I just sent my network admin a heads up. Not that universities have anything to worry about...
    Lol. Oh, no. The universities will definitely be safe :)

    McAfee has made a stinger (stand-alone virus scanner) version just for the virus, if you want to run it on your network: http://vil.nai.com/vil/vbm/stinger.exe

    Also, definitely check out the threat reports from ThreatExpert - Automated Threat Analysis. They have a bunch of behavior reports (reg keys created/modified, files manipulated, etc.) on the virus.

    For example there are, of course, a bunch of image execution entries for svchost, so that when svchost is run, some malware also gets run. Example:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com]
    Debugger = "%Windir%\svchost.exe"
    All I know is that tomorrow is going to be a hell of a day.
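Post #8 points at Debugger values under Image File Execution Options as a behaviour worth hunting for. The Python below is an added example, not part of the thread or of the ThreatExpert report: it triages a registry export for such values and notes when the debugger borrows a system binary name from outside System32. The function names, the `SYSTEM32_ONLY` list and the two `example-*` keys in the sample are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

IFEO = r"\image file execution options" + "\\"
# Assumption: binaries Windows keeps only in System32 (or SysWOW64).
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe"}
# First key is the entry quoted in the post; the other two are constructed.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com]
Debugger = "%Windir%\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-app.exe]
"Debugger"="C:\\Tools\\example-debugger.exe -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-plain.exe]
"GlobalFlag"=dword:00000000
'''
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"?Debugger"?\s*=\s*"(.*)"$', re.IGNORECASE)

def assess(debugger):
    """Triage notes for one Debugger command line."""
    m = re.search(r'[^"]*?\.exe', debugger, re.IGNORECASE)
    if not m:
        return []
    exe = PureWindowsPath(m.group(0))
    misplaced = (exe.name.lower() in SYSTEM32_ONLY and
                 exe.parent.name.lower() not in ("system32", "syswow64"))
    return ["system binary name outside System32"] if misplaced else []

def ifeo_debuggers(reg_text):
    """List every IFEO subkey that carries a Debugger value."""
    findings, image = [], None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            pos = key.group(1).lower().find(IFEO)
            image = key.group(1)[pos + len(IFEO):] if pos != -1 else None
            continue
        val = VAL_RE.match(line)
        if val and image:
            # .reg exports escape backslashes and quotes; undo that.
            dbg = re.sub(r'\\(["\\])', r"\1", val.group(1))
            findings.append({"image": image, "debugger": dbg,
                             "notes": assess(dbg)})
    return findings

if __name__ == "__main__":
    for f in ifeo_debuggers(SAMPLE):
        print(f["image"], "->", f["debugger"], f["notes"])
```

Every subkey with a Debugger value is reported for review; the note only ranks which ones to look at first.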


  9. Posts : 3,139
    Systems 1 and 2: Windows 7 Enterprise x64, Win 8 Developer
       #9

    I just sent a network-wide email. I wonder how many people will still ignore it?


  10. Posts : 121
    Windows 7
    Thread Starter
       #10

    Lemur said:
    I just sent a network-wide email. I wonder how many people will still ignore it?
    LOL. You are cracking me up today. Nobody is going to want to open any emails now. They're going to call IS for every single legitimate email that looks even a bit strange.

    Oh Joy.


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd