Here you have - Virus!!!

dranfu

I work for a company that has not yet admitted that it was hit by this virus, but we were today, and it was insane! Literally, some of our users' out-boxes were stuffed with up to 97,000 spam messages waiting to be sent out. It literally infected almost everyone.

And now after reading this story, it looks like it is happening to a lot of F-100 companies.
This is very scary, and just proves that no matter how much progress is made in information security, the bad guys always come up with something new.

'Here you have...' virus hits major companies - Technology & science - Security - msnbc.com
 

Not all that unusual. But they should have had some built-in solutions. Maybe next time they will be ready.


Ken
 

It wasn't clicking on the email, but the email link. We try to educate our people not to respond to unsolicited email. But you can knock your head against a wall and get the same result. Sometimes, the user is the most dangerous component of a system.
 

the user is the most dangerous component of a system.

That is true, without a doubt. But look at it from a user's perspective. They do business all day by email. And if they receive an email from someone on their contact list that says "here you go" or "here you are" and then talks about a document they were looking for, all they are going to do is click on it, and get on with business. And even more to the point, these emails the users were getting are coming from people on their contact list, from within their trusted corporate network--why would they not click it?

They aren't going to analyze it, they aren't going to check the properties of the link and see where it's pointing to, they are just going to click. The problem is, these Fortune 100 companies are not even close to as secure as they want the world to believe they are. That is the real problem.
 

VirusTotal report: these are the engines that, as of roughly 6 pm today, can actually identify it as a threat:

File name: PDF_Document21_025542010_pdf.scr
Submission date: 2010-09-09 18:52:15 (UTC)
Result: 13 /43 (30.2%)
Antivirus Version Last Update Result
AhnLab-V3 2010.09.09.01 2010.09.09 Malware/Win32.Trojan Horse
AntiVir 8.2.4.50 2010.09.09 -
Antiy-AVL 2.0.3.7 2010.09.09 -
Authentium 5.2.0.5 2010.09.09 W32/VBTrojan.17E!Maximus
Avast 4.8.1351.0 2010.09.09 -
Avast5 5.0.594.0 2010.09.09 -
AVG 9.0.0.851 2010.09.09 -
BitDefender 7.2 2010.09.09 Gen:Trojan.Heur.rm0@fnBStPoi
CAT-QuickHeal 11.00 2010.09.09 -
ClamAV 0.96.2.0-git 2010.09.09 -
Comodo 6027 2010.09.09 -
DrWeb 5.0.2.03300 2010.09.09 WIN.WORM.Virus
Emsisoft 5.0.0.37 2010.09.09 Gen.Trojan!IK
eSafe 7.0.17.0 2010.09.07 -
eTrust-Vet 36.1.7844 2010.09.09 -
F-Prot 4.6.1.107 2010.09.01 W32/VBTrojan.17E!Maximus
F-Secure 9.0.15370.0 2010.09.09 Gen:Trojan.Heur.rm0@fnBStPoi
Fortinet 4.1.143.0 2010.09.09 -
GData 21 2010.09.09 Gen:Trojan.Heur.rm0@fnBStPoi
Ikarus T3.1.1.88.0 2010.09.09 Gen.Trojan
Jiangmin 13.0.900 2010.09.09 -
K7AntiVirus 9.63.2483 2010.09.09 -
Kaspersky 7.0.0.125 2010.09.09 -
McAfee 5.400.0.1158 2010.09.09 Generic.dx!tsp
McAfee-GW-Edition 2010.1B 2010.09.09 Artemis!2BDE56D8FB2D
Microsoft 1.6103 2010.09.09 -
NOD32 5438 2010.09.09 probably unknown NewHeur_PE
Norman 6.06.06 2010.09.09 -
nProtect 2010-09-09.03 2010.09.09 -
Panda 10.0.2.7 2010.09.09 Suspicious file
PCTools 7.0.3.5 2010.09.09 -
Prevx 3.0 2010.09.09 -
Rising 22.64.03.01 2010.09.09 -
Sophos 4.57.0 2010.09.09 -
Sunbelt 6853 2010.09.09 -
SUPERAntiSpyware 4.40.0.1006 2010.09.09 -
Symantec 20101.1.1.7 2010.09.09 -
TheHacker 6.7.0.0.012 2010.09.09 -
TrendMicro 9.120.0.1004 2010.09.09 -
TrendMicro-HouseCall 9.120.0.1004 2010.09.09 -
VBA32 3.12.14.0 2010.09.08 -
ViRobot 2010.9.8.4031 2010.09.09 -
VirusBuster 12.64.26.0 2010.09.09 -
 

Looks like this thing may be trying to create a botnet, too. It just keeps getting better :doh:

'Here You Have' Email

I just sent my network admin a heads up. Not that universities have anything to worry about... :o

Lol. Oh, no. The universities will definitely be safe :)

McAfee has made a Stinger (stand-alone virus scanner) version just for the virus, if you want to run it on your network: http://vil.nai.com/vil/vbm/stinger.exe

Also, definitely check out the threat reports from ThreatExpert - Automated Threat Analysis. They have a bunch of behavior reports (reg keys created/modified, files manipulated, etc.) on the virus.

For example there are, of course, a bunch of image execution entries for svchost, so that when svchost is run, some malware also gets run. Example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com]
Debugger = "%Windir%\svchost.exe"

All I know is that tomorrow is going to be a hell of a day.
 

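The Image File Execution Options entry quoted above is a persistence trick, so a defender wants a quick way to list every IFEO Debugger value on a box and spot the odd ones. The script below is an added example, not code from the thread or from ThreatExpert: it parses a `reg export` of the IFEO key (the sample export is constructed; only the 00hoeav.com entry mirrors the one quoted above) and flags Debugger values that are not recognised debuggers. The genuine svchost.exe lives in %SystemRoot%\System32, so a Debugger of %Windir%\svchost.exe points at a lookalike and is rated highest.

```python
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe"}
# Core Windows binaries whose names malware borrows; the genuine ones live in System32.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Constructed sample of `reg export` output (not taken from the thread). The 00hoeav.com
# entry mirrors the one quoted above; the notepad.exe entry is a made-up benign one.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com]
"Debugger"="%Windir%\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows (x64)\\windbg.exe\""
"""

def parse_ifeo_debuggers(reg_text):
    """Map image name -> Debugger command for every IFEO subkey that sets one."""
    debuggers, image = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            image = key[len(IFEO_KEY) + 1:] if key.startswith(IFEO_KEY + "\\") else None
        elif image is not None:
            m = re.fullmatch(r'"Debugger"="(.*)"', line)
            if m:  # .reg files escape \ and " inside strings; undo that
                debuggers[image] = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return debuggers

def classify_debugger(command):
    """Return (severity, reason). Anything that is not a real debugger deserves a look."""
    cmd = command.strip()
    # Executable path: the quoted path if the command starts with a quote, else the first token.
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    directory, _, name = exe.rpartition("\\")
    name = name.lower()
    if name in KNOWN_DEBUGGERS:
        return "info", "recognised debugger"
    if name in SYSTEM_BINARIES and not directory.lower().endswith("system32"):
        return "high", "lookalike of a system binary outside System32 set as debugger"
    return "medium", "unrecognised program set as debugger"

def audit_ifeo(reg_text):
    """All IFEO Debugger entries as (image, command, severity, reason), worst first."""
    rank = {"high": 0, "medium": 1, "info": 2}
    rows = [(img, cmd, *classify_debugger(cmd)) for img, cmd in parse_ifeo_debuggers(reg_text).items()]
    return sorted(rows, key=lambda r: rank[r[2]])
```

On a live system the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` read as text; any "high" or "medium" row should be compared against what the debugging tools actually installed on that host.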
I just sent a network-wide email. I wonder how many people will still ignore it? :shock:
 

I just sent a network-wide email. I wonder how many people will still ignore it? :shock:

LOL. You are cracking me up today. Nobody is going to want to open any emails now. They're going to call IS for every single legitimate email that looks even a bit strange.

Oh Joy.
 

I just sent a network-wide email. I wonder how many people will still ignore it? :shock:

LOL. You are cracking me up today. Nobody is going to want to open any emails now. They're going to call IS for every single legitimate email that looks even a bit strange.

Oh Joy.

Oh, you want to crack up? How about yesterday our univ. president announcing his departure at 3 p.m., and a campus-wide email announcing the president will be making a speech at 3 p.m., only it arrives an hour later?
 

Oh, no, that's sad. Did he make the speech at 3pm?
 

Oh, no, that's sad. Did he make the speech at 3pm?

He did. Those in the know were told it was going to be on television, but he did a webcast instead.
 

Wow. LOL. I shouldn't laugh.
 

Well, I think there was a mention of Intel getting hammered with it and being offline as well.

Just goes to show that the level of computer security education is as high as the education level in the US... which is at an all-time low.

My only criticism is that the computer is now treated like a refrigerator (and yes, there was one person who did call tech support somewhere a long time ago and thought the computer just worked by plugging it in). People treat it like a black box and don't really take into consideration a lot of things they shouldn't do.

At the last job I was at, I would send out messages about that, and what galls me more is the fact that there are Mac and Linux people who say, "We don't have viruses," and the fact is, actually you do... Not as prolific as on Windows now, but you do have issues, so you can't sit there like you are in a fortress of solitude, and the most likely vector of any virus or malware is going to be the part of the computer that exists between the keyboard and chair!
 

URGENT - Email Virus with the Subject "Here You Have"

Please read and digest, and make sure your home anti-virus software is up to date!

Many thanks
Josh

All

The ABF Shared Service Centre have been tracking a new, malicious computer virus that spreads using an e-mail attack. The Virus is beginning to become more widespread.

The virus arrives via e-mail and has a subject line of “Here You Have” and asks the recipient to click on a link embedded in the e-mail. This link points to a malicious program file disguised as a PDF (Adobe Acrobat) file.

When the user clicks on this link, their computer instantly downloads and launches the Virus. This process also installs the virus onto the victim’s computer without the user knowing!

Once running on the computer, the Virus attempts to e-mail a copy of the original e-mail to all e-mail addresses found in the infected user’s e-mail address book.

The Virus also attempts to spread from computer to computer over the local network (to other machines on your home or office network) by copying itself to open drive shares found on other machines on the network.

Once the Virus copies itself to another machine, if a user opens the folder that contains the Virus on this new machine, this will launch it and cause it to spread further through both e-mail and over shared drives.

To mitigate the risk to the ABF Infrastructure, we have confirmed that both our Perimeter Email Protection system and our Symantec Anti Virus Solution, running the latest updates, will detect and eradicate the Virus.

If you receive an email with the subject line “Here You Have”, it should be deleted immediately.
 
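The lure the ABF notice describes (a "Here You Have" subject and a link to a program file dressed up as a PDF, the sample in the VirusTotal post above being named PDF_Document21_025542010_pdf.scr) is straightforward to screen for at a mail gateway. The following is an added example, not code from the thread or from ABF; the sample messages and the example.invalid host are constructed. It catches both the dotted `report.pdf.exe` style and the underscore-separated `_pdf.scr` style used here.

```python
import re
from urllib.parse import urlsplit

# Extensions Windows runs as programs, and document extensions worms use as decoys.
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "vbs", "js"}
DECOY_DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "txt", "jpg"}
LURE_SUBJECT = "here you have"  # subject line reported in the thread

def disguised_executable(filename):
    """True when a filename hints at a document but ends in an executable extension.
    Splits on '.', '_' and '-' so 'PDF_Document21_025542010_pdf.scr' is caught as
    well as 'report.pdf.exe'; a plain 'setup.exe' or 'agenda.pdf' is not."""
    name = filename.lower().rsplit("/", 1)[-1]
    parts = [p for p in re.split(r"[._-]", name) if p]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return False
    return any(p in DECOY_DOC_EXTS for p in parts[:-1])

def triage_message(subject, links):
    """Reasons a message matches the 'Here You Have' pattern; an empty list means no match."""
    reasons = []
    if subject.strip().lower().rstrip("!.") == LURE_SUBJECT:
        reasons.append("subject matches the known lure")
    for url in links:
        leaf = urlsplit(url).path.rsplit("/", 1)[-1]
        if disguised_executable(leaf):
            reasons.append(f"link to executable disguised as a document: {leaf}")
    return reasons

# Constructed sample messages (not real mail); example.invalid is a placeholder host.
SAMPLE_MESSAGES = {
    "msg-1": ("Here you have", ["http://example.invalid/PDF_Document21_025542010_pdf.scr"]),
    "msg-2": ("Here you have", ["http://example.invalid/files/agenda.pdf"]),
    "msg-3": ("Q3 numbers", ["http://example.invalid/Q3-report.pdf.exe"]),
    "msg-4": ("Lunch?", []),
}

def triage_all(messages):
    """Message id -> reasons, for every message that matched at least one rule."""
    return {mid: r for mid, (subj, links) in messages.items() if (r := triage_message(subj, links))}

if __name__ == "__main__":
    for mid, reasons in triage_all(SAMPLE_MESSAGES).items():
        print(mid, "->", "; ".join(reasons))
```

A subject-only hit (msg-2) is worth quarantining for review rather than dropping, since legitimate mail can carry the same words; a disguised-executable link is a strong signal on its own.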
Sorry, but the bottom half of the post should be in quotes.
 
