Author Topic: Fast-moving email worm start to spread on Thursday (W32.Imsolk.A@mm worm, .scr)  (Read 11330 times)


Samker


A fast-moving email worm that began spreading on Thursday has been able to affect hundreds of thousands of computers worldwide, anti-virus provider Symantec warned.

The email arrives with the subject “Here you have.” An executable screensaver that's disguised as a PDF document then tries to send the same message to everyone listed in the recipient's address book. The .scr file is a variation of the W32.Imsolk.A@mm worm Symantec discovered last month: http://www.symantec.com/security_response/writeup.jsp?docid=2010-082013-3322-99

In addition to spreading through email, it can propagate through mapped drives, autorun and instant messenger. It also has the ability to disable various security programs.

The worm is a throwback to attacks not seen in almost a decade, when the Anna Kournikova and I Love You attacks wreaked havoc on email systems worldwide. The Here You Go worm appears to be different in that the malicious payload is downloaded from a page on members.multimania.com, rather than being attached to the email. That could make efforts to eradicate the worm easier.

Then again, McAfee said multiple variants of the worm appear to be spreading, so it's not yet clear that the malicious screensaver is hosted by a single source.

More from Symantec and McAfee here: http://www.symantec.com/connect/blogs/new-round-email-worm-here-you-have and here: http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/

(ElReg)
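A defender-side illustration, added here and not part of the original post or of any vendor's tooling: a small Python mail-triage check keyed on the indicators the post describes (the "Here you have" subject line and a web link to an .scr screensaver posing as a PDF). The sample messages and host names are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default

# Indicators taken from the post above: the lure subject and an .scr screensaver
# reached through a web link while posing as a PDF document.
WORM_SUBJECT = "here you have"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
SCR_URL_RE = re.compile(r"\.scr(?:[?#].*)?$", re.IGNORECASE)


def classify(raw_message: str) -> dict:
    """Inspect one RFC 822 message string and return the indicators it triggers."""
    msg = message_from_string(raw_message, policy=default)
    # Normalise so "Here you have." and "HERE YOU HAVE" compare equal; the exact
    # match keeps ordinary mail such as "Here you have the Q3 numbers" clean.
    subject = (msg["Subject"] or "").strip().rstrip(".!").strip().lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    scr_links = [u for u in URL_RE.findall(text) if SCR_URL_RE.search(u)]
    # An .scr whose path or surrounding text advertises a PDF is the disguise
    # described above: an executable dressed up as a document.
    pdf_masquerade = bool(scr_links) and (
        any(".pdf" in u.lower() for u in scr_links) or "pdf" in text.lower()
    )
    if scr_links:
        verdict = "block"        # link to an executable download: never deliver
    elif subject == WORM_SUBJECT:
        verdict = "quarantine"   # lure subject alone: hold for a human look
    else:
        verdict = "pass"
    return {"subject_match": subject == WORM_SUBJECT, "scr_links": scr_links,
            "pdf_masquerade": pdf_masquerade, "verdict": verdict}


# Constructed sample messages (not real captures); the host names are placeholders.
WORM_MAIL = (
    "From: colleague@example.test\n"
    "Subject: Here you have\n"
    "\n"
    "Hello, this is the PDF document I told you about:\n"
    "http://members.placeholder-host.test/library/PDF_Document.pdf.scr\n"
)
LURE_ONLY_MAIL = "Subject: Here you have.\n\nCall me when you get in.\n"
BENIGN_MAIL = "Subject: Here you have the Q3 numbers\n\nhttps://intranet.example.test/q3.pdf\n"


def triage(messages):
    """Return the verdict for each raw message, in order."""
    return [classify(m)["verdict"] for m in messages]
```

Running `triage([WORM_MAIL, LURE_ONLY_MAIL, BENIGN_MAIL])` yields one verdict per message; the benign mail passes because the subject check is an exact match after normalisation, not a substring search.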



AllSecurityUp

Rather nasty payload on that one. Good for you to post this, as worms, or email malware generally, can sometimes be avoided by user vigilance, especially about watching out for specific subject lines.

Aside from users' own security software and vigilance, users should also try to use an email provider that pre-screens emails for malware as well.

Good post Samker.

Samker

Quote
Good post Samker.

Tnx ASU.  :thumbsup:


We'll continue to cover this Topic with latest news about "Here you have" worm.




Samker


Cisco: 'Here You Have' Worm Caused Brief Havoc

The "Here you have" worm that clogged e-mail systems on Thursday briefly caused one of the worst spam outbreaks of 2010, according to Cisco Systems.

For a few hours -- between 17:45 and 20:30 GMT -- the worm accounted for between 6 percent and 14 percent of all spam measured by Cisco's IronPort group.

It was the biggest spam outbreak since scammers pounced on the iPad launch back in March to try to trick people into visiting malicious websites, said Nilesh Bhandari, a product manager with Cisco. "That is humongous," he said.

"Here you have" spread primarily via e-mail, in messages that tried to entice victims into visiting a website that would install a malicious script on their computers. That script then scoured the victim's Outlook contacts list and sent similar messages to new victims. The worm also spread over the network, using a special PsExec script and via USB drives.

The worm's advance has been halted now for two reasons: Antivirus companies have added detection for the worm, and the website that hosted the malicious script has been taken offline. Cisco's data shows that by 12:00 GMT Friday it accounted for virtually none of the spam Cisco was tracking.

The worm primarily affected business networks in the U.S., Microsoft said in an analysis of the incident, posted late Friday. "For the first twelve hours of attack activity we monitored, 91% of the infections and infection attempts were reported from our corporate clients--the opposite of the pattern we normally see": http://blogs.technet.com/b/mmpc/archive/2010/09/10/update-on-the-here-you-have-worm-visal-b.aspx

It reportedly slowed down networks at Disney, Procter & Gamble, Wells Fargo and NASA.

This type of mass-mailing worm has largely been off the radar since the days of the Anna Kournikova and I Love You outbreaks in the early 2000s, but security experts say there are a few unusual things about "Here You Have."

There are several signs that may link it to a Libyan jihadist hacker named Iraq Resistance, SecureWorks said on Friday:

Quote
Much of the worm's code is identical to an earlier piece of malware that was released last month, and both worms refer to a Libyan hacker who uses the name Iraq Resistance, who has been trying to form a hacking group called Brigades of Tariq ibn Ziyad, said Joe Stewart, director of malware research with SecureWorks.

"Either this person is involved with this virus, or somebody wants to make it seem like this person's group is involved in this virus," Stewart said. "There are a lot of pointers to that group."

The goal of Tariq ibn Ziyad is "to penetrate U.S. agencies belonging to the U.S. Army," Iraq Resistance said, according to his post announcing the group: http://www.osoud.net/vb/showthread.php?t=30779

Google translation: http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=auto&tl=en&u=http%3A%2F%2Fwww.osoud.net%2Fvb%2Fshowthread.php%3Ft%3D30779


Most agree that the worm is not particularly sophisticated. Its success shows that it's still possible to infect a lot of computers by finding ways to trick people into doing things they shouldn't -- such as clicking on links and running malicious files. "[It] just shows that the human exploit is the easiest vector," said Alex Lanstein, a researcher with security vendor FireEye, in an e-mail message.

(PCW)



If you suspect that you're infected with the "Here you have" worm, please visit SCF's "PC Help Center" and open a new Topic with a request for help...: http://scforum.info/index.php?action=forum



AllSecurityUp

Samker, do you know why this one still had some effect when it was known in advance? Was it variants?

Excellent point at the end: "... finding ways to trick people into doing things they shouldn't -- such as clicking on links ..." This still amazes me.


Samker

Quote
Samker, do you know why this one still had some effect when it was known in advance? Was it variants?


This is still unclear... ???, because of that we closely watch this threat.


AllSecurityUp

Thanks Samker, you're my main source on this one.  :thumbsup:

We closely watch this thread.

Samker

"Here You Have" Virus

A hacker who claims he was behind a fast-spreading e-mail worm that crippled corporate networks last week said that the worm was designed, in part, as a propaganda tool.

The hacker, known as Iraq Resistance, responded to inquiries sent to an e-mail address associated with the "Here you have" worm, which during a brief period early Thursday accounted for about 10 percent of the spam on the Internet. He (or she) revealed no details about his identity, but said, "The creation of this is just a tool to reach my voice to people maybe... or maybe other things."

He said he had not expected the worm to spread as broadly as it had, and noted that he could have done much more damage to victims. "I could smash all those infected but I wouldn't," said the hacker. "I hope all people understand that I am not negative person!" In other parts of the message, he was critical of the U.S. war in Iraq.

On Sunday, Iraq Resistance posted a video echoing these sentiments and complaining, through a computer-generated voice (above), that his actions were not as bad as those of Terry Jones. Jones is the pastor at a small Florida church who received worldwide attention this week for threatening to burn copies of the Koran.

Security experts agree that the worm could have caused more damage. However, it did include some very malicious components, such as password logging software and a backdoor program that could have been used to allow its creator to control infected machines. But because the software was not terribly sophisticated, it was quickly shut down as Web servers that it used to infect machines and issue new commands were taken offline last week.

"Here you have" spread when victims clicked on a Web link and then allowed a malicious script to run on their computer. It is the more-successful follow-up to an August worm that included the e-mail address that Iraq Resistance used to communicate with the IDG News Service: http://www.symantec.com/security_response/writeup.jsp?docid=2010-082013-3322-99&tabid=2

According to Cisco, the worm accounted for between 6 percent and 14 percent of the world's spam for a few hours Thursday. It primarily gummed up corporate e-mail networks in the U.S.

It is the first worm in years to have such a widespread and noisy effect, hearkening back to the days of the Anna Kournikova worm. Nowadays, most malware writers don't want to draw attention to their activities, because they generally want to keep their malicious software hidden away on victims' computers as long as possible.

Disney, Procter and Gamble, Wells Fargo and the U.S. National Aeronautics and Space Administration (NASA) are among the organizations reported to have been hit by the worm.

SecureWorks Researcher Joe Stewart believes that Iraq Defense is a Libyan hacker who is trying to gain followers for a cyber jihad hacking group called Brigades of Tariq ibn Ziyad.

Tariq ibn Ziyad was the eighth century commander who conquered much of Spain on behalf of the Umayyad Caliphate. Iraq Resistance's YouTube video has a Spanish theme too. It shows a map of Andalucia, and Iraq Resistance lists his location as "Spain" in his YouTube profile.

In his e-mails, Iraq Resistance did not answer questions about his identity, saying that he was worried about his safety. "I think this information is enough for you and having more looks like [an] investigation," he said. "I don't see myself that criminal."

(PCW)

krrjhn

Thanks Samker, you always rock!!
