New Email Worm Turns Back the Clock on Virus Attacks

There appears to be an actual email worm in circulation right now, using the tried-and-true infection method of sending malicious emails to all of the names in a user’s email address book.

As of Friday afternoon, the malicious files had been deleted from the remote server in the UK that was serving as the download site for the malware. This move should effectively limit new infections, although machines that are infected already will continue to send out the emails until they’re cleaned.

The worm arrives via emails with the subject line “Here You Have” or something similar, and the messages contain a link to a site that downloads a malicious file to the victim’s PC. The malware then drops itself into the Windows directory under the file name CSRSS.EXE, the same name as a legitimate Windows system file, according to an analysis by McAfee researchers.

“The URL does not actually lead to a PDF document, but rather an executable in disguise, such as PDF_Document21_025542010_pdf.scr served from a different domain, such as members.multimania.co.uk,” the analysis says.

From there, it’s 2001 all over again, as the worm attempts to mail itself to all of the contacts in the victim’s Outlook address book. The malware also tries to stop any security software or anti-malware programs running on the machine. McAfee’s researchers found that the worm also can spread via network shares and AutoRun.
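The lure described above (a link whose target is a Windows executable named to look like a PDF) is something a mail gateway or a help-desk triage script can check for mechanically. The following is an added Python example and is not code from the Threatpost article or from the McAfee or SANS analyses. It assumes the subject-line match is only corroboration, that the file extensions listed are the ones worth flagging, and that the sample messages, hosts and addresses are constructed placeholders; only the filename comes from the McAfee quote.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Extensions Windows runs directly when a user opens the downloaded file.
# ".scr" (screen saver) is the one the McAfee analysis names for this worm.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}

# Tokens that make a filename read as a harmless document to the recipient.
DOCUMENT_HINTS = ("pdf", "doc", "document")

# The subject line reported for this worm. Matching it is corroboration only;
# a subject match on its own is never treated as malicious (assumption).
SUBJECT_RE = re.compile(r"\bhere you have\b", re.I)

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)


def classify_url(url):
    """Return the reasons a URL looks like an executable posing as a document.

    An empty list means nothing suspicious was found in the URL's path.
    """
    reasons = []
    filename = urlparse(url).path.lower().rsplit("/", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[-1] if "." in filename else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        stem = filename[: -len(ext)]
        if any(hint in stem for hint in DOCUMENT_HINTS):
            reasons.append("filename pretends to be a document")
    return reasons


def _text_parts(msg):
    """Yield the decoded text/plain and text/html bodies of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                yield payload.decode(part.get_content_charset() or "utf-8",
                                     errors="replace")


def assess(raw_message):
    """Return (verdict, findings) for one raw RFC 822 message.

    verdict is "clean", "suspicious" (disguised executable link found) or
    "likely-worm" (such a link plus the reported lure subject line).
    """
    msg = message_from_string(raw_message)
    findings = []
    for text in _text_parts(msg):
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;:)")  # drop sentence punctuation glued to the link
            for reason in classify_url(url):
                findings.append(f"{url}: {reason}")
    if not findings:
        return "clean", findings
    if SUBJECT_RE.search(msg.get("Subject", "")):
        findings.insert(0, "subject matches the reported lure")
        return "likely-worm", findings
    return "suspicious", findings


# Constructed sample messages. The filename is the one quoted in the McAfee
# analysis; the hosts and addresses are placeholders, not the real ones.
WORM_MAIL = """\
From: colleague@example.test
To: victim@example.test
Subject: Here you have

Hello:

This is The Document I told you about, you can find it Here.
http://members.example.test/library/PDF_Document21_025542010_pdf.scr

Please check it and reply as soon as possible.
"""

CLEAN_MAIL = """\
From: colleague@example.test
To: victim@example.test
Subject: Here you have the Q3 figures

The report is at https://intranet.example.test/reports/q3_figures.pdf.
Thanks.
"""

if __name__ == "__main__":
    for name, raw in (("worm", WORM_MAIL), ("clean", CLEAN_MAIL)):
        verdict, findings = assess(raw)
        print(f"{name}: {verdict}")
        for finding in findings:
            print("  -", finding)
```

The second sample exists to show the deliberate edge case: a legitimate message whose subject happens to contain the lure phrase stays "clean", because the verdict is driven by the link target, not the subject. Extending the check to the mismatch between the link text and the host it actually points to (the "different domain" the McAfee quote mentions) is a natural next step for an HTML body.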

The SANS Internet Storm Center analysis of the worm says that the original malicious file that was being downloaded during the infection routine looks to have been removed from the remote site involved in the attack. Also, the malware at first was trying to contact a remote server to download other content. That domain has been blackholed, SANS analyst Marcus Sachs said.

This infection routine was made famous and perfected by malware authors in the early part of the 2000s, most notably with mass-mailing viruses such as ILoveYou. The difference with those earlier attacks is that the emails typically carried the malicious file itself and didn’t rely on a link to a downloading site. But the technique used to entice users to click on the attachment or malicious link is the same: Offer the user something he wants to see.

In the case of older viruses, they typically promised pictures of Anna Kournikova or Britney Spears. Now, it’s down to mundane things like “the document I told you about.” There appear to be several variants of the new worm making the rounds already.

Discussion

  • Anonymous on

    I got one of those emails today at work.  Moused over the link in Outlook 12, saw that it was really a .scr file, and deleted it.

  • Anonymous on

    This hit one of our affiliated corporate networks today around 12pm eastern. It was a mess.

  • DarcBird on

    hah hah hah hah! I'm so happy I'm now using Ubuntu as my main OS! hehehehehe!

  • Anonymous on

    This hit us too, over 300 users fell to the re-format axe. It shares out C:\Windows\system as an SMB share "updates" and drops a file named updates.exe, as well as an autorun.ini file pointing to it. It does the same to any writable file share it finds. Using Linux has nothing to do with it, shut up.

  • Anonymous on

    Were your users administrators?

  • Anonymous on

    administrators users = stupid

    non-windows machines have plenty to do with it

  • Anonymous on

    An Outlook address book? ha ha ha ha ha ha ha ha

  • Anonymous on

    No Microsoft, no problem.

    Poor grumpy Windows users, you have my sympathy! (wipes away tear)

  • Duffstar on

    Interestingly the McAfee server we have is starting to report malicious files on our Linux workstations more and more. I believe MS users will be laughing in the face of Linux users who think they are impermiable to virus attacks and have no protection

  • Anonymous on

    impermiable is not a word. I think you mean impervious or impenetrable maybe?

  • Anonymous on

    It is a word, it was just the wrong one and was spelled incorrectly....

    im·per·me·a·ble/imˈpərmēəbəl/Adjective

    1. Not allowing fluid to pass through: "an impermeable membrane".
    2. Not liable to be affected by pain or distress; insusceptible or imperturbable: "women who appear impermeable to pain".

  • Anonymous on

    Actually, it is a word and it means non-passable.

  • Anonymous on

    I saw this hit the news last night.  They claimed it was hitting everyone hard.  I've yet to see a single instance of it at either place I work or at any of my personal e-mail addresses.

  • Anonymous on

    LINUX can be a host to infected files.  It is possible to receive these emails carrying the link, and it is possible to click the link while in LINUX and initiate a download of the malware.  It is less likely that the malware will be able to penetrate the OS and then be able to spread itself unless the LINUX user is running Outlook via Crossover or Wine.

    This is still a security issue on networks that share files between different operating systems.  Just like a mosquito can carry malaria, not be affected by the virus, but can still transmit the virus to humans.

    From this standpoint it is still a good idea to verify that your files are not malware even on a LINUX system, especially if those files may be transferred to a Windows OS.

  • Anonymous on

     I've been able to do everything using Linux Mint I ever did using Windows.

    I like using IBM Lotus Symphony which is free. It's more refined imo than OpenOffice which it's based on.

  • Anonymous on

    Glad to be using thunderbird on Linux.

  • Anonymous on

    I'm Glad to be using Tbird on Linux but running it as a different user than my login :)

  • Anonymous on

    You guys aren't exactly covering yourselves in glory here.

    The issue is some criminals doing serious damage to expensive installations, not abuse of the English language.  If you worked together to do something constructive instead of trying to score preening points off each other then the rest of us could probably get more productive work done.

  • Anonymous on

    This should be marked as a troll.

    Nothing to see here . . . move along . . .

  • Anonymous on

    We're MS users but had no problems with any of these emails coming through. Our email traffic is filtered in the cloud with MessageLabs before it hits our exchange servers, so no issues here.

  • Anonymous on

    As usual, you windows guys miss the point. Linux is unaffected by this, even if you download it to a Linux box, you would have to transfer it to a Windows box and some numpty would have to execute it there, deliberately. The problem for Windows is the naïveté/gullibility/stupidity of users coupled with an OS that is far too easy to abuse (that and a truly horrible mail app in M$ Outbreak).

  • Nate on

    And as usual, most *Nix users miss the biggest point while trying to pat themselves on the back.  It's not a Windows versus *Nix issue on how easy it is to infect an OS.  It's about usability.  When any flavor of *Nix becomes the predominant desktop flavor, the vast majority of the virii/worms written will be targeted that direction.  In short, those that write this crap are looking to cause the maximum amount of damage, and where's the biggest market share?  Oh yeah, Windows...  Side note: how many *Nix users have taught their Grandparents successfully how to use Ubuntu/Fedora/etc?

  • Anonymous on

    Computer "viruses" have been around longer than windows.

    I remember hearing about viruses when i was a kid (pre-windows days), so I did a quick search and.... From Wikipedia:

    "1988

        * ...............................................
        * November 2: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities."

    I'm a *nix fan myself. I use Linux for a variety of things, and use FreeBSD as my Desktop. But those, especially in the Linux camp, have enjoyed both not being the "low hanging fruit" and being low enough in numbers not to be attractive targets to your average script kiddie. But that is changing.

    The number of Linux users is growing, and not only that, but thanks to distros like Ubuntu that require very little learning to install and use, the number of users that know NOTHING about their systems is growing. Many of these people running Ubuntu would have no idea whether their system was infected if it was, or even how to find out!

    One thing I have learned in my years as a computer/network technician is that you CANNOT stop people from infecting their computers. Idiots moving from windows to linux will only create a generation of people infecting their linux computers. Once that happens, those virus/worm/trojan etc... writers will be more than happy to start helping them accomplish that by writing the code, and finding ways to help them get it on their machines.

    Compile that with the fact that microsoft has been "borrowing" security practices from the *nix camp to prevent another security fiasco like we had with XP, and I think we are getting ripe for the time when people start going after our *nix boxes more and more.

    Take a look around, there are already Trojans, keyloggers, IRC bots, etc that run on linux if you look hard enough.

  • Anonymous on

    Outlook blocks .scr files so not a problem with outlook.

  • WareZwolF on

    Right on the money. *N?x is actually easier to hack than windows. Most who master the OS seriously lack security skills. Those that master it and have security skills have never been expressly targeted before.

  • Anonymous on

    My workplace Loblaws has been hit hard by it big time. I've gotten close to a hundred emails yesterday. With all employees' contact lists numbering in the thousands, everyone is getting hit with it across the country.

  • Anonymous on

    I'm happy you use ubuntu too, teabagger.

  • Anonymous on

    Is my computer safe if I use a condom?

  • Anonymous on

    Seems that comp buffs, are v.arrogant...calling people idiots etc. Sad

  • Anonymous on

    I believe Symantec wasn't blocking this until late Thursday, right?  We installed an update Friday morning.  Seems we lucked out and were not infected as the staff who received the emails didn't click on the link.  If they had, could any existing anti-virus protection have stopped it prior to late Thursday when Symantec issued their Rapid Release update?

  • Anonymous on

    1st email address in my list is a fake (not that I use any M$ email software), this helps to stop some of these type of viruses. I have even seen car computers with viruses (infected on purpose) which could switch off the engine or even affect braking systems. These viruses needed the user to gain physical access to the car to upload the virus but more cars now are coming out with BlueTooth. There are also a lot of mobile phone viruses too. So no matter what OS you may run it still relies on the end user to know their system to help reduce the risk of infection (that said, most users tend to be idiots, and the interfaces tend to treat them like idiots)

  • Anonymous on

    In the real world, no OS is secure. It is just simple numbers. Bigger user of OS makes the OS an easy target. Its like a buck shot gun, just shot and you will hit something coz too many of the users around. Trust me, its soo easy with windows a blind man could do it (a hacker is blind in terms of network awareness).

    Some may not agree that Linux is safer but in general Linux was built from a different angle than windows. Unfortunately that angle is where hackers usually comes in. Fear not, all hope is not lost as I said no OS is secure. Linux is a bit harder but it is possible to hack it.

    To all you here fighting which is better just stop it. If you are on a windows just keep quiet and use it. Be happy with it, after all you paid for it. Its a good OS btw, Im using it also.

    As for Linux user, dont be too happy and act like you are invincible to virus/worm. Its not. Spend like 12 years with it and you will understand it. What you understand can be dangerous to others.

    Most of the time, its not the OS that is vulnerable. The best hacker in the world dont go brute force attack. What did they use? Go figure :)

  • Anonymous on

    This is pretty scary.... oh well I'm on a mac.

  • Anonymous on

    I've received none of these emails as yet, so must conclude that either

    • I have no friends :-(
    • GMail have detected and blocked it, which seems probable and easy for them to do.

    I remember letting someone use my Linux machine to do some web research. They asked why various things they'd downloaded weren't viewable. I saw a few files .doc.exe and similar and explained.

    Some users would do the necessary things on their Linux machines to run something as root if they were promised what they wanted. A shame really. There is an attitude that computers should be "user friendly" meaning "I should not have to think about this" - yet people do learn about security of other things.

  • the llama on

    So we can conclude the discussion with the statement, that it's more important to educate users than to argue on which OS to use.

    P.S. -(But still Windows is horribly stupid...)

  • Vosana on

    no one is completely immune to viruses I don't care how secure you think your system is it only takes one to really do damage. while windows machines will still be the most vulnerable as they are being the most widely used, as Linux continues to grow, writers will take notice of this and find ways to infect them too. I have played with Linux but I am not that familiar with it just yet. I have had Ubuntu, Xubuntu and mint installed on a virtual machine briefly but didn't deal with it too much. it all boils down to the user in many cases. if you click on everything you see, you will get infected no matter what you run. but the idea that because you run a certain system you won't get infected isn't true. (and if you noticed even antivirus software is becoming available for macs that alone should tell you something)
