There appears to be an actual email worm in circulation right now, using the tried-and-true infection method of sending malicious emails to all of the names in a user’s email address book.
As of Friday afternoon, the malicious files had been deleted from the remote server in the UK that was serving as the download site for the malware. This move should effectively limit new infections, although machines that are infected already will continue to send out the emails until they’re cleaned.
The worm arrives via emails with the subject line “Here You Have” or something similar, and the messages contain a link to a site that will download a malicious file to the victim’s PC. The malware then drops itself into the Windows directory with a file name of CSRSS.EXE, which is identical to a legitimate Windows file, according to an analysis by McAfee researchers.
“The URL does not actually lead to a PDF document, but rather an
executable in disguise, such as PDF_Document21_025542010_pdf.scr served
from a different domain, such as members.multimania.co.uk,” the analysis says.
From there, it’s 2001 all over again, as the worm attempts to mail itself to all of the contacts in the victim’s Outlook address book. The malware also tries to stop any security software or anti-malware programs running on the machine. McAfee’s researchers found that the worm also can spread via network shares and AutoRun.
The SANS Internet Storm Center analysis of the worm says that the original malicious file that was being downloaded during the infection routine looks to have been removed from the remote site involved in the attack. Also, the malware at first was trying to contact a remote server to download other content. That domain has been blackholed, SANS analyst Marcus Sachs said.
This infection routine was made famous and perfected by malware authors in the early part of the 2000s, most notably with mass-mailing viruses such as ILoveYou. The difference with those earlier attacks is that the emails typically carried the malicious file itself and didn’t rely on a link to a downloading site. But the technique used to entice users to click on the attachment or malicious link is the same: Offer the user something he wants to see.
In the case of older viruses, they typically promised pictures of Anna Kournikova or Britney Spears. Now, it’s down to mundane things like “the document I told you about.” There appear to be several variants of the new worm making the rounds already.