Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

“Here you have” Virus – W32/[email protected] – Details, Removal Methods and Resources

“Here you have” Virus – Details and Removal Methods  (W32/[email protected][email protected])

“Here you have” Virus – Details and Removal Methods  (W32/[email protected][email protected])

Antivirus vendors and the US-CERT have issued alerts of a worm spreading through email with the subject “Here you have” and being identified as the W32/[email protected] or “VBMania” worm by McAfee, [email protected] by Symantec, or simply the “here you have” virus.Removing W32/VBMania@mm

The virus has been spreading primarily via email, asking recipients to click on a link masked as a PDF file that actually links to malware being hosted on an external server. In a sample, an emailed contained a link to “PDF_Document21_025542010_pdf.scr’” which directed users to malware hosted on the domain “members.multimania.co.uk.”

The virus had been spreading rapidly but researchers are saying that volume has dropped significantly once the site hosting the malware was shut down.

When a user clicks on the link, their computer instantly downloads and launches the malware. It then copies itself into the Windows directory using the name CSRSS.EXE, an identical file name to a legitimate Windows file, according to McAfee researchers.

Symantec warned that the worm also attempts to spread from computer to computer over local networks (other computers on a home or office network) by copying itself to shared drives on the network. Once the threat copies itself to another machine, if a user opens the folder that contains the threat, it will launch and start a whole new cycle.

Related Story: Iraqi Resistance Group Claiming Responsibility for ‘Here You Have’ Virus May be Based in Spain

Symantec suggests that IT managers disable network sharing and/or disconnect infected computers from the local network and Internet and block outbound traffic to the domains/ IP addresses contained in the malicious e-mail to prevent users connecting to distribution sites to download.

Symantec also noted that due to the large volume of messages being generated by the worm, some e-mail servers have getting “clogged” with some being brought down completely.

Responses and Details from Symantec and McAfee

Symantec "Here You Have" Virus

 Symantec’s Response: Identified as [email protected] worm, a minor variation of [email protected] 

Risk Level 3: Moderate

Symantec users will be protected from this threat under the name ‘Trojan Horse’, if virus definitions version 20100909.023 or later are applied. Additionally, products that support Download Insight functionality will trigger on the attempted download. A forthcoming update will identify the malware under a more appropriate [email protected] detection name.

Symantec’s [email protected] Removal Instructions

McAfee W32/VBMania@MM

 

 

McAfee’s Response and Notes Identified as W32/[email protected] or “VBMania” worm

McAfee Corporate KnowledgeBase and Response to W32/[email protected] 

McAfee Labs Blog on “Here You Have” Virus

DAT Updates6101 DAT Release

For systems that are already infected: McAfee has released a new version of their Stinger utility to detect and remove this threat. Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but a tool to assist administrators and users when dealing with an infected system.

For more information about Stinger, see: http://vil.nai.com/vil/stinger/

Stinger can be downloaded DIRECTLY from the following URL: http://vil.nai.com/vil/vbm/stinger.exe

For McAfee Customers – McAfee TrustedSource is actively protecting against this threat. Customers with McAfee TrustedSource Email Reputation will have the emails blocked. Customers with McAfee TrustedSource Web Reputation will have the URL blocked from click-through. McAfee Artemis provides protection as well.

Static URLs in the email link to a .SCR file. McAfee recommends that customers filter for the URL on gateway and email servers, and block the creation of .SCR files on endpoint systems.

Sophos ProfileW32/Autorun-BHO

Barracuda Labs“Here You Have” Teaches an Old Worm a New Trick

Trend Micro – Identified as WORM_MEYLME.B Old Malware Out of Its Shell (Blog Post with Details)

• Removing W32/[email protected]

• Removing [email protected]

• Removing “here you have” virus

Subscribe to SecurityWeek for Threat Updates

SecurityWeek RSS Feed

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...