
“Here you have” Virus – W32/VBMania@MM – Details, Removal Methods and Resources


Antivirus vendors and US-CERT have issued alerts about a worm spreading through email with the subject “Here you have.” It is identified as W32/VBMania@mm or the “VBMania” worm by McAfee, as W32.Imsolk.B@mm by Symantec, or simply as the “here you have” virus.

The virus has been spreading primarily via email, asking recipients to click on a link disguised as a PDF file that actually points to malware hosted on an external server. In one sample, an email contained a link to “PDF_Document21_025542010_pdf.scr” (a .scr file is a Windows screensaver executable, not a PDF), which directed users to malware hosted on the domain “members.multimania.co.uk.”

The virus had been spreading rapidly, but researchers say that volume dropped significantly once the site hosting the malware was shut down.

When a user clicks on the link, their computer immediately downloads and launches the malware. It then copies itself into the Windows directory under the name CSRSS.EXE, the same file name as a legitimate Windows system file, according to McAfee researchers.

Symantec warned that the worm also attempts to spread from computer to computer over local networks (other computers on a home or office network) by copying itself to shared drives on the network. Once the threat copies itself to another machine, if a user opens the folder that contains the threat, it will launch and start a whole new cycle.

Related Story: Iraqi Resistance Group Claiming Responsibility for ‘Here You Have’ Virus May be Based in Spain

Symantec suggests that IT managers disable network sharing and/or disconnect infected computers from the local network and the Internet, and block outbound traffic to the domains/IP addresses contained in the malicious e-mail to prevent users from connecting to the distribution sites and downloading the malware.

Symantec also noted that, due to the large volume of messages being generated by the worm, some e-mail servers are getting “clogged,” with some being brought down completely.


Responses and Details from Symantec and McAfee

Symantec "Here You Have" Virus

Symantec’s Response: Identified as the W32.Imsolk.B@mm worm, a minor variation of W32.Imsolk.A@mm

Risk Level 3: Moderate

Symantec users will be protected from this threat under the name ‘Trojan Horse’, if virus definitions version 20100909.023 or later are applied. Additionally, products that support Download Insight functionality will trigger on the attempted download. A forthcoming update will identify the malware under a more appropriate W32.Imsolk.B@mm detection name.

Symantec’s W32.Imsolk.B@mm Removal Instructions

McAfee W32/VBMania@MM

McAfee’s Response and Notes: Identified as the W32/VBMania@mm or “VBMania” worm

McAfee Corporate KnowledgeBase and Response to W32/VBMania@mm

McAfee Labs Blog on “Here You Have” Virus

DAT Updates: 6101 DAT Release

For systems that are already infected: McAfee has released a new version of their Stinger utility to detect and remove this threat. Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but a tool to assist administrators and users when dealing with an infected system.

For more information about Stinger, see: http://vil.nai.com/vil/stinger/

Stinger can be downloaded DIRECTLY from the following URL: http://vil.nai.com/vil/vbm/stinger.exe

For McAfee Customers – McAfee TrustedSource is actively protecting against this threat. Customers with McAfee TrustedSource Email Reputation will have the emails blocked. Customers with McAfee TrustedSource Web Reputation will have the URL blocked from click-through. McAfee Artemis provides protection as well.

Static URLs in the email link to a .SCR file. McAfee recommends that customers filter for the URL on gateway and email servers, and block the creation of .SCR files on endpoint systems.
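The gateway-side filtering McAfee recommends above (catching the document-named .SCR link at the mail gateway and producing the host list to block outbound traffic to) can be demonstrated with a small triage routine. This is an added example, not code from the article or from either vendor. It assumes a gateway hook that hands the routine one raw RFC 822 message and acts on the returned verdict; the extension list, the “quarantine on campaign subject without a link” rule, the sample messages and the host name files.example.test are all constructed for illustration. The file name follows the shape of the sample quoted in the article.

```python
"""Gateway-side triage for "Here you have"-style email lures.

Added example (not from the article or the vendors): given a raw email,
find body links that point at an executable disguised with a document-like
file name, decide whether to block the message, and list the hosts to add
to an outbound block list. Sample messages and host names are constructed.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Executable extensions that should never be delivered as a "document" link.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
# Document types a lure's file name tends to imitate ("..._pdf.scr").
DOCUMENT_HINTS = ("pdf", "doc", "xls", "ppt")
# Subject lines tied to this campaign (from the vendor alerts).
KNOWN_SUBJECTS = {"here you have"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_url(url):
    """Return details if the URL points at an executable file, else None."""
    url = url.rstrip(".,;:)")          # drop sentence punctuation glued to the link
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if "." not in filename:
        return None
    ext = "." + filename.rsplit(".", 1)[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    stem = filename[: -len(ext)]
    # A document-looking stem in front of an executable extension is the
    # double-extension trick the lure relies on (PDF_Document..._pdf.scr).
    masquerade = any(hint in stem for hint in DOCUMENT_HINTS)
    return {"url": url, "host": parsed.hostname, "ext": ext, "masquerade": masquerade}


def _text_parts(msg):
    """Yield the decoded text of every text/* part (covers non-multipart mail too)."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def triage_message(raw):
    """Classify one raw RFC 822 message as 'block', 'quarantine' or 'allow'."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    subject_match = subject in KNOWN_SUBJECTS
    findings = []
    for text in _text_parts(msg):
        for url in URL_RE.findall(text):
            hit = classify_url(url)
            if hit:
                findings.append(hit)
    if findings:
        verdict = "block"
    elif subject_match:
        verdict = "quarantine"   # campaign subject but no live link: hold for review
    else:
        verdict = "allow"
    return {
        "verdict": verdict,
        "subject_match": subject_match,
        "findings": findings,
        # Hosts a gateway/firewall operator can add to the outbound block list.
        "block_hosts": sorted({h["host"] for h in findings if h["host"]}),
    }


# Constructed sample: lure subject plus a document-named .scr link.
SAMPLE_LURE = """\
From: sender@example.test
To: recipient@example.test
Subject: Here you have
Content-Type: text/plain; charset=us-ascii

Please find the document here:
http://files.example.test/library/PDF_Document21_025542010_pdf.scr
"""

# Constructed sample: ordinary mail with a genuine PDF link.
SAMPLE_CLEAN = """\
From: colleague@example.test
To: recipient@example.test
Subject: Quarterly report
Content-Type: text/plain; charset=us-ascii

The report is at https://intranet.example.test/reports/q3_report.pdf.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_CLEAN):
        print(triage_message(sample))
```

The verdict dictionary is what a gateway hook would act on: `block` drops the message and feeds `block_hosts` to the outbound filter, `quarantine` holds mail that carries the campaign subject but no recognisable link (so a variant that changes the link form still gets a human look), and `allow` passes everything else.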

Sophos Profile: W32/Autorun-BHO

Barracuda Labs: “Here You Have” Teaches an Old Worm a New Trick

Trend Micro – Identified as WORM_MEYLME.B: Old Malware Out of Its Shell (Blog Post with Details)

• Removing W32/VBMania@mm

• Removing W32.Imsolk.B@mm

• Removing “here you have” virus
