“Here you have” Virus – Details and Removal Methods (W32/VBMania@mm / W32.Imsolk.B@mm)
Antivirus vendors and the US-CERT have issued alerts of a worm spreading through email with the subject “Here you have” and being identified as the W32/VBMania@mm or “VBMania” worm by McAfee, W32.Imsolk.B@mm by Symantec, or simply the “here you have” virus.
The virus has been spreading primarily via email, asking recipients to click on a link masked as a PDF file that actually links to malware being hosted on an external server. In a sample, an emailed contained a link to “PDF_Document21_025542010_pdf.scr’” which directed users to malware hosted on the domain “members.multimania.co.uk.”
The virus had been spreading rapidly but researchers are saying that volume has dropped significantly once the site hosting the malware was shut down.
When a user clicks on the link, their computer instantly downloads and launches the malware. It then copies itself into the Windows directory using the name CSRSS.EXE, an identical file name to a legitimate Windows file, according to McAfee researchers.
Symantec warned that the worm also attempts to spread from computer to computer over local networks (other computers on a home or office network) by copying itself to shared drives on the network. Once the threat copies itself to another machine, if a user opens the folder that contains the threat, it will launch and start a whole new cycle.
Related Story: Iraqi Resistance Group Claiming Responsibility for ‘Here You Have’ Virus May be Based in Spain
Symantec suggests that IT managers disable network sharing and/or disconnect infected computers from the local network and Internet and block outbound traffic to the domains/ IP addresses contained in the malicious e-mail to prevent users connecting to distribution sites to download.
Symantec also noted that due to the large volume of messages being generated by the worm, some e-mail servers have getting “clogged” with some being brought down completely.
Responses and Details from Symantec and McAfee
Symantec’s Response: Identified as W32.Imsolk.B@mm worm, a minor variation of W32.Imsolk.A@mm
Risk Level 3: Moderate
Symantec users will be protected from this threat under the name ‘Trojan Horse’, if virus definitions version 20100909.023 or later are applied. Additionally, products that support Download Insight functionality will trigger on the attempted download. A forthcoming update will identify the malware under a more appropriate W32.Imsolk.B@mm detection name.
Symantec’s W32.Imsolk.B@mm Removal Instructions
McAfee’s Response and Notes Identified as W32/VBMania@mm or “VBMania” worm
McAfee Corporate KnowledgeBase and Response to W32/VBMania@mm
McAfee Labs Blog on “Here You Have” Virus
DAT Updates – 6101 DAT Release
For systems that are already infected: McAfee has released a new version of their Stinger utility to detect and remove this threat. Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but a tool to assist administrators and users when dealing with an infected system.
For more information about Stinger, see: http://vil.nai.com/vil/stinger/
Stinger can be downloaded DIRECTLY from the following URL: http://vil.nai.com/vil/vbm/stinger.exe
For McAfee Customers – McAfee TrustedSource is actively protecting against this threat. Customers with McAfee TrustedSource Email Reputation will have the emails blocked. Customers with McAfee TrustedSource Web Reputation will have the URL blocked from click-through. McAfee Artemis provides protection as well.
Static URLs in the email link to a .SCR file. McAfee recommends that customers filter for the URL on gateway and email servers, and block the creation of .SCR files on endpoint systems.
Sophos Profile – W32/Autorun-BHO
Barracuda Labs – “Here You Have” Teaches an Old Worm a New Trick
Trend Micro – Identified as WORM_MEYLME.B Old Malware Out of Its Shell (Blog Post with Details)
• Removing W32/VBMania@mm
• Removing W32.Imsolk.B@mm
• Removing “here you have” virus