“Here you have” Virus – Details and Removal Methods (W32/[email protected] / [email protected])

Antivirus vendors and the US-CERT have issued alerts of a worm spreading through email with the subject "Here you have" and being identified as the W32/[email protected] or “VBMania” worm by McAfee, [email protected] by Symantec, or simply the “here you have” virus.

The virus has been spreading primarily via email, asking recipients to click on a link masked as a PDF file that actually links to malware being hosted on an external server. In a sample, an emailed contained a link to “PDF_Document21_025542010_pdf.scr’” which directed users to malware hosted on the domain “members.multimania.co.uk.”

The virus had been spreading rapidly but researchers are saying that volume has dropped significantly once the site hosting the malware was shut down.

When a user clicks on the link, their computer instantly downloads and launches the malware. It then copies itself into the Windows directory using the name CSRSS.EXE, an identical file name to a legitimate Windows file, according to McAfee researchers.

Symantec warned that the worm also attempts to spread from computer to computer over local networks (other computers on a home or office network) by copying itself to shared drives on the network. Once the threat copies itself to another machine, if a user opens the folder that contains the threat, it will launch and start a whole new cycle.

Related Story: Iraqi Resistance Group Claiming Responsibility for 'Here You Have' Virus May be Based in Spain

Symantec suggests that IT managers disable network sharing and/or disconnect infected computers from the local network and Internet and block outbound traffic to the domains/ IP addresses contained in the malicious e-mail to prevent users connecting to distribution sites to download.

Symantec also noted that due to the large volume of messages being generated by the worm, some e-mail servers have getting "clogged" with some being brought down completely.

Responses and Details from Symantec and McAfee

Symantec’s Response: Identified as [email protected] worm, a minor variation of [email protected]

Risk Level 3: Moderate

Symantec users will be protected from this threat under the name ‘Trojan Horse’, if virus definitions version 20100909.023 or later are applied. Additionally, products that support Download Insight functionality will trigger on the attempted download. A forthcoming update will identify the malware under a more appropriate [email protected] detection name.

Symantec's [email protected] Removal Instructions

McAfee’s Response and Notes Identified as W32/[email protected] or “VBMania” worm

McAfee Corporate KnowledgeBase and Response to W32/[email protected]

McAfee Labs Blog on "Here You Have" Virus

DAT Updates - 6101 DAT Release

For systems that are already infected: McAfee has released a new version of their Stinger utility to detect and remove this threat. Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but a tool to assist administrators and users when dealing with an infected system.

For more information about Stinger, see: http://vil.nai.com/vil/stinger/

Stinger can be downloaded DIRECTLY from the following URL: http://vil.nai.com/vil/vbm/stinger.exe

For McAfee Customers - McAfee TrustedSource is actively protecting against this threat. Customers with McAfee TrustedSource Email Reputation will have the emails blocked. Customers with McAfee TrustedSource Web Reputation will have the URL blocked from click-through. McAfee Artemis provides protection as well.

Static URLs in the email link to a .SCR file. McAfee recommends that customers filter for the URL on gateway and email servers, and block the creation of .SCR files on endpoint systems.

Sophos Profile - W32/Autorun-BHO

Barracuda Labs - "Here You Have" Teaches an Old Worm a New Trick

Trend Micro - Identified as WORM_MEYLME.B Old Malware Out of Its Shell (Blog Post with Details)

• Removing W32/[email protected]

• Removing [email protected]

• Removing “here you have” virus

Subscribe to SecurityWeek for Threat Updates

SecurityWeek RSS Feed