NEWS FROM THE LAB - Friday, September 10, 2010

Here You Have... Has Come and Gone
Posted by Sean @ 12:54 GMT

We've received some media inquiries about an e-mail worm that's being called "Here you have".

The name is based on the subject lines used by the worm. It isn't anything very special, just your run-of-the-mill worm that requires its recipients to click on included links. The links supposedly open either documents or videos, but each one really points to a disguised executable with a name such as PDF_Document21_025542010_pdf.scr.

Screen saver (.scr) files have long been blocked as attachments, which is why this worm uses links. Our antivirus already detected this threat before it was used by this particular "Here you have" run of e-mails. We detect it as Gen:Trojan.Heur.rm0@fnBStPoi.
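A mail-filter check for the disguise described above, as an added example that is not F-Secure's code: it flags links in an HTML body whose target is an executable such as .scr while the link text or file name suggests a document. The extension lists, function names and sample body are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Illustrative subsets chosen for this example, not an exhaustive policy.
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd"}
DECOY_TYPES = {"pdf", "doc", "xls", "avi", "wmv", "mpg"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        self._text.append(data)  # buffer is reset at every <a>
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extension(value):
    """Lower-cased extension of a URL path or bare text, '' if none."""
    path = urlsplit(value).path if "://" in value else value
    match = re.search(r"\.([a-z0-9]{2,4})$", unquote(path).strip().lower())
    return match.group(1) if match else ""

def suspicious_links(html_body):
    """Yield (href, reason) for every link whose target is an executable."""
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        ext = extension(href)
        if ext not in EXECUTABLE_EXTS:
            continue
        name = unquote(urlsplit(href).path).lower().rsplit("/", 1)[-1]
        reason = "direct link to .%s file" % ext
        if extension(text) in DECOY_TYPES:
            reason = "text shows .%s, target is .%s" % (extension(text), ext)
        elif DECOY_TYPES & set(re.split(r"[^a-z0-9]+", name[:-len(ext)])):
            reason = "document-like file name ending in .%s" % ext
        yield href, reason

# Constructed sample body; the host names are placeholders.
SAMPLE_BODY = (
    '<a href="http://dl.example/PDF_Document21_025542010_pdf.scr">'
    'PDF_Document21_025542010.pdf</a> <a href="http://dl.example/r.pdf">report</a>')
```

Because the check works on the link target rather than on attachments, it applies equally to inbound, outbound and internal mail flows.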

The files to which the links attempted to connect were taken offline rather quickly, so it was not widespread in Europe, where it was too early in the morning to snare anybody.

In the USA, several big companies noticed the worm moving through their systems.

The links reportedly did not spread much from "Company A" to "Company B" as e-mail filtering systems caught the inbound/outbound threat. But within organizations, if the executable was downloaded and run, the worm attempted to steal browser passwords, and then to spread via contacts. Internal e-mail filtering is not as common and there is also a network share component used by the worm, so within some companies, its spread was highly noticeable.

E-mail worms have not been "fashionable" for some time now as antivirus vendors are quick to detect and block them and antispam technologies are quite effective at filtering them. But just because a threat isn't fashionable doesn't mean that best practices shouldn't be followed.

Don't readily click on links that arrive via e-mail, even if they are sent by people that you ordinarily trust.