'Here You Have' Email

Published: 2010-09-09
Last Updated: 2010-09-09 21:49:06 UTC
by Marcus Sachs (Version: 2)
7 comment(s)

We are aware of the "Here you have" malware that is spreading via email.  As we find out more, we'll update this diary.

Update: 2010-09-09 21:28 UTC (JAC) There are several good writeups on the behavior of this malware see some of the references below.  The spam contains a link to a document, the link looks like it is to a PDF, but is, in fact, to a .SCR file and served from a different domain from what the link appears to point to.  The original file seems to have been removed, so further infections from the initial variant should not occur, but new variants may well follow.  The .SCR when executed downloads a number of additional tools, one of which appears to attempt to check in with a potential controller.  The name associated the controller has been sink-holed.  The malware attempts to deactivate most anti-virus packages and uses the infected user's Outlook to send out its spam.

References:
http://www.virustotal.com/file-scan/report.html?id=fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7-1284058335#
http://www.threatexpert.com/report.aspx?md5=2bde56d8fb2df4438192fb46cd0cc9c9
http://www.threatexpert.com/report.aspx?md5=bd9208edf44d0ee32b974a2d9da7bc61
http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/

 

---------------
Marcus H. Sachs
Director, SANS Internet Storm Center

Jim Clausing
FOR408 coming to central OH in Sept, see http://www.sans.org/mentor/details.php?nid=22353

 

 

Keywords: email malware virus
7 comment(s)
Opera 10.62 - security (the DLL path issue) and stability upate see http://www.opera.com/docs/changelogs/windows/1062/

Comments

cwqwqwq

www

Nov 17th 2022
6 months ago

eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>

EEW

Nov 17th 2022
6 months ago

WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]

qwq

Nov 17th 2022
6 months ago

dwqqqwqwq mashood

mashood

Nov 17th 2022
6 months ago

[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)

isc.sans.edu

Nov 23rd 2022
6 months ago

[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]

isc.sans.edu

Nov 23rd 2022
6 months ago

What's this all about ..?

isc.sans.edu

Dec 3rd 2022
6 months ago

password reveal .

isc.sans.edu

Dec 3rd 2022
6 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

isc.sans.edu

Dec 26th 2022
5 months ago

https://thehomestore.com.pk/

isc.sans.edu

Dec 26th 2022
5 months ago

Login here to join the discussion.


Diary Archives