Last Updated: 2010-09-09 21:49:06 UTC
by Marcus Sachs (Version: 2)
We are aware of the "Here you have" malware that is spreading via email. As we find out more, we'll update this diary.
Update: 2010-09-09 21:28 UTC (JAC) There are several good writeups on the behavior of this malware see some of the references below. The spam contains a link to a document, the link looks like it is to a PDF, but is, in fact, to a .SCR file and served from a different domain from what the link appears to point to. The original file seems to have been removed, so further infections from the initial variant should not occur, but new variants may well follow. The .SCR when executed downloads a number of additional tools, one of which appears to attempt to check in with a potential controller. The name associated the controller has been sink-holed. The malware attempts to deactivate most anti-virus packages and uses the infected user's Outlook to send out its spam.
Marcus H. Sachs
Director, SANS Internet Storm Center
FOR408 coming to central OH in Sept, see http://www.sans.org/mentor/details.php?nid=22353