– Latest updates moved to the bottom –
McAfee Labs is currently investigating a new threat commonly referred to as the “Here you have” virus due to the email subject line the worm uses during propagation. It looks like multiple variants may be spreading, and it may take some time to work through them all to paint a clearer picture. Here’s what we know thus far.
Infectious email messages may have the following properties:
This is The Document I told you about,you can find it Here.
Please check it and reply as soon as possible.
This is The Free Dowload Sex Movies,you can find it Here.
Enjoy Your Time.
Here is some additional information on the threat behavior:
Generic.dx!tsp!2BDE56D8FB2D – http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=275352
W32/VBMania@MM – http://vil.nai.com/vil/content/v_275435.htm
When a user chooses to manually follow the hyperlink, they will be prompted to download or execute the virus. When run, the virus installs itself to the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE file within the Windows System directory). Once the machine is infected, the worm attempts to send the aforementioned message to recipients in the email address book. It can also spread through accessible remote machines, mapped drives, and removable media via Autorun replication.
Accessible remote machines
The virus may be found at the following locations:
Mapped drives and removable media
Other drives may contain an Autorun.inf file pointing to the created open.exe copy of the worm.
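A triage sketch for the two file-system indicators described above: a CSRSS.EXE sitting in the Windows directory instead of the Windows System directory, and an Autorun.inf that points at open.exe. This is an added example, not McAfee code; the function names, the `C:\Windows` default, the sample paths and the sample Autorun.inf contents are assumptions constructed for illustration.

```python
import ntpath

# autorun.inf keys that launch a program when the drive is opened.
LAUNCH_KEYS = {"open", "shellexecute", r"shell\open\command"}

def misplaced_csrss(paths, windir=r"C:\Windows"):
    """Return csrss.exe paths that are not in the Windows System directory."""
    legit = ntpath.join(windir, "System32").lower()
    hits = []
    for path in paths:
        folder, name = ntpath.split(ntpath.normpath(path))
        if name.lower() == "csrss.exe" and folder.lower() != legit:
            hits.append(path)
    return hits

def _command_target(value):
    """Extract the program from an autorun command value (quoted or bare)."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""

def autorun_launches(text):
    """Return (key, program) pairs from [autorun], tolerating junk lines."""
    found, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in LAUNCH_KEYS:
                found.append((key.lower(), _command_target(value)))
    return found

def references_open_exe(text):
    """True when autorun.inf launches a file named open.exe."""
    return any(ntpath.basename(prog).lower() == "open.exe"
               for _, prog in autorun_launches(text))

# Constructed sample input, not taken from a real infected host.
SAMPLE_PATHS = [
    r"C:\Windows\System32\csrss.exe",
    r"C:\WINDOWS\csrss.exe",
    r"E:\open.exe",
]
SAMPLE_AUTORUN = "[AutoRun]\n;junk\nicon=folder.ico\nOPEN=open.exe\n"

if __name__ == "__main__":
    print(misplaced_csrss(SAMPLE_PATHS))
    print(autorun_launches(SAMPLE_AUTORUN), references_open_exe(SAMPLE_AUTORUN))
```

Feed `misplaced_csrss` a file listing gathered from the host and `autorun_launches` the text of each Autorun.inf found on mapped or removable drives; unquoted program paths containing spaces are not handled.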
The virus attempts to stop and delete security services
The virus attempts to download several files, such as:
These files were not available at the time of this writing, but files with these names include UPX-packed password recovery tools (ChromePass, OperaPassview), a UPX-packed Sysinternals tool (PSExec), and a malicious HOSTS file.
Additional information is provided in the VIL: W32/VBMania@MM – http://vil.nai.com/vil/content/v_275435.htm
(coverage information moved to the bullets at the bottom)
McAfee Global Threat Intelligence File Reputation (aka Artemis / Network Security Heuristic) has coverage for at least the main variant at the Very Low sensitivity level or higher.
Emergency McAfee DAT files have been released (6101). An Extra.dat file is available for this threat and may be downloaded here: https://www.webimmune.net/extra/getextra.aspx
The McAfee Beta DAT files have been updated: http://vil.nai.com/vil/virus-4d.aspx
The McAfee Stinger stand-alone tool has been released for W32/VBMania@MM to detect and repair this threat: http://vil.nai.com/vil/vbm/stinger.exe
A related Corporate KnowledgeBase article has been written: How to block mass emails containing a link to a virus infected .SCR file
– Updated Sep 15 –
The aforementioned email propagation information was associated with one variant. Many truncated and corrupted instances of the virus associated with that variant were identified. Other variants that did not contain the same email propagation information have also been identified. Reports of those variants are considerably fewer.
McAfee product coverage is as follows: