Widespread Reporting of "Here you have" Virus (aka W32/VBMania@MM)

– Latest updates moved to the bottom  –
McAfee Labs is currently investigating a new threat commonly referred to as the “Here you have” virus due to the email subject line the worm uses during propagation.  It looks like multiple variants may be spreading and may take some time to work through them all to paint a clearer picture.  Here’s what we know thus far.

Infectious email messages may have the following properties:

---

Subject: Here you have or Just For you
Body:

Hello:

This is The Document I told you about,you can find it Here.
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,

or

Hello:

This is The Free Dowload Sex Movies,you can find it Here.
http://www.sharemovies.com/library/SEX21.025542010.wmv  

Enjoy Your Time.

Cheers,

---

The URL does not actually lead to a PDF document, but rather an executable in disguise, such as PDF_Document21_025542010_pdf.scr served from a different domain, such as members.multimania.co.uk this URL is no longer active and the email propagation vector is believed to be crippled at this time (though already infected hosts may continue to spread email messages).

Here is some additional information on the threat behavior:
Generic.dx!tsp!2BDE56D8FB2D – http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=275352
W32/VBMania@MM – http://vil.nai.com/vil/content/v_275435.htm

When a user chooses to manually follow the hyperlink, they will be prompted to download or execute the virus.  When run, the virus installs itself to the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE file within the Windows System directory).  Once infected the worm attempts to send the aforementioned message to email address book recipients.  It can also spread through accessible remote machines, mapped drives, and removable media via Autorun replication.

Accessible remote machines
The virus may be found at the following locations:

• c:\N73.Image12.03.2009.JPG.scr
• d:\N73.Image12.03.2009.JPG.scr
• E:\N73.Image12.03.2009.JPG.scr
• F:\N73.Image12.03.2009.JPG.scr
• G:\N73.Image12.03.2009.JPG.scr
• H:\N73.Image12.03.2009.JPG.scr
• New Folder\N73.Image12.03.2009.JPG.scr
• music\N73.Image12.03.2009.JPG.scr
• print\N73.Image12.03.2009.JPG.scr

Mapped drives and removable media
Other drives may contain an Autorun.inf file pointing to the created open.exe copy of the worm.

The virus attempts to stop and delete security services

• 0053591272669638mcinstcleanup
• AntiVirFirewallService
• AntiVirMailGuard
• AntiVirSchedulerService
• AntiVirService
• Arrakis3
• aswUpdSv
• Avast! Antivirus
• avast! Mail Scanner
• avast! Web Scanner
• AVG Security Toolbar Service
• avg9wd
• Avgfws9
• AVGIDSAgent
• AVP
• Gwmsrv
• LIVESRV
• Mc0DS
• Mc0obeSv
• McAfee SiteAdvisor Service
• McMPFSvc
• mcmscsvc
• McNASvc
• McProxy
• McShield
• mfefire
• mfevtp
• MSK80Service
• NIS
• Panda Software Controller
• PAVFNSVR
• PavPrSrv
• PAVSRV
• prlo
• PSHost
• PSIMSVC
• PskSvcRetail
• scan
• sdAuxService
• sdCoreService
• SfCtlCom
• TMBMServer
• TmProxy
• TPSrv
• VSSERV

The virus attempts to download several files, such as:

• ff.iq
• gc.iq
• ie.iq
• im.iq
• m.iq
• op.iq
• pspv.iq
• rd.iq
• w.iq
• SendEmail.iq
• hst.iq
• tryme.iq

These files were not available at the time of this writing, but files with these names include UPX packed password recovery tools (ChromePass, OperaPassview) and a UPX packed Sysinternals tool (PSExec) and a malicious HOSTS file.

Additional information is provided in the VIL: W32/VBMania@MM – http://vil.nai.com/vil/content/v_275435.htm

(coverage information moved to the bullets at the bottom)

McAfee Global Threat Intelligence File Reputation (aka Artemis / Network Security Heuristic) has coverage for at least the main variant at the Very Low sensitivity level or higher.

Emergency McAfee DAT files will be released later today have been released (6101).  An Extra.dat file is available for this threat and may be downloaded here: https://www.webimmune.net/extra/getextra.aspx

The McAfee Beta DAT files have been updated: http://vil.nai.com/vil/virus-4d.aspx

The McAfee Stinger stand-alone tool has been released for W32/VBMania@MM to detect and repair this threat: http://vil.nai.com/vil/vbm/stinger.exe

A related Corporate KnowledgeBase article has been written: How to block mass emails containing a link to a virus infected .SCR file

– Updated Sep 15  –
The aforementioned email propagation information was associated with one variant.  Many truncated and corrupted instances of the viruses were identified that are associated with the variant.  Other variants that did not contain the same email propagation information have been identified.  Reports of those variants are considerably less.

McAfee product coverage is as follows:

• DAT FILES  Coverage is provided as “W32/VBMania@MM” in the 6101 DATs, released September 9. The McAfee Labs Stinger has also been updated to include coverage for this threat.
• VULNERABILITY MANAGER: The MVM/FSL release of September 9 includes a check to assess if your systems show signs of infection.
• WEB GATEWAY  Coverage will be provided in the current Gateway Anti-Malware Database Update.
• REMEDIATION MANAGER  Remediation Manager will run the McAfee Labs Stinger tool to scan hosts for possible infections.
• FIREWALL ENTERPRISE  McAfee’s Global Threat Intelligence blocks this attack across multiple threat vectors using TrustedSource reputation, including the email message that delivers the link, the URLs associated with the malware, and the reputation of the malware file itself. This coverage extends to McAfee Email Gateway, Email and Web Security appliance, SaaS Email and Web Security Email Protection Service, McAfee Web Gateway, McAfee Firewall Enterprise, and a variety of other TrustedSource-enabled products.
• MCAFEE NETWORK SECURITY PLATFORM  Versions with Artemis enabled will detect/block malware file transfers when downloaded over HTTP, without the need of signature updates. The UDS release of September 11 contains the signature “UDS-WORM: W32 VBMania@MM,” which provides additional coverage on the email messages containing malicious links.