“Here you Have” mass e-mail worm hits in-boxes

A new mass-mailing worm with the subject line "Here you Have" and "Just For you" is hitting thousands of in-boxes around the world.

A new mass-mailing worm with the subject line "Here you Have" and "Just For you" is hitting thousands of in-boxes...

around the world.

The emails contain a link that appears to lead to a PDF file, but instead directs victims to a malicious .SCR executable file served from a different domain said Craig Schmugar, threat researcher at McAfee Avert Labs, said in a blog post.

Clicking on the link launches the worm, which attempts to disable security software and send copies of itself to all the e-mail contacts of the victim, causing an e-mail storm.

The worm has hit several high profile organisations, such as NASA, clogging up their e-mail systems, according to US reports.

Employees have been advised not to click on the link contained in the e-mails and reminded of best security practices, such as not clicking on untrustworthy links.

McAfee said company IT administrators should filter out all e-mails containing links to .SCR files.

The security firm has released a tool to detect the threat and guidance on how to block mass e-mails containing a link to a virus infected .SCR file

The link included in the e-mails studied by McAfee is no longer live, but researchers said that multiple variants may be spreading.

Machines that are already infected may still attempt to propagate through e-mail and available network shares and removable media, they said.

The attack was able to bypass many security systems that block e-mails with executable files attached because it simply contains a link to a site hosting the worm.

The hosting site is a legitimate web host in the UK, which meant the entire web site could not be blocked, security experts said.



Enjoy the benefits of CW+ membership, learn more and join.

Read more



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: