A mass mailer worm that struck NASA, Walt Disney Co. and other organizations is a throwback to the days of old, security researchers said. Here is what you need to know about it.
A mass-mailer worm flooded inboxes at a number of high-profile organizations
Dubbed "Here you have" because of its e-mail subject line, the
worm struck organizations such as NASA and the Walt Disney Co. In some ways,
the worm is a throwback
such as the Anna Kournikova virus, which security researchers at
Symantec noted actually had the same subject line when it appeared in 2001.
"This used to be a massive problem when e-mail worms were at their peak,
and this re-emergence shows that you can never assume old tried and true
methods won't be used again," said Bradley Anstis, vice president of
technology strategy at M86 Security.
The body of the e-mail sometimes contained the message "This is The
Document I told you about, you can find it Here," followed by a malicious
link that appears to be a PDF document but is actually a .SCR
file. The e-mail then instructs the recipient to "please check
it and reply as soon as possible." Other versions of the worm have
the subject "Just For you" and "This is The Free Dowload [sic]
Sex Movies,you can find it Here" in the body.
According to a report
by ABC News
, the worm wiggled its way into a number of organizations,
including the Florida Department of Transportation and Wells Fargo. Once on a
PC, the malware attempts to disable security software and propagate, blasting
itself out to e-mail contacts in the victim's address book. As a result, an
organization's e-mail infrastructure can be overloaded, researchers at McAfee
"Most e-mail systems will block e-mails with executable files and
scripts attached to them by default," Sam Masiello, director of messaging
security research at McAfee, told eWEEK. "This attack went around such
defenses by instead containing a link to a Website which was hosting the
malicious screen saver file. The Website that was hosting the malicious
file is a legitimate Web host in the UK
that is owned by Lycos, so the entire Website could not be blocked proactively."
In addition to e-mail, the worm attempts to spread through mapped drives,
accessible remote machines and removable media with AutoRun enabled, Masiello
"The addresses that the worm will attempt to replicate through via e-mail
are being harvested from the infected user's address book," he said. "Although
we aren't sure exactly how many messages have been sent out from infected
machines, we do believe at this time that the e-mail propagation vector has
been crippled because the site that was hosting the malicious file has been
removed. It is very possible that new variants may emerge, so we can't
consider ourselves to be out of the woods. Machines that are already
infected may still attempt to propagate through e-mail and available network
shares and removable media."
It is very difficult for users to work out what is dangerous and what is
not, and the bulk of spam should be stopped at the e-mail gateway, Anstis said.
"Why does the average user need to get file types other than the
typical document types ... this recent case uses a .SCR
file. E-mail administrators should be limiting file type distribution as much
as possible," he said.
Security pros advised users to be wary of unsolicited e-mails with
"Mass-mailers went out of style simply because this MO [modus
operandi] would not work for cyber-criminals, especially if they want to
remain hidden below the radar when they are conducting their nefarious
activities like information-stealing or spamming campaigns," said Ivan
Macalintal, senior threats researcher with Trend Micro. "Mass-mailers
create noise, and their malicious creations will soon be found out with [antivirus]
and other security products being able to have coverage ASAP.
"If the authors of this attack found this
method beneficial for them, they may opt to do this again," he
added. "If they have been nipped in the bud, they will regroup and find