Primitive 'Here you have' e-mail worm spreading fast

Anti-malware companies are tracking a new "download-and-run" e-mail worm squirming through inboxes around the world.

Anti-malware companies are tracking a new "download-and-run" e-mail worm squirming through inboxes around the world.

The worm, which uses the subject line "here you have" and random text like "This is The Free Dowload Sex Movies,you can find it Here," includes a link to what purports to be a PDF document but is instead an executable file hosted on a Web site.

If a user clicks on the link and runs the file, the machine gets infected and continues the propagation routine.

McAfee explains:

follow Ryan Naraine on twitter

When run, the virus installs itself to the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE file within the Windows System directory).   Once infected the worm attempts to send the aforementioned message to email address book recipients.  It can also spread through accessible remote machines, mapped drives, and removable media via Autorun replication.

"In spite of this primitive propagation routine, the worm is pretty active, and currently sending out significant amounts of mail," says Alexander Gostev, a security researcher at Kaspersky Lab (see disclosure).

UPDATE: I've confirmed that the website hosting all the malicious worm files has been deleted, meaning the worm has effectively been killed.  Keep in mind, however, that an infected computer will continue to spew e-mails until it is cleaned.

My colleagues have found evidence of this worm squirming since early August.  Here is a Microsoft malware alert dating back to August 4, 2010.  This Symantec virus description also shows the e-mail threat was in circulation last month.

* Image via Securelist.com.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All