Zero Day

Primitive 'Here you have' e-mail worm spreading fast

By Ryan Naraine and Dancho Danchev | September 10, 2010, 8:21am PDT

Summary: Anti-malware companies are tracking a new “download-and-run” e-mail worm squirming through inboxes around the world.

The worm, which uses the subject line “here you have” and random text like “This is The Free Dowload Sex Movies,you can find it Here,” includes a link to what purports to be a PDF document but is instead an executable file hosted on a Web site.

If a user clicks on the link and runs the file, the machine gets infected and continues the propagation routine.

McAfee explains:

When run, the virus installs itself to the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE file within the Windows System directory). Once infected the worm attempts to send the aforementioned message to email address book recipients. It can also spread through accessible remote machines, mapped drives, and removable media via Autorun replication.
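
The McAfee description above gives a defender three concrete things to look for: a CSRSS.EXE copy in the Windows directory rather than in System32, autorun.inf on removable media, and a "here you have" message whose supposed PDF link delivers an executable. The script below is an added example written for this page, not code from ZDNet, McAfee or Kaspersky; every file path, mail sample, URL (example.invalid) and byte string in it is constructed, and the checks are heuristics built only from the behaviour the article reports.

```python
"""
Added example (not from the ZDNet post, McAfee or Kaspersky): triage checks
derived from the behaviour the article describes for the "here you have" worm.
  1. csrss.exe anywhere other than <drive>:/Windows/System32 (the worm's copy
     sits one level up, in the Windows directory itself).
  2. autorun.inf in the root of a removable volume (the replication hook).
  3. A mail with subject "here you have" whose "PDF" link points at, or
     serves, a Windows executable.
All inventory entries, mail samples and byte strings are constructed.
"""
import os
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional
from urllib.parse import urlparse

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def suspicious_csrss(path: str) -> bool:
    """True for any csrss.exe whose parent directories are not Windows/System32."""
    p = PureWindowsPath(path)
    if p.name.lower() != "csrss.exe":
        return False
    dirs = [part.lower() for part in p.parts[1:-1]]  # directories, drive anchor dropped
    return dirs != ["windows", "system32"]


def autorun_on_removable(path: str, removable: bool) -> bool:
    """autorun.inf in the root of a removable volume is how the worm rides USB media."""
    p = PureWindowsPath(path)
    return removable and p.name.lower() == "autorun.inf" and len(p.parts) == 2


def scan_inventory(inventory) -> List[str]:
    """Run both host checks over (path, is_removable) pairs; return the flagged paths."""
    return [path for path, removable in inventory
            if suspicious_csrss(path) or autorun_on_removable(path, removable)]


@dataclass
class Link:
    text: str   # what the recipient sees
    url: str    # where the link actually goes


@dataclass
class Mail:
    subject: str
    links: List[Link] = field(default_factory=list)


def is_pe(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header; a real PDF starts with '%PDF-'."""
    return data[:2] == b"MZ"


def lure_reasons(mail: Mail, fetched: Optional[Dict[str, bytes]] = None) -> List[str]:
    """Return why a message matches the article's lure pattern (empty list = no match).

    `fetched` optionally maps a URL to the first bytes served from it, so the
    "purports to be a PDF but is an executable" case is caught even when the
    URL itself ends in .pdf.
    """
    reasons = []
    if mail.subject.strip().lower() == "here you have":
        reasons.append("subject is the worm's lure line")
    for link in mail.links:
        claims_pdf = "pdf" in link.text.lower()
        ext = os.path.splitext(urlparse(link.url).path.lower())[1]
        if claims_pdf and ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"link labelled PDF points at an executable: {link.url}")
        if claims_pdf and fetched and link.url in fetched and is_pe(fetched[link.url]):
            reasons.append(f"link labelled PDF serves a PE file: {link.url}")
    return reasons


# Constructed sample data for a stand-alone run.
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\csrss.exe", False),  # legitimate Client/Server Runtime
    (r"C:\Windows\CSRSS.EXE", False),           # the worm's install location
    (r"E:\autorun.inf", True),                  # replication hook on a USB stick
    (r"C:\Users\alice\notes.txt", False),
]
SAMPLE_MAIL = Mail(
    subject="here you have",
    links=[Link(text="see the document (PDF)", url="http://example.invalid/document.pdf.scr")],
)
SAMPLE_FETCHED = {"http://example.invalid/document.pdf.scr": b"MZ\x90\x00" + b"\x00" * 60}

if __name__ == "__main__":
    for hit in scan_inventory(SAMPLE_INVENTORY):
        print("host indicator:", hit)
    for reason in lure_reasons(SAMPLE_MAIL, SAMPLE_FETCHED):
        print("mail indicator:", reason)
```

The path check deliberately compares parent directories rather than the full string, so a copy on a mapped drive or removable volume is caught as well as the one in the Windows directory; the mail check is a heuristic and should feed a review queue, not a block list, since legitimate mail can mention PDFs.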

“In spite of this primitive propagation routine, the worm is pretty active, and currently sending out significant amounts of mail,” says Alexander Gostev, a security researcher at Kaspersky Lab (see disclosure).

UPDATE: I’ve confirmed that the website hosting all the malicious worm files has been deleted, meaning the worm has effectively been killed.  Keep in mind, however, that an infected computer will continue to spew e-mails until it is cleaned.

My colleagues have found evidence of this worm squirming since early August.  Here is a Microsoft malware alert dating back to August 4, 2010.  This Symantec virus description also shows the e-mail threat was in circulation last month.

* Image via Securelist.com.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback (most recent of 91 Talkbacks)

  • Does this count? It is so hard to keep track of the shifting rules
    I know that when malware is released for OS X, it never counts for reasons that are typically made up within minutes of the malware being released. I'm pretty sure that one of the reasons that was made up is that malware doesn't count if the user has to download and run the malware, which the user has to do in this case. And if the user is running a Windows OS that was built within the last 4 years, they would even be prompted for privilege escalation (or the malware would fail to copy itself into the Windows System directory).

    So using Apple zealot logic, this one doesn't count. Or does it?

    Cue the double standards...
    NonZealot
    10th Sep 2010
  • No, the same rules don't apply to Windows...
    @NonZealot

    Because Microsoft never had cute commercials stating their O/S was safe from these things.
    SonofaSailor
    10th Sep 2010
  • RE: Primitive 'Here you have' e-mail worm spreading fast
    @SonofaSailor Thanks for sharing. I really appreciate it that you shared with us such an informative post.
    disturbforce
    16th Sep
  • oncall
    10th Sep 2010
  • RE: Primitive 'Here you have' e-mail worm spreading fast
    @oncall I'm the same way, I do my best to remain neutral. It's hard, if you communicate almeda university with the person the other person dislikes, then you fall out of favor with them! ashwood university I simply can't dislike a person, just because someone else does, I just can't.
    nestdrive
    17th Sep
  • RE: Primitive 'Here you have' e-mail worm spreading fast
    @oncall The difference between corllins university the right word and the almost right word is really high school diploma a large matter; it's the difference between a lightning bug and the lightning.
    nestdrive
    17th Sep
  • RE: Primitive 'Here you have' e-mail worm spreading fast
    @oncall I am looking forward for your next post, nation high school I will try to get the hang of it!
    nestdrive
    17th Sep
  • RE: Primitive 'Here you have' e-mail worm spreading fast
    @oncall it is probably a virus or worm and your system is not safe against these kinds of threats. Online University
    disturbforce
    28th Sep
  • if ...
    @NonZealot
    ... this file installs itself in the background without your knowledge or interaction, then it counts because then it is probably a virus or worm and your system is not safe against these kinds of threats.

    if you have to type in your password before it can be installed on your system, then you are working on a pretty safe system that protects you (up to a degree) from these kinds of threats.

    please do us a favor, try the link and report back. I did, nothing happened on my Mac running OS X 10.6.
    banned from zdnet
    10th Sep 2010
  • Then you just admitted that Windows is a pretty safe system
    @banned from zdnet
    if you have to type in your password before it can be installed on your system, then you are working on a pretty safe system that protects you (up to a degree) from these kinds of threats.

    I didn't think I'd see you admit that Windows was a pretty safe system but you just did. Thanks!
    NonZealot
    10th Sep 2010
  • "Windows is a pretty safe system"
    It's getting there. If it were there already, we wouldn't be responding to threads on this article because this article wouldn't have been written.
    jasonp@...
    10th Sep 2010
  • @jasonp: No system keeps you safe from trojans
    If it were there already, we wouldn't be responding to threads on this article because this article wouldn't have been written.

    There will always be malware as long as there are Personal Computers. Linux isn't immune, OS X isn't immune, Windows isn't immune. The only way these articles will go away is if we shift to Appliance Computers where the company behind the appliance vets 100% of the software that is able to be loaded on the device, like what Apple is trying to do with iOS devices. Of course, the existence of jailbreaks proves that Apple can't write a safe OS either but that is a topic for another day. :)
    NonZealot
    10th Sep 2010
  • There is no IF
    @banned from zdnet

    It's stated very clearly in the article. You have to download and run the application to get infected. It's not even right to call this a worm, as a worm can self-propagate. This doesn't. It simply tricks people into downloading and installing a virus. Although given the subject and the text there is no reason a modern-day user should have followed the link anyway.
    LiquidLearner
    10th Sep 2010
  • Good point. Looks like Win 7 is safe.
    @banned from zdnet
    If you have a common free AV installed and up to date.
    Cayble
    10th Sep 2010
  • Good thing Windows 7 is immune to all attacks.
    @NonZealot

    Queue the double standards.
    Bruizer
    10th Sep 2010
