Symantec finds new worm with ‘Here you have’ e-mails

Email with Subject Here You Have

A new malicious worm is being spread through e-mails with the subject line, “Here you have,” said security giant Symantec on its Security Response blog. The Security Response team is actively monitoring the threat.

The e-mail asks the recipient to click on a link embedded in the message. Disguised as a PDF file, this link points to a malicious program file online. When the user clicks on this link, the program file is downloaded and executed, installing the worm on the computer. The Security Response team identified the worm as W32.Imsolk.B@mm, and noted it may disable antivirus products, so the user remains unaware of the attack. W32.Imsolk.B@mm is also known as W32/Autorun-BHO by Sophos, W32/VBMania@MM by McAfee, and WORM_MEYLME.B by Trend Micro.

Once the computer is compromised, the worm attempts to send the original e-mail to all addresses found in the user’s addressbook, or to hop through the LAN infecting other computers by copying to open drive shares on the network. Merely opening the folder containing the worm executes it. E-mail servers are getting overwhelmed as the compromised machines automatically create and send a large volume of messages.

In addition to removable and mapped drives, the mass-mailing worm spreads through shared folders and instant messaging. If you suspect your computer has been infected, take it offline immediately and disconnect devices to prevent spreading the worm through the local network.

Just as an aside, even though the link appears to be a PDF file, this latest attack is not the zero-day exploit for Adobe Acrobat and Reader. This is pure social engineering, where the attack requires the user to click on a link in an e-mail. While not new, hackers continue to find it effective.