Worm With UK Link Brings Email Misery Back

A mass-mailer worm flooded inboxes at a number of high-profile organisations today. It struck havoc in the US yesterday and may be lurking in UK inboxes when the workforce logs-in today.

The worm, dubbed ‘Here you have’ because of its email subject line, contains what appears to be a link to an Adobe PDF file. In fact, the link takes the victim to a screensaver (.scr) file on a web page hosted on the members.multimania.co.uk domain. Users who agree to install the file are then infected by the worm which mails itself to the users’ email contacts.

Simply Not Tennis But Similar

The worm struck organisations such as NASA and the Walt Disney Company in the US. The good news for the UK is that the website has taken down the screensaver page but that does not mean a new hosting site will not emerge for a second round of attacks.

In some ways, the worm is a throwback to attacks, such as the Anna Kournikova virus which, security researchers at Symantec noted, actually had the same subject line when it appeared in 2001.

According to a report by ABC News in the US, the worm wriggled its way into a number of organisations, including NASA, the Walt Disney Corporation, Wells Fargo bank and the Florida Department of Transportation.

“This used to be a massive problem when email worms were at their peak and this re-emergence shows that you can never assume old tried and true methods won’t be used again,” said Bradley Anstis, vice president of technology strategy at M86 Security.

The body of the email in the current wave of attacks sometimes contained the message “This is The Document I told you about, you can find it Here” followed by a malicious link to the fake PDF file. The email then instructs the recipient to “please check it and reply as soon as possible.” Other versions of the worm have the subject “Just For you” and the incorrectly spelt “This is The Free Dowload Sex Movies,you can find it Here” in the body.

Email overload

Once on a PC, the malware attempts to disable security software before propagating and blasting itself out to the contacts in the victim’s address book. As a result, an organisation’s email infrastructure can be overloaded, researchers at McAfee warned.

“Most email systems will block emails with executable files and scripts attached to them by default,” Sam Masiello, director of messaging security research at McAfee, told eWEEK. “This attack went around such defences by instead containing a link to a website which was hosting the malicious screen saver file.”

In addition to email, the worm also attempts to spread through mapped drives, accessible remote machines and removable media with AutoRun enabled, Masiello added.

“The website that was hosting the malicious file is a legitimate web host in the UK that is owned by Lycos so the entire site could not be blocked proactively,” he explained.

The host site has acted promptly and responsibly to remove the malicious download.

New variants

“It is very possible that new variants may emerge so we can’t consider ourselves to be out of the woods. Machines that are already infected may still attempt to propagate through email and available network shares and removable media,” said Masiello

Anstis from M86 added that it is very difficult for users to work out what is dangerous and what is not so the bulk of spam should be stopped at the email gateway.

“Why does the average user need to get file types other than the typical document types… this recent case uses a .SCR file. Email administrators should be limiting file type distribution as much as possible,” he said.

Security professionals are advising users to be wary of unsolicited emails with suspicious links.

Ivan Macalintal, senior threats researcher with Trend Micro, said, “Mass-mailers went out of style simply because this MO [modus operandi] would not work for cybercriminals, especially if they want to remain hidden below the radar when they are conducting their nefarious activities like information-stealing or spamming campaigns.

“If the authors of this attack found this method beneficial for them, they may opt to do this again,” he added. “If they have been nipped in the bud, they will regroup and find other opportunities.”