New Email Worm Squirming Through Windows Users' Inboxes

Trailrunner7 writes "There appears to be an actual email worm in circulation right now, using the tried-and-true infection method of sending emails containing malicious executables to all of the names in a user's email address book. The worm arrives via emails with the subject line 'Here You Have' or something similar, and the messages contain a link to a site that will download a malicious file to the victim's PC. The malware then drops itself into the Windows directory with a file name of CSRSS.EXE, which is identical to a legitimate Windows file. From there, it's 2001 all over again, as the worm attempts to mail itself to all of the contacts in the victim's Outlook address book."
  • Got mimedefang? (Score:4, Interesting)

    by Shoeler ( 180797 ) * on Thursday September 09, 2010 @06:16PM (#33528134)
    People still allow .exe files through filters? Helllloooooo mimedefang...
  • Re:Got mimedefang? (Score:2, Interesting)

    by Technoodle ( 1384623 ) on Thursday September 09, 2010 @06:20PM (#33528176)
    I had a client that got a link to a .scr file. They thought it was suspicious but clicked it and ran it anyway. When will users ever learn?
  • Hit NASA today (Score:2, Interesting)

    by Anonymous Coward on Thursday September 09, 2010 @06:24PM (#33528232)

    It started working its way through NASA and contractor mail servers today. Lots of folks send mail to distribution lists and so those were getting lots of backwash from people replying to them, saying they didn't think the message was for them...

  • by Maxo-Texas ( 864189 ) on Thursday September 09, 2010 @06:29PM (#33528294)

    I was suspicious of any PDF today.

    Might not have clicked on it but I might have. You normally think of PDFs as safe.

  • Re:The hell? (Score:3, Interesting)

    by Abcd1234 ( 188840 ) on Thursday September 09, 2010 @06:33PM (#33528336) Homepage

    Okay, now try replacing, say /bin/sh, and tell me how that works out.

  • by ToSeek ( 529348 ) on Thursday September 09, 2010 @06:34PM (#33528344)
    Got sent to a maillist that covers just about everyone who works at a NASA center east of the Mississippi. Once you add up the virus-generated emails, the emails warning everyone it's a worm, and the emails complaining "for God's sake don't reply to everybody" (which replied to everybody), there were several score messages sent to thousands of users.
  • Re:Got mimedefang? (Score:5, Interesting)

    by __aaqvdr516 ( 975138 ) on Thursday September 09, 2010 @06:37PM (#33528368)

    I was called to a co-worker's office today. He told me that he received an email from someone in our company. He didn't remember the name of someone he had spoken with yesterday and assumed it was the person that he had talked to. He clicked the link and then witnessed the awesomeness that is this exact worm. I got to see the email. It had all the usual signs of being junk/scam/phishing/younameit. I then further continued to giggle as the company posted a warning on our main site page, having already shut down the mail server. By the time he had caught the worm in action it had operated for about 30 seconds and managed to get around 800 messages (and counting) in his outbox before he killed the process.

  • Re:Windows is super! (Score:5, Interesting)

    by Marauder2 ( 82448 ) on Thursday September 09, 2010 @06:44PM (#33528424)

    Before the collective wrath of Slashdot falls upon an innocent* cyber squatter, bear in mind that the URL listed in the text of the email wasn't actually the URL that the href linked to (text claimed to point to one spot, actual href tag pointed some place completely different). It didn't link to a PDF either but an executable with the .scr (Windows Screensaver) extension.

    *Presumed innocent in the context of this malware, not in the grander scheme of effing up the domain registry system for the rest of us...
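A defender-side check for the mismatch Marauder2 describes, as an added example that is not from the original thread: parse an HTML mail body, flag anchors whose visible text names a different host than the real href, and flag hrefs whose path ends in an executable extension such as .scr. The extension list, hostnames and sample body below are constructed for illustration.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows runs as native code when the download is opened (constructed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
URL_LIKE = re.compile(r"^(?:https?://|www\.)\S+$", re.I)

class LinkCollector(HTMLParser):  # collects (href, visible anchor text) pairs from a mail body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def shown_host(text):
    """Hostname the recipient sees in the anchor text, or None if it is not URL-like."""
    if not URL_LIKE.match(text):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname

def suspicious_links(html):
    """Return [(href, text, reasons)] for links a mail filter should flag."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons, target = [], urlparse(href)
        ext = os.path.splitext(target.path)[1].lower()
        if ext in EXECUTABLE_EXTS:
            reasons.append("target is an executable (%s)" % ext)
        seen = shown_host(text)
        if seen and seen != target.hostname:
            reasons.append("text shows %s but href goes to %s" % (seen, target.hostname))
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample: the visible text names a .pdf on one host, the real href a .scr on another.
SAMPLE_BODY = ('<p>Here you have the document I mentioned.</p><a href="http://lure.example.invalid/files/document.scr">'
               'http://files.example.org/files/document.pdf</a> <a href="https://example.org/about">About us</a>')
```

The benign "About us" link is left alone because its anchor text is not URL-like, so only links that actively misrepresent their destination or point at an executable are reported.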

  • Lulz @work today (Score:5, Interesting)

    by mrsam ( 12205 ) on Thursday September 09, 2010 @06:44PM (#33528426) Homepage

    Initially, got a few batches of these at $work$ today -- one of the remaining 800lb Wall Street gorillas. The mails originated from some senders @NYSE, and were sent to some internal mailing lists.

    It didn't take long before a bunch of our own drooling baboons clicked the link, causing more mails to go out to the internal lists. That went on for a few hours. Then came the inevitable "why are you sending this", "i must've gotten this by mistake", "take me off the list" replies from more internal senders, resent to the same internal lists. Then came the inevitable "this is a virus, do not reply to all" replies to all.

    I told my management that what they have in their inbox, basically, is a list of people to get the axe when the next round of layoffs comes around. Can't create a more accurate list of people who are truly the bottom of the barrel, and do not belong in an organization that's supposedly charged with billions of investors' and depositors' money.

    P.S. -- I also thought that this was the exploit for the 0-day PDF flaw too, given the .pdf extension. But if this was just an ordinary executable, that you actually had to click through an extra time to execute, then there's even less excuse for anyone with a brain to get infected with this.

  • Re:The hell? (Score:2, Interesting)

    by archmcd ( 1789532 ) on Thursday September 09, 2010 @06:48PM (#33528460)
    Well, in the case of Windows XP and common corporate practices, it's not unusual for an individual that would require administrative rights to log in with an account in the Administrators group on a regular basis, whether administrative tasks will be performed or not. I've worked for companies where 1 in 3 users have administrative rights on their workstation due to a "business need" which may have been a one-time task, but the escalated privileges remain indefinitely. 1 in 3 is an awful lot of people in a company with over 100,000 employees.
  • by Annorax ( 242484 ) on Thursday September 09, 2010 @07:04PM (#33528616) Homepage

    No, it's more of the fact that "a sucker is born every minute" or more along the lines of every millisecond.

    The college freshmen of today never experienced the "2001 all over again", so they are ripe for the pickings of email bombs that look "old hat" to old farts like us.

  • by IonOtter ( 629215 ) on Thursday September 09, 2010 @07:56PM (#33529162) Homepage

    I got one of these at work.

    The reason it didn't nail my machine is because...

    1. I have HTML disabled on Outlook
    2. I never click ANY links that go outside the company.

    I did a quick search on the URL, and it led me to Slashdot in the Google results. Yay Slashdot!!

    But here's the catch: someone INSIDE the company *did* get hit, and it spread from their address book to everyone else. That's the usual progression, of course, but the source and headers actually made me look twice.

    ALL of the headers, everything, came from inside the company firewall. I could see where it passed through at least 3 firewall systems to get to me.

    When I spoke to network security, they said they'd been fighting it since noon. The reason is that people are actually READING THE HEADERS and checking the user, and it's coming up legit!

    The folks on our end are actually doing due diligence, they're just not paranoid enough.

  • by don_carnage ( 145494 ) on Thursday September 09, 2010 @09:09PM (#33529616) Homepage
    We had to deal with this mess today, running around to PCs and flat-out shutting them off. One user that I came across clicked on the link because he "verified that it was from someone in the office." His Outlook outbox had over 34,000 emails ready to send. Quite a mess and we're still cleaning it up. I thought we had learned our lesson with the "I Love You" virus. What's worse is that the spam filter, IPS, Windows firewall, antivirus, and web proxy all failed to stop the attack.
  • by CAIMLAS ( 41445 ) on Thursday September 09, 2010 @10:39PM (#33530136)

    I'm not sure we're reading the same thing, here.

    What is it about UNIX design/philosophy, particularly as it is usually implemented, that prohibits a user from:

    1) clicking on a link in an email
    2) downloading a binary and/or script
    3) running said script/binary (granted, they'd have to chmod +x first, so there's at least a modicum of technical competency required before this would work)
    4) shitting more worms across the Internet as they spam everyone on their Thunderbird/Kmail/whatever address book via their upstream SMTP server

    Seriously. Does the iPhone actually do anything that (say) could not be done with Windows 7? No, not really.

  • by dbcad7 ( 771464 ) on Thursday September 09, 2010 @11:58PM (#33530524)
    Ok.. I have received an email with an executable file.. please list the steps necessary for me to run it.. I'll wait... ok.. Oh really ? it's that simple ?.. I can't imagine why these tricks don't work on Linux users.. sheesh, I'm scared now.
  • Re:Lulz @work today (Score:3, Interesting)

    by KevinIsOwn ( 618900 ) on Friday September 10, 2010 @05:32AM (#33531890) Homepage
    Looks like somebody is embarrassed that they clicked the link to the virus. No, those weren't pictures from the party. Sorry.

    But seriously, how is that a non-relevant criterion? Especially if you had somebody who has done it multiple times, that is a major risk to the company's network. Especially for a company with people's financial information, you can't have people downloading such ridiculous things.
