New Round of Email Worm, "Here you have"
Security Response has confirmed reports of a worm spreading through email under the subject "Here you have". The message claims to provide a document available through a URL. The URL is spoofed and actually points to a malicious binary hosted on a different server.
The email will appear similar to the following:
In this instance, the actual file downloaded would be named ‘PDF_Document21_025542010_pdf.scr’ and is hosted on the domain ‘members.multimania.co.uk’. This file is a minor variation of W32.Imsolk.A@mm. The main characteristics of the worm’s functionality are as follows:
· Spreads through mapped drives via autorun
· Spreads through email by taking contacts from the address book
· Spreads through instant messenger
· Disables various security-related programs
Symantec users will be protected from this threat under the name "Trojan Horse", if virus definitions version 20100909.023 or later are applied. Additionally, products that support Download Insight functionality will trigger on the attempted download.
Update: Symantec has added a detection for this threat as W32.Imsolk.B@mm and more detailed technical information can be found in the writeup.
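The spoofed link described above can be caught at a mail gateway by comparing each anchor's visible text with its real target. The following is an added example, not Symantec's detection logic: the function names, the sample HTML, the displayed example.com URL and the PLACEHOLDER path segment are all constructed for illustration; only the file name and hosting domain come from this post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions Windows runs directly; a .scr "screen saver" is a normal executable.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def shown_host(text):
    """Host the reader sees, if the link text itself looks like a URL."""
    t = text.lower()
    if t.startswith(("http://", "https://", "www.")):
        return urlsplit(t if "//" in t else "//" + t).hostname or ""
    return ""

def audit_links(html_body):
    """Return [(href, [reasons])] for links that match the lure pattern."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons = []
        shown = shown_host(text)
        if shown and shown != (urlsplit(href).hostname or ""):
            reasons.append("host-mismatch")       # text shows one host, href another
        if urlsplit(href).path.lower().endswith(EXECUTABLE_EXTS):
            reasons.append("executable-target")   # "document" is really a program
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample body: first link mimics the lure, second is benign.
LURE = "http://members.multimania.co.uk/PLACEHOLDER/PDF_Document21_025542010_pdf.scr"
SAMPLE = (f'<p><a href="{LURE}">http://www.example.com/PDF_Document21_025542010.pdf</a></p>'
          '<p><a href="http://www.example.com/about">http://www.example.com/about</a></p>')
```

Either reason alone is worth quarantining on; together they match the message described in this post.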