Major U.S. organizations hit by 'Here you have' email worm


A number of major U.S. organizations were affected by a rapidly spreading email worm that hit inboxes worldwide beginning Thursday.

While security experts are not certain why the masterminds opted for such an old-school attack method, the outbreak appears to be fizzling out. But not before computers at NASA, the Florida Department of Transportation, ABC, Comcast, AIG, Disney and Procter & Gamble were affected, according to tweets and public reports.

Symantec on Thursday afternoon raised its threat level to 3 out of 4, or high, based on the widespread nature of the attack, Kevin Haley, director of Symantec Security Response, told SCMagazineUS.com on Friday.

“I talked to one customer who saw around 100 emails per second being sent in their systems, and that was enough to take a system down,” Haley said. 

“Good Morning America” weather anchor Sam Champion was one of the ABC employees affected.

“Wow huge email-spam-virus filling up my wrk email-box,” he tweeted Thursday.

The worm, which began propagating via email on Thursday, used the subject line "Here you have" or “Just for you.” The messages contained a link that appeared to lead to a PDF file but actually directed users to a malicious .SCR executable. If a user clicked on the link, they were prompted to install the worm, which attempted to disable most anti-virus packages and other security software.

The worm also attempted to send a copy of itself to all email contacts belonging to the victim. It also tried to spread through instant messenger, removable media devices via AutoRun, accessible remote machines and mapped drives.

For some companies, the attack was enough to take down email servers due to the high volume of messages being generated, Haley said.

Comcast, for example, was forced to shut down its internal email servers Thursday due to the outbreak, according to a company tweet.

The SANS Internet Storm Center also received numerous reports of infection. One user, commenting on a SANS blog post about the outbreak, wrote, “A major auditing firm sent us some emails with the malware link.”

Haley said the attack seems to be dwindling. Most anti-virus companies by now have virus definitions in place to stop the threat, he said. Additionally, the link included in the emails was no longer live as of early Thursday evening EST.

“For most folks, it's about getting it cleaned up now,” Haley said. 

The threat was similar to other mass mailer worms last used in the early 2000s, such as the ILoveYou and Anna Kournikova worms, Haley said.

Harry Sverdlove, CTO of application whitelisting firm Bit9, said the orchestrators of the attack reverted to the old-school tactic because it works.

“Traditional detect-and-react security does not work,” Sverdlove told SCMagazineUS.com in an email. “The ultimate aim of the bad guys is to steal data, and if a method that worked more than ten years ago is still effective, they are going to use it.”

Exactly why the worm was launched may never be known. But it surely was effective.

“For the speed that it propagated and how widespread it was, it has been a long time since we've seen one like this,” Haley said.

To protect themselves, organizations should ensure their anti-virus is up to date with the latest signatures, experts said. As a precaution, firms also should use spam filtering to block any subject lines containing "Here you have" and “Just for you” and use a firewall to block access to the URL used in the attack. McAfee suggested administrators filter out .SCR files from their email systems.
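The filtering advice above (block the two known subject lines, filter out .SCR files) and the lure described earlier in the article (a link that looks like a PDF but points at a .SCR executable) can be combined into one mail-gateway check. The following is an added example written for this page, not code from SC Magazine, Symantec or McAfee; the sample messages, sender addresses and the `example.invalid` URL are constructed placeholders, not the real URL used in the attack, and the list of executable extensions beyond .scr is an assumption for a more general filter.

```python
"""Added example: a mail-gateway filter for the "Here you have" worm pattern.
It flags (1) the worm's known subject lines and (2) links whose target is an
executable, with a stronger verdict when the link is dressed up as a document.
Sample messages below are constructed; domains are placeholders."""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser

# Subject lines reported for this worm (from the article).
BLOCKED_SUBJECTS = {"here you have", "just for you"}

# .scr is the extension used in this attack; the rest are an assumption
# for a general "no executables via mail links" rule.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")
# Words/extensions that make a link look like a harmless document.
DOCUMENT_HINTS = (".pdf", ".doc", "document", "attachment")


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _url_path(url: str) -> str:
    """Lower-cased URL without query string or fragment, so 'x.scr?y=1' still ends in .scr."""
    return re.split(r"[?#]", url, maxsplit=1)[0].lower()


def extract_links(msg: Message):
    """Return (href, text) for every link in the message's text parts."""
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "html":
            collector = _LinkCollector()
            collector.feed(body)
            links.extend(collector.links)
        else:  # plain text: bare URLs are their own "anchor text"
            links.extend((u, u) for u in re.findall(r"https?://\S+", body))
    return links


def scan_message(raw: str):
    """Return a list of findings; an empty list means the message passes."""
    msg = message_from_string(raw)
    findings = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in BLOCKED_SUBJECTS:
        findings.append(f"blocked subject line: {subject!r}")
    for href, text in extract_links(msg):
        path = _url_path(href)
        if path.endswith(EXECUTABLE_EXTS):
            reason = "executable link"
            if any(h in text.lower() or h in path for h in DOCUMENT_HINTS):
                reason = "link disguised as a document"
            findings.append(f"{reason}: {href}")
    return findings


# Constructed sample resembling the lure: PDF-looking text, .scr target.
SAMPLE_WORM_MAIL = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: Here you have
Content-Type: text/html; charset="utf-8"

<html><body>Please see the attached document.<br>
<a href="http://example.invalid/files/PDF_Document.pdf.scr">
http://example.invalid/files/PDF_Document.pdf</a>
</body></html>
"""

# Constructed benign sample: ordinary subject, real PDF link.
CLEAN_MAIL = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: Meeting notes
Content-Type: text/plain; charset="utf-8"

Notes are at http://example.invalid/files/notes.pdf
"""

if __name__ == "__main__":
    for name, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", CLEAN_MAIL)):
        print(name, scan_message(raw) or "OK")
```

`scan_message` keys on the path component of the URL rather than the displayed text, so a query string or a trailing `.pdf` in the visible link does not hide the `.scr` target; a gateway would typically quarantine on any finding and log the reason for the SOC.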
