Application security, Malware, Threat Management, Vulnerability Management

Major U.S. organizations hit by ‘Here you have’ email worm


A number of major U.S. major organizations were affected by a rapidly spreading email worm that hit inboxes worldwide beginning Thursday.

While security experts are not certain why the masterminds opted for such an old-school attack method, the outbreak appears to be fizzling out. But not before computers at NASA, the Florida Department of Transportation, ABC, Comcast, AIG, Disney and Proctor & Gamble were affected, according to tweets and public reports.

Symantec on Thursday afternoon raised its threat level to 3 out of 4, or high, based on the widespread nature of the attack, Kevin Haley, director of Symantec Security Response, told on Friday.

“I talked to one customer who saw around 100 emails per second being sent in their systems, and that was enough to take a system down,” Haley said. 

“Good Morning America” weather anchor Sam Champion was one of the ABC employees affected.

“Wow huge email-spam-virus filling up my wrk email-box.” he tweeted Thursday.

The worm, which began propagating via email on Thursday, used the subject line "Here you have" or “Just for you.” The messages contained a link that appeared to lead to a PDF file but actually directed users to a malicious .SCR executable. If a user clicked on the link, they were prompted to install the worm, which attempted to disable most anti-virus packages and other security software.

The worm also attempted to send a copy of itself to all email contacts belonging to the victim. It also tried to spread through instant messenger, removable media devices via AutoRun, accessible remote machines and mapped drives.

For some companies, the attack was enough to take down email servers due to the high volume of messages being generated, Haley said.

Comcast, for example, was forced to shut down its internal email servers Thursday due to the outbreak, according to a company tweet.

The SANS Internet Storm Center also received numerous reports of infection. One user, commenting on a SANS blog post about the outbreak wrote, “A major auditing firm sent us some emails with the malware link.”

Haley said the attack seems to be dwindling out. Most anti-virus companies by now have virus definitions in place to stop the threat, he said. Additionally, the link included in the emails was no longer live as of early Thursday evening EST.

“For most folks, it's about getting it cleaned up now,” Haley said. 

The threat was similar to other mass mailer worms last used in the early 2000s, such as the ILoveYou and Anna Kournikova worms, Haley said.

Harry Sverdlove, CTO of application whitelisting firm Bit9, said the orchestrators of the attack reverted back to the old-school tactic because it works.

“Traditional detect-and-react security does not work,” Sverdlove told in an email. “The ultimate aim of the bad guys is to steal data, and if a method that worked more than ten years ago is still effective, they are going to use it.”

Exactly why the worm was launched may never be known. But it surely was effective.

“For the speed that it propagated and how widespread it was, it has been a long time since we've seen one like this,” Haley said.

To protect themselves, organizations should ensure their anti-virus is up to date with the latest signatures, experts said. As a precaution, firms also should use spam filtering to block any subject lines containing "Here you have" and “Just for you” and use a firewall to block access to the URL used in the attack. McAfee suggested administrators filter out .SCR files from their email systems.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.