Posted: 9/9/2010 12:23:44 PM EDT
We just got this from our Microsoft rep:

There is a major virus going around affecting LOTS of companies today. The subject contains “Here you have”

Please warn your people not to open any email with this subject, or better yet stop them before they get in.


I know we have at least one case within our firm of about 4,500 employees (I'm the anti-virus guy among other things like AD, DNS, DHCP, FTP, etc.). I'm trying to get some further info from our Microsoft rep. Stay tuned.

E-95
Link Posted: 9/9/2010 12:27:39 PM EDT
Thanks again Mr. Torvalds
Link Posted: 9/9/2010 12:29:40 PM EDT

Originally Posted By Harvster:
Thanks again Mr. Torvalds


Link Posted: 9/9/2010 12:30:19 PM EDT
yup, got about 7 different emails with that title today at work.
Link Posted: 9/9/2010 12:31:04 PM EDT
There have apparently been a flood of cases opened up with Microsoft's Product Support Services Security group. The latest response from our rep is as follows:

The virus appears to arrive with a link to a *.scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. We are not totally sure of the origin at this point but wanted to send a heads up. The email subject is “Here you have”.


E-95
Link Posted: 9/9/2010 12:31:30 PM EDT
I have a few hundred copies of it in my mailbox and my BlackBerry is about to crash. The file is blocked by our proxy server, but our lusers working remotely are all getting it. Probably doesn't help that we are still using IE6.

Does anyone know what the exploit is? Is it in IE, Acrobat?
Link Posted: 9/9/2010 12:33:27 PM EDT

Originally Posted By jeremy223:
I have a few hundred copies of it in my mailbox and my BlackBerry is about to crash. The file is blocked by our proxy server, but our lusers working remotely are all getting it. Probably doesn't help that we are still using IE6.

Does anyone know what the exploit is? Is it in IE, Acrobat?

Still on IE6? Why?!
Link Posted: 9/9/2010 12:34:53 PM EDT
We got hit pretty hard at work with that today. It's amazing how many stupid users still clicked on the link after multiple emails sent by MIS and INFOSEC saying not to.
Link Posted: 9/9/2010 12:37:18 PM EDT
One of our engineers just found this on McAfee's site:


McAfee has received confirmation that some customers have received large volumes of spam containing a link to malware, a mass-mailing worm identified as VBMania. The symptom reported thus far is that the spam volume is overwhelming the email infrastructure.
Static URLs in the email link to a .SCR file. McAfee recommends that customers filter for the URL on gateway and email servers, and block the creation of .SCR files on endpoint systems.


E-95
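The gateway-side filtering McAfee recommends, and the "stop them before they get in" advice earlier in the thread, can be done on the mail server itself. The following is an added example, not code from the thread or from McAfee or Microsoft; it assumes Exchange 2010 (run from the Exchange Management Shell; the rule cmdlet's parameters differ on 2007) and uses both subject lines reported in this thread ("Just for you" is reported later in the day):

```powershell
# Added example, not from the thread: drop the worm's mail at the Hub Transport
# layer and measure how much has already gone through. Assumes Exchange 2010.

# Subject lines reported in this thread
$WormSubjects = 'Here you have', 'Just for you'

# 1. Transport rule: silently drop any message whose subject contains either phrase.
New-TransportRule -Name 'Drop Visal.A worm mail' `
    -SubjectContainsWords $WormSubjects `
    -DeleteMessage $true `
    -Comments 'Temporary rule for the 9/9/2010 mass-mailing worm; remove once AV signatures are deployed'

# 2. Triage: count today's matching messages per sender across all Hub Transport
#    servers. The top senders are the mailboxes whose machines ran the .scr and
#    are now mailing the GAL, so that list is the cleanup queue.
function Get-WormSenders {
    param([datetime]$Since = (Get-Date).Date)
    # Build one case-insensitive regex from the subject list so partial subjects
    # ("Here you have" followed by other text) still match.
    $pattern = ($WormSubjects | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-TransportServer |
        Get-MessageTrackingLog -Start $Since -EventId RECEIVE -ResultSize Unlimited |
        Where-Object { $_.MessageSubject -match $pattern } |
        Group-Object -Property Sender |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

Get-WormSenders | Select-Object -First 20 | Format-Table -AutoSize
```

The rule deletes outright rather than quarantining because the thread's concern is mail volume overwhelming Exchange, not preserving samples; the tracking-log query is read-only and can be run first to see how far the worm has already spread internally.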
Link Posted: 9/9/2010 12:38:48 PM EDT

Originally Posted By E-95:
We just got this from our Microsoft rep:

There is a major virus going around affecting LOTS of companies today. The subject contains “Here you have”

Please warn your people not to open any email with this subject, or better yet stop them before they get in.


I know we have at least one case within our firm of about 4,500 employees (I'm the anti-virus guy among other things like AD, DNS, DHCP, FTP, etc.). I'm trying to get some further info from our Microsoft rep. Stay tuned.

E-95
Thanks, looks like our Spam Filter has been putting the smack down on them.



Link Posted: 9/9/2010 12:40:01 PM EDT
Originally Posted By andrasik:

Originally Posted By jeremy223:
I have a few hundred copies of it in my mailbox and my BlackBerry is about to crash. The file is blocked by our proxy server, but our lusers working remotely are all getting it. Probably doesn't help that we are still using IE6.

Does anyone know what the exploit is? Is it in IE, Acrobat?

Still on IE6? Why?!


Some crap, old timesheet system we use that doesn't work with any modern browsers. I have to run firefox portable from my temp directory
Link Posted: 9/9/2010 12:47:43 PM EDT
[Last Edit: 9/9/2010 12:54:39 PM EDT by cm]
The virus is an Adobe exploit.

I think this is it

http://blog.trendmicro.com/new-zero-day-adobe-acrobat-vulnerability-exploited/


Sep9
<small>1:43 am (UTC-7) | by Jonathan Leopando (Technical Communications) </small>



Adobe has issued a new security advisory concerning Adobe Acrobat, its line of PDF software. All current versions of Reader and Acrobat are known to be vulnerable, across all supported platforms–Windows and Mac for Acrobat, and Windows, Mac, and Unix for Reader. According to the advisory, an attacker could use the vulnerability "to take control of the affected system”, meaning random code could be executed on user systems.

Trend Micro has already found malicious files that exploit this vulnerability. These are detected as TROJ_PIDIEF.WM. In turn, this file drops a downloader (TROJ_DLOADR.WM) which leads to another downloader, TROJ_CHIFRAX.BU. More PIDIEF variants that exploit this vulnerability are sure to be spotted in the next few days.

The URLs where TROJ_CHIFRAX.BU is located and downloads malware from are currently unavailable. Curiously, even though the website was registered on the .US top-level domain, WHOIS records indicate the registrant is in Hong Kong. In addition, the servers that actually host the site are located in Germany and the United States. This indicates that some effort was placed into hiding the actual persons responsible for this attack.



more info about how the virus writers are trying to hide their identity in the article...




No fix from Adobe yet; supposedly all Adobe Acrobat versions are vulnerable, and I guess Adobe doesn't consider this exploit to be a problem since supposedly the bug was known.


Link Posted: 9/9/2010 12:52:04 PM EDT
The CSRM team is showing their 1337 skillz. It's not even hitting our spam filters at the end-point.
Link Posted: 9/9/2010 12:56:15 PM EDT
And no fix from Trend yet either. They expect to have a new pattern file released in a couple of hours. Here's the latest from our Microsoft TAM:


Start Time: 9/9/2010 12:00:00 PM [Pacific Time]

Issue Overview:

  • CritSit and TR agents report a new Exchange Virus as a main call driver, contributing to the degraded service levels experienced today.

  • The virus is titled Worm:Win32/Visal.A, and manifests by sending an overload of spam e-mails once executed.

  • The method of delivery is believed to be a vulnerability in Adobe, as the worm shows up as a PDF file, and Adobe has documentation of this vulnerability.

  • This has been one call driver, but call volumes are high, and service level has been degraded throughout the day.

  • Microsoft Security has identified the worm, and is working to relay information to all support teams.

  • Troubleshooting and advisory steps are now in the Microsoft Security Portal.



E-95

Link Posted: 9/9/2010 12:57:57 PM EDT
another article on the virus

http://www.computerworld.com/s/article/9184146/Hackers_exploit_new_PDF_zero_day_bug_warns_Adobe

Hackers exploit new PDF zero-day bug, warns Adobe

Criminals conduct 'limited' attacks with rigged PDF attachments

By Gregg Keizer
September 8, 2010 04:09 PM ET
Computerworld - Adobe today warned users that attacks have begun exploiting an unpatched bug in its popular Reader and Acrobat PDF viewing and creation software.


"A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh," Adobe's warning read. "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system."

"Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability," the advisory added.

Other than to say that "at this point, [attacks] appear to be limited," Adobe offered little information on the bug today.


Parkour uncovered a malicious e-mail message with a rogue PDF attachment that urged recipients to open the document. "Want to improve your score? In these golf tips, David Leadbetter shows you some important principles," the message read.

Leadbetter, a well-known golf coach and author on the game, operates more than two dozen golf academies in 13 countries, and claims the title of "master of the art of teaching the golf swing."

Symantec pegged the threat with a score of 8.5 out of possible 10, while Danish vulnerability tracker Secunia rated the vulnerability as "Extremely critical," its highest-possible threat level.

According to Symantec, the bug is in Reader's and Acrobat's parsing of PDF files that contain malformed TIFF image files. Specifically, said the company in an alert to customers, "the issue occurs due to a heap-memory corruption issue in 'cooltype.dll.'"

CoolType is an Adobe font-rendering technology, similar to Microsoft's ClearType.

Adobe did not spell out a timetable for patching the Reader/Acrobat zero-day vulnerability, nor did it offer users any ad hoc defensive measures they could employ until a fix is ready.

The next regularly-scheduled patch date for Reader and Acrobat is Oct. 13, but Adobe has been known to issue so-called "out-of-band" emergency updates when active attacks spike.

An Adobe spokeswoman hinted that the latter could easily occur. "With exploit code publicly available, [the current limited-only attack] could change," she said, talking about the exploit that Parkour has posted online.

Parkour has not released the exploit publicly, however, but has password-protected the malicious PDF she discovered, and will release it only to people who e-mail her.

Symantec urged Reader and Acrobat users not to open PDFs from untrusted or unknown senders.

Link Posted: 9/9/2010 12:58:29 PM EDT
What virus?

Mac owner

Link Posted: 9/9/2010 1:02:08 PM EDT

Originally Posted By GiggleSmith:
What virus?

Mac owner


This one is infecting Macs as well.
Link Posted: 9/9/2010 1:05:27 PM EDT
tag
Link Posted: 9/9/2010 1:05:41 PM EDT
I received a notice for a Firefox/Adobe upgrade today (like I have received 50 times before) and I permitted the upgrade.

A worm/virus called "Security Tool" took over my computer and would not let go.

I just received word from my computer Department that they were able to remove it.

Watch for Firefox upgrade notices.
Link Posted: 9/9/2010 1:06:50 PM EDT

Originally Posted By Enigma102083:

Originally Posted By GiggleSmith:
What virus?

Mac owner


This one is infecting Macs as well.


(sorry. had to)

Link Posted: 9/9/2010 1:07:19 PM EDT
Large enterprise company I work for today got hit. Was amusing to watch people open this and watch it propagate.

Good times!
Link Posted: 9/9/2010 1:07:30 PM EDT
Another warning for y'all:

If you get an email titled "nude photos of Nancy Pelosi," don't open it.

It could contain nude photos of Nancy Pelosi.

Link Posted: 9/9/2010 1:10:14 PM EDT

Originally Posted By Sub-MOA:

Originally Posted By Enigma102083:

Originally Posted By GiggleSmith:
What virus?

Mac owner


This one is infecting Macs as well.


(sorry. had to)



Link Posted: 9/9/2010 1:10:15 PM EDT

Originally Posted By 1Bigdog:
I received a notice for a Firefox/Adobe upgrade today (like I have received 50 times before) and I permitted the upgrade.

A worm/virus called "Security Tool" took over my computer and would not let go.

I just received word from my computer Department that they were able to remove it.

Watch for Firefox upgrade notices.

The 3.6.9 upgrade was released yesterday. There's a 99.99999999999% chance that your virus problem had nothing to do with that.


Link Posted: 9/9/2010 1:10:59 PM EDT
Originally Posted By DanSharp:
Large enterprise company I work for today got hit. Was amusing to watch people open this and watch it propagate.

Good times!


It's been a long time since we've had a really good one. Ooh, this IS fun
Link Posted: 9/9/2010 1:19:20 PM EDT
Link Posted: 9/9/2010 1:20:07 PM EDT

Originally Posted By Sub-MOA:

Originally Posted By 1Bigdog:
I received a notice for a Firefox/Adobe upgrade today (like I have received 50 times before) and I permitted the upgrade.

A worm/virus called "Security Tool" took over my computer and would not let go.

I just received word from my computer Department that they were able to remove it.

Watch for Firefox upgrade notices.

The 3.6.9 upgrade was released yesterday. There's a 99.99999999999% chance that your virus problem had nothing to do with that.



Well.....

When I permitted the Firefox/Adobe download the virus was instantaneous.
Link Posted: 9/9/2010 1:20:56 PM EDT
Adobe.
Link Posted: 9/9/2010 1:25:28 PM EDT
Originally Posted By 1Bigdog:

Originally Posted By Sub-MOA:

Originally Posted By 1Bigdog:
I received a notice for a Firefox/Adobe upgrade today (like I have received 50 times before) and I permitted the upgrade.

A worm/virus called "Security Tool" took over my computer and would not let go.

I just received word from my computer Department that they were able to remove it.

Watch for Firefox upgrade notices.

The 3.6.9 upgrade was released yesterday. There's a 99.99999999999% chance that your virus problem had nothing to do with that.



Well.....

When I permitted the Firefox/Adobe download the virus was instantaneous.


A trojan could very well masquerade as a Firefox/Adobe update. I wouldn't update *anything* for a bit other than virus definitions.
Link Posted: 9/9/2010 1:25:55 PM EDT

Originally Posted By 1Bigdog:

Originally Posted By Sub-MOA:

Originally Posted By 1Bigdog:
I received a notice for a Firefox/Adobe upgrade today (like I have received 50 times before) and I permitted the upgrade.

A worm/virus called "Security Tool" took over my computer and would not let go.

I just received word from my computer Department that they were able to remove it.

Watch for Firefox upgrade notices.

The 3.6.9 upgrade was released yesterday. There's a 99.99999999999% chance that your virus problem had nothing to do with that.



Well.....

When I permitted the Firefox/Adobe download the virus was instantaneous.

The worm under discussion in this thread is propagated by a jscript problem in Adobe Acrobat.
There are no AV signatures (that I'm aware of) pushed out yet.

The cure is to use a domain-wide GPO to turn off jscript in Acrobat.


This is the WIKI page for the issue YOU have -> http://en.wikipedia.org/wiki/Security_Tool
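The machine-side setting behind the GPO this post recommends, as an added example (not code from the thread). It assumes Adobe's FeatureLockDown registry policy for Reader and Acrobat 9 and its `bDisableJavaScript` value, which Adobe documents for enterprise lockdown; the key path and version segment should be checked against the product version actually deployed.

```powershell
# Added example, not from the thread: disable JavaScript in Adobe Reader/Acrobat
# machine-wide and lock the setting so users cannot re-enable it.
# Assumption: Adobe's FeatureLockDown registry policy (bDisableJavaScript = 1).

function Set-AcrobatJavaScriptLockdown {
    # Writes the lockdown value for every product/version pair requested.
    param([string[]]$Version = @('9.0'))
    foreach ($v in $Version) {
        $keys = @(
            "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$v\FeatureLockDown",
            "HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\$v\FeatureLockDown"
        )
        foreach ($key in $keys) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # DWORD 1 = JavaScript off and the checkbox greyed out in Preferences
            New-ItemProperty -Path $key -Name bDisableJavaScript -Value 1 `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-AcrobatJavaScriptLockdown {
    # Reports the effective value so the change can be verified on a client
    # after the GPO has applied (gpupdate /force).
    param([string]$Version = '9.0')
    foreach ($product in 'Acrobat Reader', 'Adobe Acrobat') {
        $key = "HKLM:\SOFTWARE\Policies\Adobe\$product\$Version\FeatureLockDown"
        $val = (Get-ItemProperty -Path $key -Name bDisableJavaScript `
                    -ErrorAction SilentlyContinue).bDisableJavaScript
        New-Object PSObject -Property @{
            Product            = $product
            Version            = $Version
            JavaScriptDisabled = ($val -eq 1)
        }
    }
}

Set-AcrobatJavaScriptLockdown -Version '9.0', '8.0'
Test-AcrobatJavaScriptLockdown -Version '9.0' | Format-Table -AutoSize
```

For domain-wide deployment, the same key path and DWORD value go into a Group Policy registry preference; the script above is the equivalent for a single machine and for verifying that the policy landed. Because it writes under HKLM\SOFTWARE\Policies, the preference applies even if the user has previously turned JavaScript back on in the application.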
Link Posted: 9/9/2010 1:46:18 PM EDT
Additional information from our Microsoft TAM:

FYI… it also appears to be able to spread via the network by scanning for available drive letters from C: to H:

Microsoft Protection Center

Spreads via...
Network shares
Worm:Win32/Visal.A attempts to spread to other computers in the network. If it finds an accessible computer in the network, it attempts to copy the following files to drives C: to H:, if found, of that computer:


  • N73.Image12.03.2009.JPG.scr - copy of itself

  • autorun.inf - autorun file that allows the worm copy to automatically run when the drive is accessed and Autorun is enabled



It also creates a copy of itself as "N73.Image12.03.2009.JPG.scr" in shared folders with the following names:


  • Music

  • Print

  • NewFolder



Email
Worm:Win32/Visal.A also spreads via spammed email messages. The email may have the following details:

Body:
Hello:

This is The Document I told you about,you can find it Here.<link to worm copy>

Please check it and reply as soon as possible.

Cheers,


E-95
Link Posted: 9/9/2010 1:49:55 PM EDT
We are good here. No infections or attempts. After reading this thread, we made things a wee bit tighter.

Link Posted: 9/9/2010 2:33:49 PM EDT

Originally Posted By GiggleSmith:
What virus?

Mac owner


You silly Mac owners!

Dumb enough to buy one, dumb enough to believe they can't be infected
Link Posted: 9/9/2010 2:45:28 PM EDT
[Last Edit: 9/9/2010 2:48:29 PM EDT by Sub-MOA]
Newer email subject line:

"Just for you"

to go with

"Here you have"

––––

Also useful to check ALL user accessible shares for the files "N73.Image12.03.2009.JPG.scr"

If you get hit with this one you'll know it pretty quick.
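The share check suggested here, together with the drive-letter and share-name details in the Microsoft Protection Center text quoted earlier in the thread, can be turned into a sweep across the fleet. The following is an added example, not code from the thread or from Microsoft; it assumes admin rights on the target hosts (for the C$..H$ admin shares and WMI share enumeration) and a constructed hosts.txt with one hostname per line.

```powershell
# Added example, not from the thread: sweep the drives and shares that the
# quoted MPC writeup says Worm:Win32/Visal.A writes to, on a list of hosts, and
# report where its file (and an autorun.inf that points at it) are present.
# Assumptions: admin rights on each host; hosts.txt (constructed) lists them.

$WormFile     = 'N73.Image12.03.2009.JPG.scr'   # filename from the quoted MPC writeup
$DriveLetters = 'C', 'D', 'E', 'F', 'G', 'H'    # drive range the worm targets
$Hosts        = Get-Content .\hosts.txt

function Test-WormCopy {
    # Emits one finding per path that exists. An autorun.inf is only reported
    # when its contents reference the worm's .scr, because a legitimate
    # autorun.inf is common on removable media and would otherwise be noise.
    param([string]$ComputerName, [string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p -ErrorAction SilentlyContinue)) { continue }
        $item = Get-Item -LiteralPath $p -Force          # -Force: the worm copy may be hidden
        if ($item.Name -ieq 'autorun.inf') {
            $body = Get-Content -LiteralPath $p -ErrorAction SilentlyContinue | Out-String
            if ($body -notmatch [regex]::Escape($WormFile)) { continue }
        }
        New-Object PSObject -Property @{
            ComputerName  = $ComputerName
            Path          = $p
            SizeBytes     = $item.Length
            LastWriteTime = $item.LastWriteTime
        }
    }
}

$Findings = foreach ($h in $Hosts) {
    # 1. Admin shares for each drive letter the worm targets (C$ .. H$)
    foreach ($d in $DriveLetters) {
        $root = '\\{0}\{1}$' -f $h, $d
        Test-WormCopy -ComputerName $h -Paths @(
            (Join-Path $root $WormFile),
            (Join-Path $root 'autorun.inf')
        )
    }
    # 2. Every user-accessible disk share (Type 0), not just Music/Print/NewFolder,
    #    since the post above recommends checking all of them.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $h -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 0 }
    foreach ($s in $shares) {
        $sharePath = '\\{0}\{1}' -f $h, $s.Name
        Test-WormCopy -ComputerName $h -Paths @(Join-Path $sharePath $WormFile)
    }
}

$Findings | Export-Csv -NoTypeInformation -Path .\visal-findings.csv
$Findings | Format-Table -AutoSize
```

The sweep only reads; it records size and last-write time so the first infected host can be identified from the earliest timestamp before anything is deleted. Hosts whose admin shares are unreachable are skipped silently, so compare the output against the host list to see which machines still need a look.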
Link Posted: 9/9/2010 2:57:25 PM EDT
It hit my company as well. I didn't click on any links, but I received about 20 emails.
Link Posted: 9/9/2010 3:01:40 PM EDT
Adobe.

My surprised face ->
Link Posted: 9/9/2010 3:02:23 PM EDT

Originally Posted By MustardTiger:

Originally Posted By Sub-MOA:

Originally Posted By Enigma102083:

Originally Posted By GiggleSmith:
What virus?

Mac owner


This one is infecting Macs as well.


(sorry. had to)




LOL!!!!!!

So.... let me get this straight..... you open an e-mail, and then you're infected!?

And people keep buying the product?

No, really.... what's the punch line?
Link Posted: 9/9/2010 3:22:37 PM EDT
[Last Edit: 9/9/2010 3:24:50 PM EDT by sasquatch98]
Originally Posted By Mazeman:

Originally Posted By MustardTiger:

Originally Posted By Sub-MOA:

Originally Posted By Enigma102083:

Originally Posted By GiggleSmith:
What virus?

Mac owner


This one is infecting Macs as well.




(sorry. had to)




LOL!!!!!!

So.... let me get this straight..... you open an e-mail, and then you're infected!?

And people keep buying the product?

No, really.... what's the punch line?


Strange, all my Macs and my iPad seem to be working fine. By the way, Macs don't use .dll or .inf files, the files being used by the exploit, so at worst Adobe Reader will crash (if you're a fucking moron and open attachments you weren't expecting), plus I don't know anyone who uses Adobe Reader on the Mac seeing as how the built-in app Preview is 1000000% better.

Link Posted: 9/9/2010 4:46:21 PM EDT
Originally Posted By 1Bigdog:
Well.....

When I permitted the Firefox/Adobe download the virus was instantaneous.


There's no such thing as "Firefox/Adobe"; they are two different companies. You have no idea what you're talking about.
Link Posted: 9/9/2010 5:38:33 PM EDT
Originally Posted By Mazeman:

Originally Posted By MustardTiger:

Originally Posted By Sub-MOA:

Originally Posted By Enigma102083:

Originally Posted By GiggleSmith:
What virus?

Mac owner


This one is infecting Macs as well.


(sorry. had to)




LOL!!!!!!

So.... let me get this straight..... you open an e-mail, and then you're infected!?

And people keep buying the product?

No, really.... what's the punch line?

No, you open an email, then open an attachment with Adobe Reader, and you are infected.
No, the product is free.
The typically clueless Apple Kool-Aid drinkers pipe up about how they are not affected, when the exact same exploit works the exact same way, on the same products on Macs.
Link Posted: 9/9/2010 5:42:24 PM EDT
Originally Posted By sasquatch98:

Strange, all my Macs and my iPad seem to be working fine. By the way, Macs don't use .dll or .inf files, the files being used by the exploit, so at worst Adobe Reader will crash (if you're a fucking moron and open attachments you weren't expecting), plus I don't know anyone who uses Adobe Reader on the Mac seeing as how the built-in app Preview is 1000000% better.

The exploit works the same way in Acrobat on all platforms: it allows remote code execution, and has nothing to do with .dll or .inf files. If anyone bothered, they could make a version that had similar results on other platforms. There are plenty of PDF readers available for PCs as well that are not affected.

This really has nothing to do with PC vs Mac; it is an exploit in Adobe's software, which I think everyone can agree is generally crap.
Link Posted: 9/9/2010 5:47:27 PM EDT
Nothing in my Yahoo mail account.


And I mean nothing. Looks like we're all good here.
Link Posted: 9/9/2010 5:49:05 PM EDT
They hit us.
Link Posted: 9/9/2010 6:07:15 PM EDT
An Adobe exploit? You don't say...
Link Posted: 9/9/2010 6:12:52 PM EDT
Link Posted: 9/9/2010 7:14:04 PM EDT
It might infect Acrobat on a Mac, but the question remains as to whether it's successful beyond that.

Word macro viruses spread on Macs but the payloads never worked. They were mostly harmless until you started sending files out to others.

Link Posted: 9/10/2010 9:58:01 AM EDT
Adobe pushed the patch early this morning.
Link Posted: 9/10/2010 3:59:00 PM EDT
[Last Edit: 9/13/2010 9:17:01 AM EDT by Tango7]
Originally Posted By Erik_the_Red:
Originally Posted By 1Bigdog:
Well.....

When I permitted the Firefox/Adobe download the virus was instantaneous.


There's no such thing as "Firefox/Adobe"; they are two different companies. You have no idea what you're talking about.

Well OK <removed - T7> ...it was a Firefox update notice that also said that I had to install the latest version of Adobe and to "click here" to do this.

Is that better?

http://www.techjaws.com/security-tool-installs-as-a-firefox-and-flash-update/
Link Posted: 9/10/2010 4:04:01 PM EDT
Originally Posted By Enigma102083:

Originally Posted By GiggleSmith:
What virus?

Mac owner


This one is infecting Macs as well.


How so?

Link Posted: 9/10/2010 6:29:31 PM EDT

Originally Posted By jeremy223:
Originally Posted By Mazeman:

Originally Posted By MustardTiger:

Originally Posted By Sub-MOA:

Originally Posted By Enigma102083:

Originally Posted By GiggleSmith:
What virus?

Mac owner


This one is infecting Macs as well.


(sorry. had to)




LOL!!!!!!

So.... let me get this straight..... you open an e-mail, and then you're infected!?

And people keep buying the product?

No, really.... what's the punch line?

No, you open an email, then open an attachment with Adobe Reader, and you are infected.
No, the product is free.
The typically clueless Apple Kool-Aid drinkers pipe up about how they are not affected, when the exact same exploit works the exact same way, on the same products on Macs.
"Clueless"

I'm not the one who's afraid to open my mail.

And I have yet to see a thread (let alone a single post) where a Mac owner was "affected".

Party on, clue-full.

Link Posted: 9/12/2010 9:50:44 PM EDT
[Last Edit: 9/13/2010 9:17:22 AM EDT by Tango7]
Originally Posted By 1Bigdog:

Originally Posted By Erik_the_Red:
Originally Posted By 1Bigdog:
Well.....

When I permitted the Firefox/Adobe download the virus was instantaneous.


There's no such thing as "Firefox/Adobe"; they are two different companies. You have no idea what you're talking about.

Well OK <removed - T7> ...it was a Firefox update notice that also said that I had to install the latest version of Adobe and to "click here" to do this.

Is that better?

http://www.techjaws.com/security-tool-installs-as-a-firefox-and-flash-update/



Except that the OP is posting about an Adobe exploit and you got hit with a garden-variety Vundo/Smitfraud ransomware. Totally different, in that the first exploits a security hole to automatically drop a trojan and the latter relies on the stupidity of the user to click "Yes, please infect my system!" You still have absolutely no clue what you're talking about.

You clicked on a pop-up and allowed your system to be infected and I'm the <removed - T7> ?