Posted: 9/9/2010 12:23:44 PM EDT
We just got this from our Microsoft rep:
There is a major virus going around affecting LOTS of companies today. The subject contains “Here you have”
Please warn your people not to open any email with this subject, or better yet stop them before they get in. I know we have at least one case within our firm of about 4,500 employees (I'm the anti-virus guy among other things like AD, DNS, DHCP, FTP, etc.). I'm trying to get some further info from our Microsoft rep. Stay tuned. E-95 |
|
yup, got about 7 different emails with that title today at work.
|
|
There have apparently been a flood of cases opened up with Microsoft's Product Support Services Security group. The latest response from our rep is as follows:
The virus appears to arrive with a link to a *.scr file that looks like a PDF link. When users click it, it begins sending emails using the GAL or contacts. We are not totally sure of the origin at this point but wanted to send a heads up. The email subject is “Here you have”.
E-95 |
|
I have a few hundred copies of it in my mailbox and my blackberry is about to crash. The file is blocked by our proxy server, but our lusers working remotely are all getting it. Probably doesn't help that we are still using IE6.
Does anyone know what the exploit is? Is it in IE, Acrobat? |
|
Quoted: I have a few hundred copies of it in my mailbox and my blackberry is about to crash. The file is blocked by our proxy server, but our lusers working remotely are all getting it. Probably doesn't help that we are still using IE6. Does anyone know what the exploit is? Is it in IE, Acrobat?
Still on IE6? Why?! |
|
We got hit pretty hard at work with that today. It's amazing how many stupid users still clicked on the link after multiple emails sent by MIS and INFOSEC saying not to.
|
|
One of our engineers just found this on McAfee's site:
McAfee has received confirmation that some customers have received large volumes of spam containing a link to malware, a mass-mailing worm identified as VBMania. The symptom reported thus far is that the spam volume is overwhelming the email infrastructure.
Static URLs in the email link to a .SCR file. McAfee recommends that customers filter for the URL on gateway and email servers, and block the creation of .SCR files on endpoint systems. E-95 |
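The McAfee guidance above (filter the link on the gateway and mail servers, block .SCR on endpoints) is easy to state and easy to get wrong, because the lure shows a PDF name while the href fetches a screensaver executable. The following is an added example, not code from the thread, McAfee or Microsoft: a small gateway-side triage that parses a message, extracts any URL ending in .scr from the plain or HTML body, flags an anchor labelled .pdf that points at .scr, and returns a verdict plus the URLs to push to the proxy blocklist. It assumes the two lure subjects reported in this thread ("Here you have", and "Just for you" from a later post), treats the example.invalid host and file names as placeholders rather than real indicators, and the two sample messages are constructed.

```python
"""Gateway-side triage for the "Here you have" lure.

Added example, not code from the thread, McAfee or Microsoft. Assumptions:
  - mail is available as RFC 822 text (the two samples are constructed);
  - the lure subjects are "Here you have" and "Just for you" (the second is
    reported later in the thread);
  - a link whose target ends in .scr is hostile regardless of its anchor text;
  - the example.invalid host and file names are placeholders, not real IOCs.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

WORM_SUBJECTS = ("here you have", "just for you")
SCR_URL_RE = re.compile(r"https?://[^\s\"'<>]+\.scr\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs to spot a .scr hiding behind a .pdf label."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_message):
    """Return a verdict plus the .scr URLs to push to the proxy/gateway blocklist."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    subject_hit = any(subject.startswith(s) for s in WORM_SUBJECTS)
    scr_urls, pdf_disguise = set(), False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        scr_urls.update(SCR_URL_RE.findall(body))
        if ctype == "text/html":
            collector = LinkCollector()
            collector.feed(body)
            for href, text in collector.links:
                if href and href.lower().endswith(".scr"):
                    scr_urls.add(href)
                    if text.lower().endswith(".pdf"):
                        pdf_disguise = True   # shown as a PDF, fetches a screensaver EXE
    if subject_hit and scr_urls:
        verdict = "block"        # the worm lure itself
    elif scr_urls:
        verdict = "quarantine"   # .scr link under some other subject
    elif subject_hit:
        verdict = "review"       # subject alone: legitimate mail uses it too
    else:
        verdict = "pass"
    return {"verdict": verdict, "subject_hit": subject_hit,
            "scr_urls": sorted(scr_urls), "pdf_disguise": pdf_disguise}


# Constructed samples; the worm body text follows the wording quoted in the thread.
SAMPLE_WORM = """From: colleague@example.invalid
To: you@example.invalid
Subject: Here you have
Content-Type: text/html

<html><body>Hello:<br>This is The Document I told you about,you can find it
<a href="http://example.invalid/PDF_Document.pdf.scr">PDF_Document.pdf</a><br>
Please check it and reply as soon as possible.<br>Cheers,</body></html>
"""

SAMPLE_CLEAN = """From: boss@example.invalid
To: you@example.invalid
Subject: Here you have
Content-Type: text/plain

The Q3 numbers are on the finance share as q3.xlsx, as promised.
"""

if __name__ == "__main__":
    for name, raw in (("worm", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
        print(name, triage(raw))
```

The verdict ladder matters more than the regex: the subject alone is weak evidence (the second sample is a legitimate "Here you have" and only gets "review"), while a .scr link is enough to quarantine under any subject. The returned scr_urls are what the proxy team needs; the thread's remote users were only getting infected because the proxy block did not apply off-network.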
|
Quoted: We just got this from our Microsoft rep: There is a major virus going around affecting LOTS of companies today. The subject contains "Here you have". Please warn your people not to open any email with this subject, or better yet stop them before they get in. I know we have at least one case within our firm of about 4,500 employees (I'm the anti-virus guy among other things like AD, DNS, DHCP, FTP, etc.). I'm trying to get some further info from our Microsoft rep. Stay tuned. E-95
Thanks, looks like our Spam Filter has been putting the smack down on them. |
|
Quoted:
Quoted: I have a few hundred copies of it in my mailbox and my blackberry is about to crash. The file is blocked by our proxy server, but our lusers working remotely are all getting it. Probably doesn't help that we are still using IE6. Does anyone know what the exploit is? Is it in IE, Acrobat?
Still on IE6? Why?!
Some crap, old timesheet system we use that doesn't work with any modern browsers. I have to run Firefox Portable from my temp directory |
|
The virus is an Adobe exploit.
I think this is it: http://blog.trendmicro.com/new-zero-day-adobe-acrobat-vulnerability-exploited/
Sep 9, 1:43 am (UTC-7) | by Jonathan Leopando (Technical Communications)
Adobe has issued a new security advisory concerning Adobe Acrobat, its line of PDF software. All current versions of Reader and Acrobat are known to be vulnerable, across all supported platforms: Windows and Mac for Acrobat, and Windows, Mac, and Unix for Reader. According to the advisory, an attacker could use the vulnerability "to take control of the affected system", meaning random code could be executed on user systems. Trend Micro has already found malicious files that exploit this vulnerability. These are detected as TROJ_PIDIEF.WM. In turn, this file drops a downloader (TROJ_DLOADR.WM) which leads to another downloader, TROJ_CHIFRAX.BU. More PIDIEF variants that exploit this vulnerability are sure to be spotted in the next few days. The URLs where TROJ_CHIFRAX.BU is located and downloads malware from are currently unavailable. Curiously, even though the website was registered on the .US top-level domain, WHOIS records indicate the registrant is in Hong Kong. In addition, the servers that actually host the site are located in Germany and the United States. This indicates that some effort was placed into hiding the actual persons responsible for this attack.
More info about how the virus writers are trying to hide their identity is in the article... No fix from Adobe yet; supposedly all Adobe Acrobat versions are vulnerable, and I guess Adobe doesn't consider this exploit to be a problem since supposedly the bug was known. |
|
The CSRM team is showing their 1337 skillz. It's not even hitting our spam filters at the end-point.
|
|
And no fix from Trend yet either. They expect to have a new pattern file released in a couple of hours. Here's the latest from our Microsoft TAM:
Start Time: 9/9/2010 12:00:00 PM [Pacific Time] Issue Overview:
E-95 |
|
another article on the virus
http://www.computerworld.com/s/article/9184146/Hackers_exploit_new_PDF_zero_day_bug_warns_Adobe
Hackers exploit new PDF zero-day bug, warns Adobe
Criminals conduct 'limited' attacks with rigged PDF attachments
By Gregg Keizer, September 8, 2010 04:09 PM ET
Computerworld - Adobe today warned users that attacks have begun exploiting an unpatched bug in its popular Reader and Acrobat PDF viewing and creation software. The company issued an advisory on short notice today, saying that it had learned of in-the-wild attacks only on Tuesday.
"A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh," Adobe's warning read. This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system. "Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability," the advisory added.
Other than to say that "at this point, [attacks] appear to be limited," Adobe offered little information on the bug today. But Mila Parkour, the independent security researcher who reported the bug to Adobe on Tuesday, had plenty in a post to her Contagio Malware Dump blog. Parkour uncovered a malicious e-mail message with a rogue PDF attachment that urged recipients to open the document. "Want to improve your score? In these golf tips, David Leadbetter shows you some important principles," the message read. Leadbetter, a well-known golf coach and author on the game, operates more than two dozen golf academies in 13 countries, and claims the title of "master of the art of teaching the golf swing."
Symantec pegged the threat with a score of 8.5 out of a possible 10, while Danish vulnerability tracker Secunia rated the vulnerability as "Extremely critical," its highest-possible threat level. According to Symantec, the bug is in Reader's and Acrobat's parsing of PDF files that contain malformed TIFF image files. Specifically, said the company in an alert to customers, "the issue occurs due to a heap-memory corruption issue in 'cooltype.dll.'" CoolType is an Adobe font-rendering technology, similar to Microsoft's ClearType.
Adobe did not spell out a timetable for patching the Reader/Acrobat zero-day vulnerability, nor did it offer users any ad hoc defensive measures they could employ until a fix is ready. The next regularly-scheduled patch date for Reader and Acrobat is Oct. 13, but Adobe has been known to issue so-called "out-of-band" emergency updates when active attacks spike. An Adobe spokeswoman hinted that the latter could easily occur. "With exploit code publicly available, [the current limited-only attack] could change," she said, talking about the exploit that Parkour has posted online. Parkour has not released the exploit publicly, however, but has password-protected the malicious PDF she discovered, and will release it only to people who e-mail her.
Symantec urged Reader and Acrobat users not to open PDFs from untrusted or unknown senders. |
|
Quoted: What virus? Mac owner
This one is infecting Macs as well. |
|
I received a notice for a Firefox/Adobe upgrade today (like I have received 50 times before) and I permitted the upgrade.
A worm/virus called "Security Tool" took over my computer and would not let go. I just received word from my computer Department that they were able to remove it. Watch for Firefox upgrade notices. |
|
Quoted:
Quoted: What virus? Mac owner
This one is infecting Macs as well.
(sorry. had to) |
|
Large enterprise company I work for today got hit. Was amusing to watch people open this and watch it propagate.
Good times! |
|
Another warning for y'all:
If you get an email titled "nude photos of Nancy Pelosi," don't open it. It could contain nude photos of Nancy Pelosi. |
|
Quoted: I received a notice for a Firefox/Adobe upgrade today (like I have received 50 times before) and I permitted the upgrade. A worm/virus called "Security Tool" took over my computer and would not let go. I just received word from my computer Department that they were able to remove it. Watch for Firefox upgrade notices.
The 3.6.9 upgrade was released yesterday. There's a 99.99999999999% chance that your virus problem had nothing to do with that. |
|
Quoted: Large enterprise company I work for today got hit. Was amusing to watch people open this and watch it propagate. Good times!
It's been a long time since we've had a really good one. Ooh, this IS fun |
|
|
Quoted:
Quoted: I received a notice for a Firefox/Adobe upgrade today (like I have received 50 times before) and I permitted the upgrade. A worm/virus called "Security Tool" took over my computer and would not let go. I just received word from my computer Department that they were able to remove it. Watch for Firefox upgrade notices.
The 3.6.9 upgrade was released yesterday. There's a 99.99999999999% chance that your virus problem had nothing to do with that.
Well..... When I permitted the Firefox/Adobe download the virus was instantaneous. |
|
Quoted:
Quoted:
Quoted: I received a notice for a Firefox/Adobe upgrade today (like I have received 50 times before) and I permitted the upgrade. A worm/virus called "Security Tool" took over my computer and would not let go. I just received word from my computer Department that they were able to remove it. Watch for Firefox upgrade notices.
The 3.6.9 upgrade was released yesterday. There's a 99.99999999999% chance that your virus problem had nothing to do with that.
Well..... When I permitted the Firefox/Adobe download the virus was instantaneous.
A trojan could very well masquerade as a Firefox/Adobe update. I wouldn't update *anything* for a bit other than virus definitions. |
|
Quoted:
Quoted:
Quoted: I received a notice for a Firefox/Adobe upgrade today (like I have received 50 times before) and I permitted the upgrade. A worm/virus called "Security Tool" took over my computer and would not let go. I just received word from my computer Department that they were able to remove it. Watch for Firefox upgrade notices.
The 3.6.9 upgrade was released yesterday. There's a 99.99999999999% chance that your virus problem had nothing to do with that.
Well..... When I permitted the Firefox/Adobe download the virus was instantaneous.
The worm under discussion in this thread is propagated by a jscript problem in Adobe Acrobat. There are no AV signatures (that I'm aware of) pushed out yet. The cure is to use a domain-wide GPO to turn off jscript in Acrobat. This is the wiki page for the issue YOU have -> http://en.wikipedia.org/wiki/Security_Tool |
|
Additional information from our Microsoft TAM:
FYI… it also appears to be able to spread via network by scanning for available drive letters from C: to H:
Microsoft Protection Center
Spreads via... Network shares
Worm:Win32/Visal.A attempts to spread to other computers in the network. If it finds an accessible computer in the network, it attempts to copy the following files to drives C: to H:, if found, of that computer:
It also creates a copy of itself as "N73.Image12.03.2009.JPG.scr" in shared folders with the following names:
Worm:Win32/Visal.A also spreads via spammed email messages. The email may have the following details:
Body: Hello: This is The Document I told you about,you can find it Here.<link to worm copy> Please check it and reply as soon as possible. Cheers,
E-95 |
|
We are good here. No infections or attempts. After reading this thread, we made things a wee bit tighter.
|
|
Quoted: What virus? Mac owner
You silly Mac owners! Dumb enough to buy one, dumb enough to believe they can't be infected |
|
Newer email subject line:
"Just for you" to go with "Here you have" –––– Also useful to check ALL user accessible shares for the files "N73.Image12.03.2009.JPG.scr" If you get hit with this one you'll know it pretty quick. |
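The Microsoft TAM post above says the worm copies itself to drives C: through H: on reachable hosts and drops "N73.Image12.03.2009.JPG.scr" into shared folders, and the post just above this one says to sweep every user-accessible share for that name. As an added example, not tooling from the thread, Microsoft or McAfee, here is a sweep that walks a list of roots (local drive letters C: to H:, or UNC share paths) and reports the known filename plus, as my own heuristic that goes beyond the advisory, any file with an image or document extension followed by .scr, hashing each hit so it can be compared with whatever hashes the AV vendors publish. The demo tree it builds is constructed and contains stand-in bytes, not the worm.

```python
"""Hunt for the Visal.A / "Here you have" dropper on local drives and shares.

Added example, not tooling from the thread, Microsoft or McAfee. Assumptions:
  - the dropped filename is the one quoted from the Microsoft write-up,
    N73.Image12.03.2009.JPG.scr;
  - any <image-or-document>.scr double extension is worth listing, since the
    lure relies on hiding a screensaver executable behind a familiar extension
    (this heuristic is mine, not from the advisory);
  - the demo tree below is constructed; its files are not the worm.
"""
import hashlib
import os
import re
import string
import tempfile

WORM_FILENAME = "N73.Image12.03.2009.JPG.scr"
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|gif|png|bmp|tiff?|pdf|docx?|xlsx?)\.scr$", re.I)


def worm_drive_roots():
    """Drive letters the worm tries (C: to H:); only ones that exist are returned."""
    return [f"{letter}:\\" for letter in string.ascii_uppercase[2:8]
            if os.path.isdir(f"{letter}:\\")]


def sha256_of(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def hunt(roots):
    """Walk each root and return [(path, reason, sha256)] for suspicious .scr files.

    Unreadable files (locked by the running worm, ACL denies) are still reported
    with digest None so the path is not silently lost.
    """
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            for name in files:
                if name.lower() == WORM_FILENAME.lower():
                    reason = "known worm filename"
                elif DOUBLE_EXT_RE.search(name):
                    reason = "double-extension .scr"
                else:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    digest = sha256_of(path)
                except OSError:
                    digest = None
                hits.append((path, reason, digest))
    return hits


def build_demo_tree():
    """Constructed share layout for running the hunt offline; returns its root."""
    root = tempfile.mkdtemp(prefix="share_demo_")
    os.makedirs(os.path.join(root, "public", "scans"))
    os.makedirs(os.path.join(root, "finance"))
    samples = {
        ("public", WORM_FILENAME): b"MZ stand-in, not the worm",
        ("public", "scans", "invoice.pdf.scr"): b"MZ stand-in, double extension",
        ("finance", "q3.xlsx"): b"PK harmless workbook",
        ("finance", "screensaver.scr"): b"MZ plain .scr, not flagged by this hunt",
    }
    for parts, content in samples.items():
        with open(os.path.join(root, *parts), "wb") as fh:
            fh.write(content)
    return root


def demo_hunt():
    """Build the demo tree and hunt it; real use is hunt(worm_drive_roots() + share_paths)."""
    return hunt([build_demo_tree()])


if __name__ == "__main__":
    for path, reason, digest in demo_hunt():
        print(f"{reason:24} {digest}  {path}")
```

A plain screensaver.scr is deliberately not flagged, so the sweep stays usable on a fleet that ships legitimate .scr files; the double-extension rule is what separates the lure from those. Run it from an account that can read the shares but not write to them, and do not open or double-click a hit; the path and hash are enough to hand to whoever is cleaning the share.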
|
It hit my company as well. I didn't click on any links, but I received about 20 emails.
|
|
Quoted:
Quoted:
Quoted:
Quoted: What virus? Mac owner
This one is infecting Macs as well.
(sorry. had to)
LOL!!!!!! So.... let me get this straight..... you open an e-mail, and then you're infected!? And people keep buying the product? No, really.... what's the punch line?
|
|
Quoted:
Quoted:
Quoted:
Quoted:
Quoted: What virus? Mac owner
This one is infecting Macs as well.
(sorry. had to)
LOL!!!!!! So.... let me get this straight..... you open an e-mail, and then you're infected!? And people keep buying the product? No, really.... what's the punch line?
Strange, all my Macs and my iPad seem to be working fine. By the way, Macs don't use .dll or .inf files, the files being used by the exploit, so at worst Adobe Reader will crash (if you're a fucking moron and open attachments you weren't expecting). Plus I don't know anyone who uses Adobe Reader on the Mac, seeing as how the built-in app Preview is 1000000% better. |
|
Quoted: Well..... When I permitted the Firefox/Adobe download the virus was instantaneous.
There's no such thing as "Firefox/Adobe"; they are two different companies. You have no idea what you're talking about. |
|
Quoted:
Quoted:
Quoted:
Quoted:
Quoted: What virus? Mac owner
This one is infecting Macs as well.
(sorry. had to)
LOL!!!!!! So.... let me get this straight..... you open an e-mail, and then you're infected!? And people keep buying the product? No, really.... what's the punch line?
No, you open an email, then open an attachment with Adobe Reader, and you are infected. No, the product is free. The typically clueless Apple koolaid drinkers pipe up about how they are not affected, when the exact same exploit works the exact same way, on the same products on Macs. |
|
Quoted: Strange, all my Macs and my iPad seem to be working fine. By the way, Macs don't use .dll or .inf files, the files being used by the exploit, so at worst Adobe Reader will crash (if you're a fucking moron and open attachments you weren't expecting). Plus I don't know anyone who uses Adobe Reader on the Mac, seeing as how the built-in app Preview is 1000000% better.
The exploit works the same way in Acrobat on all platforms: it allows remote code execution, and has nothing to do with .dll or .inf files. If anyone bothered, they could make a version that had similar results on other platforms. There are plenty of PDF readers available for PCs as well that are not affected. This really has nothing to do with PC vs. Mac; it is an exploit in Adobe's software, which I think everyone can agree is generally crap. |
|
Nothing in my Yahoo mail account.
And I mean nothing. Looks like we're all good here. |
|
Hit my work hard too, IT was scurrying... their advice was to call anybody who sends you an email with an attachment or a URL to make sure they actually sent it... REALLY? I get around 100 emails a day with URLs or attachments.
|
|
It might infect Acrobat on a Mac, but the question remains as to whether it's successful beyond that.
Word macro viruses spread on macs but the payloads never worked. They were mostly harmless until you started sending files out to others. |
|
Quoted:
Quoted: Well..... When I permitted the Firefox/Adobe download the virus was instantaneous.
There's no such thing as "Firefox/Adobe"; they are two different companies. You have no idea what you're talking about.
Well OK <removed - T7> ...it was a Firefox update notice that also said that I had to install the latest version of Adobe and to "click here" to do this. Is that better? http://www.techjaws.com/security-tool-installs-as-a-firefox-and-flash-update/ |
|
Quoted:
Quoted: What virus? Mac owner
This one is infecting Macs as well.
How so? |
|
Quoted: "Clueless"
Quoted:
Quoted:
Quoted:
Quoted:
Quoted: What virus? Mac owner
This one is infecting Macs as well.
(sorry. had to)
LOL!!!!!! So.... let me get this straight..... you open an e-mail, and then you're infected!? And people keep buying the product? No, really.... what's the punch line?
No, you open an email, then open an attachment with Adobe Reader, and you are infected. No, the product is free. The typically clueless Apple koolaid drinkers pipe up about how they are not affected, when the exact same exploit works the exact same way, on the same products on Macs.
I'm not the one who's afraid to open my mail. And I have yet to see a thread (let alone a single post) where a Mac owner was "affected". Party on, clue-full.
|
|
Quoted:
Quoted:
Quoted: Well..... When I permitted the Firefox/Adobe download the virus was instantaneous.
There's no such thing as "Firefox/Adobe"; they are two different companies. You have no idea what you're talking about.
Well OK <removed - T7> ...it was a Firefox update notice that also said that I had to install the latest version of Adobe and to "click here" to do this. Is that better? http://www.techjaws.com/security-tool-installs-as-a-firefox-and-flash-update/
Except that the OP is posting about an Adobe exploit and you got hit with a garden-variety Vundo/Smitfraud ransomware. Totally different, in that the first exploits a security hole to automatically drop a trojan and the latter relies on the stupidity of the user to click "Yes, please infect my system!" You still have absolutely no clue what you're talking about. You clicked on a pop-up and allowed your system to be infected and I'm the <removed - T7>? |
|
AR15.COM is the world's largest firearm community and is a gathering place for firearm enthusiasts of all types.
Copyright © 1996-2024 AR15.COM LLC. All Rights Reserved.