Service desk warns of malicious e-mail, files

The ITD Service Desk reports that a malicious e-mail containing a link to a malicious file has been targeting government and businesses. The e-mail subject line may contain "Here You Have" and "Just For You."  The sender appears under a variety of identifiers.

The spam contains a link to a document. The link looks like it points to a PDF, but it in fact points to an “SCR” file (supposedly a screen saver) served from a different domain than the one the link appears to point to.  The original file seems to have been removed from the site, so further infections from the initial variant should not occur, but new variants could follow.  When executed, the SCR downloads a number of additional tools to enable the attacker to infect the computer.

The malware attempts to deactivate most anti-virus packages.  

Once it has infected a computer, the worm attempts to send the aforementioned message to the recipients in the e-mail address book.  It can also spread through accessible remote machines, mapped drives and removable media via Autorun replication.

McAfee's Avert Labs was among the first to identify and report the malware; the company has already released a new signature file to stop this infection.  If the virus changes, updates may be needed for future variants.

Please do not open e-mail from unknown senders, or e-mail from friends that appears highly unusual or unexpected.  Be sure to keep your home anti-virus and anti-spyware software up to date, along with your Microsoft, Adobe and other software patches.

Note: ITD Websense is currently blocking links to the known malware site and executable file. Infected e-mails sent to ITD e-mail addresses are being blocked, but employees should be cautious when accessing home e-mail.

Published 9-10-2010