Infrastructure snapshots

The place where you will find posts on Microsoft infrastructure articles, info, the latest news and, of course, articles that I create!

IMPORTANT EMAIL VIRUS Alert: Win32/Visal.B with a subject name of “Here you have”

Take care… There is currently a new mass mailing worm that sends out thousands of messages from infected machines.

The message contains a link to a file on the internet. The link text appears to point to a .pdf, but the hyperlink target is actually a “_pdf.scr” file (a screensaver executable).

If you run the .scr file, your machine will start sending out thousands of messages. This mail flow can cause some email servers to become unresponsive.

Currently, in Exchange 2007 and 2010 you can mitigate the spread of this virus by adding a transport rule that drops the message. On Exchange 2003 your option is to block these messages with subject line rules, blocking subjects that contain "Here you have". Make sure that these messages are dropped and not quarantined. Also turn off notifications for this rule so that you don’t flood your server with notifications.

For already received mail, use ExMerge to remove the messages from mailboxes and delete mail sitting in the queue.

More information on this threat, and on how to use PowerShell to deal with it, can be found here: http://social.technet.microsoft.com/wiki/contents/articles/worm-win32-vb-wf.aspx
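As an added example (not part of the original post or the TechNet article), this is how the subject-based drop rule described above can be created from the Exchange 2010 Management Shell, together with the .scr attachment block suggested in the comments. Rule names, comments and the `\.scr$` pattern are my own; the subject strings are the ones reported on this page, and the attachment predicate is assumed to be available on your Exchange 2010 build.

```powershell
# Added example for the Exchange 2010 Management Shell. Rule names and comments are my own.
# Subjects listed on this page; note that a bare word like "hi" will also match legitimate
# mail, so keep the rule in place only until AV definitions are current.
$lureSubjects = @('Here you have', 'Just for you', 'hi')

# Rule 1: silently drop anything whose subject contains one of the lure subjects.
# -DeleteMessage deletes without NDR or notification, so it does not add to the mail flood
# and the message is dropped rather than quarantined, as the post recommends.
New-TransportRule -Name 'Drop Win32/Visal.B lure by subject' `
    -SubjectContainsWords $lureSubjects `
    -DeleteMessage $true `
    -Priority 0 `
    -Comments 'Temporary: drops "Here you have" worm mail. Remove once AV defs are deployed.'

# Rule 2: drop messages carrying a .scr attachment (the worm's payload type).
# Assumes the AttachmentNameMatchesPatterns predicate is available on your Exchange 2010 build.
New-TransportRule -Name 'Drop SCR attachments' `
    -AttachmentNameMatchesPatterns '\.scr$' `
    -DeleteMessage $true `
    -Priority 1 `
    -Comments 'Temporary: blocks screensaver executables used by Win32/Visal.B.'

# Check: both rules should be listed as Enabled at the top of the rule order.
Get-TransportRule | Sort-Object Priority | Format-Table Name, Priority, State -AutoSize

# Check: confirm the drops are actually happening once mail starts arriving.
# Dropped messages appear in the tracking log with an AGENTINFO/FAIL event from the
# Transport Rule agent; filter on the lure subject for the last hour.
Get-MessageTrackingLog -Start (Get-Date).AddHours(-1) -MessageSubject 'Here you have' |
    Select-Object Timestamp, EventId, Sender, Recipients |
    Format-Table -AutoSize
```

Leave the rules disabled or remove them (`Remove-TransportRule`) after the outbreak, since the subject match on "hi" is too broad to keep permanently.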

Comments
  • According to www.microsoft.com/.../Entry.aspx, the mail might also have other subjects such as "Just for you" and "hi". Should we block all three? Are there any others besides these three?

  • I'd advise doing the following:

    - Block all three subjects on your transport servers

    - Block SCR files as attachment

    - Update your file level AV

    - Update your Exchange AV

    - Run a manual scan with your Exchange AV to harvest mailboxes that already received the virus before the def update

    There might be more variants with more subjects later on, so the key is blocking SCR files, user awareness, and making sure that the latest AV defs are deployed.
