Threat Research & Response Blog
We have updated information regarding Worm:Win32/Visal.B, known as the "Here you have" worm, which we also blogged about yesterday. The SHA1 hash of the sample we analyzed, which identifies that specific file, is 0x0BA8387FAAF158379712F453A16596D2D1C9CFDC.
First, a reminder of the two methods the worm uses to spread: it mass-mails a link that points to a copy of the malware, and it copies itself to local drives and network shares. The mass mailer harvests addresses not only from the local Outlook address book but also from Yahoo! Messenger contacts, which it collects by parsing files in the user's %root%\Program Files\Yahoo!\Messenger\Profiles directory. Although the worm is best known for the "Here you have" subject line, it also uses two others ("Just for you" and "Hi"). Details of the message contents are in our encyclopedia entry for Worm:Win32/Visal.B.
Once the worm was discovered, the URL it mailed out was taken down and is no longer reachable. Already-infected machines can therefore still send the spam, but the links in it are dead, which closes the email vector: mailboxes may continue to fill up while unprotected machines keep running the malware, but a recipient who clicks one of those links no longer finds any malware at the target URL. Taking down the URL does nothing for the second vector, however; copies the worm has already written to local drives and network shares can still infect anyone who runs them.
Our telemetry since the release of our signatures shows that the malware initially appeared in business environments in the US (as of 6:59 PM GMT on 9/10/2010, 98% of our reports have come from the US). Normally, well over 90% of our active-malware telemetry comes from our consumer base (predominantly Microsoft Security Essentials), with a smaller share coming from business environments (predominantly Forefront Client Security). This balance partly reflects consumer uptake of Microsoft Security Essentials, but it is also because administrators in business environments, such as those running Forefront Client Security, often choose to disable threat reporting back to their antivirus vendor.
In the case of Visal.B, however, our telemetry tells a very different story. For the first twelve hours of attack activity we monitored, 91% of the infections and infection attempts were reported from our corporate clients, the opposite of the pattern we normally see. Over the past few hours that trend has started to change, as the chart below shows. This threat nonetheless clearly started out in the corporate environment, possibly because of the initial email seed list used to send out the original malicious links.
Several other threats have been found on the same systems on the same day and appear to be related. The most highly correlated is an Autorun component, which is no surprise given that this worm is known to use USB drives and Autorun to propagate. The next two most highly correlated threats are password recovery tools, which might be used to steal passwords from the infected system.
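Because the worm spreads by copying itself to removable drives and network shares and relies on Autorun, the first thing to check on a suspect drive or share root is its autorun.inf. The following is an added example for this post, not Microsoft's code or a tool the post describes: it parses an autorun.inf, picks out the entries that actually launch a file (open=, shellexecute=, and the shell\<verb>\command form) and reports whether the launched file is present on the drive. The sample autorun.inf is constructed, and the set of file extensions treated as executable is an assumption rather than anything the post specifies.

```python
"""Inspect an autorun.inf for entries that would launch a file when the drive is opened.

Added example, not Microsoft code. SAMPLE_AUTORUN_INF is constructed; EXEC_EXTENSIONS
is an assumption about which file types count as directly executable.
"""
import configparser
from pathlib import Path, PureWindowsPath
from typing import Dict, List, Tuple

# Assumption: file types we treat as directly executable if autorun points at them.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}

# [autorun] keys that cause code to run when the drive is opened or double-clicked.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample: the shape of an autorun.inf dropped by a worm that copies
# itself to drive roots, padded with benign-looking icon/action entries.
SAMPLE_AUTORUN_INF = """; constructed sample for this example, not from a real infection
[AutoRun]
open=setup\\launcher.exe
shellexecute=setup\\launcher.exe
shell\\open\\command=setup\\launcher.exe /q
shell\\open=Open
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""


def launch_targets(inf_text: str) -> List[Tuple[str, str]]:
    """Return (key, program) pairs for every entry that launches a file.

    Tolerates [autorun]/[AutoRun] case differences, duplicate keys and junk lines
    without '=', all of which are common in hostile autorun.inf files.
    """
    parser = configparser.ConfigParser(
        strict=False,          # duplicate keys: last one wins instead of raising
        interpolation=None,    # keep %SystemRoot% and similar literal
        allow_no_value=True,   # lines without '=' are kept, not fatal
        delimiters=("=",),
    )
    try:
        parser.read_string(inf_text)
    except configparser.Error:
        return []              # unparseable: hand the file to a human
    hits = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            if not value:
                continue
            key_l = key.lower()
            launches = key_l in LAUNCH_KEYS or (
                key_l.startswith("shell\\") and key_l.endswith("\\command")
            )
            if launches:
                # First token is the program; anything after it is arguments.
                program = value.strip().split()[0].strip('"')
                hits.append((key_l, program))
    return hits


def executable_targets(targets: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keep only launch entries whose program has an executable extension."""
    return [(k, t) for k, t in targets
            if PureWindowsPath(t).suffix.lower() in EXEC_EXTENSIONS]


def scan_drive_root(root: Path) -> Dict[str, object]:
    """Report on <root>/autorun.inf: launch entries, and which targets exist on the drive.

    A launch entry whose target file is actually present is the strong signal; a
    dangling entry is suspicious but may be a leftover from an earlier cleanup.
    """
    inf = root / "autorun.inf"
    if not inf.is_file():
        return {"autorun_inf": False, "launch": [], "present": []}
    text = inf.read_text(encoding="utf-8", errors="replace")
    launch = launch_targets(text)
    present = [(k, t) for k, t in launch
               if (root / PureWindowsPath(t).as_posix()).is_file()]
    return {"autorun_inf": True, "launch": launch, "present": present}


if __name__ == "__main__":
    for key, program in executable_targets(launch_targets(SAMPLE_AUTORUN_INF)):
        print(f"{key} -> {program}")
```

Run scan_drive_root on the mount point of each removable drive or share you are checking (for example `scan_drive_root(Path("/mnt/usb"))`, or a drive letter on Windows). A present target should be hashed and submitted to your antivirus vendor rather than opened, and an autorun.inf that this parser rejects outright deserves manual inspection, since deliberately malformed files are a known way of hiding from scanners.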
Those who have large numbers of these emails in their mailbox can remove them easily with a search on the subject line (the subjects are listed in our encyclopedia details). Mail rules can also be applied to make sure they no longer arrive in one's mailbox. Because "Hi" is also a common legitimate subject, a rule keyed on that subject alone should be reviewed before it is allowed to delete anything.
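The subject-line cleanup described above can be scripted for a standard mbox mailbox. The code below is an added example for this post, not Microsoft's code or a tool the post describes. The three subject lines come from the post; the additional requirement that a flagged message also carry an http(s) link is an assumption made here to avoid deleting an ordinary "Hi" (the post says the worm's mail carried a link but does not publish the URL, so no particular host is matched). Reply and forward prefixes are deliberately not stripped, so a colleague's "RE: Here you have" warning survives. The sample messages are constructed.

```python
"""Find, and optionally remove, the worm's messages in an mbox mailbox.

Added example, not Microsoft code. Subjects are from the post; the link requirement
is an assumption; SAMPLE_MESSAGES are constructed for illustration.
"""
import email
import mailbox
import re
from email.header import decode_header, make_header
from email.message import Message
from typing import List, Tuple

# Subject lines the post reports for this worm, compared case-insensitively.
WORM_SUBJECTS = {"here you have", "just for you", "hi"}
# Assumption: the worm's mail always contains a link; any http(s) URL qualifies.
LINK_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

SAMPLE_MESSAGES = [
    # 1: known subject (RFC 2047 encoded) plus a link -> worm
    "From: alice@example.invalid\r\nTo: bob@example.invalid\r\n"
    "Subject: =?utf-8?q?Here_you_have?=\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    "The file you asked for: http://example.invalid/document\r\n",
    # 2: known subject, link only in the HTML alternative -> worm
    "From: carol@example.invalid\r\nTo: bob@example.invalid\r\n"
    "Subject: Just for you\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\nsee below\r\n"
    "--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    '<a href="http://example.invalid/document">open</a>\r\n--b1--\r\n',
    # 3: "Hi" with no link -> ordinary mail, keep
    "From: dave@example.invalid\r\nTo: bob@example.invalid\r\nSubject: Hi\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n\r\nLunch tomorrow?\r\n",
    # 4: a human replying about the outbreak -> keep (prefix is not stripped)
    "From: erin@example.invalid\r\nTo: bob@example.invalid\r\n"
    "Subject: RE: Here you have\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    "Don't click http://example.invalid/document, it's the worm.\r\n",
    # 5: unrelated subject with a link -> keep
    "From: frank@example.invalid\r\nTo: bob@example.invalid\r\n"
    "Subject: Quarterly report\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n\r\n"
    "Draft at http://intranet.example.invalid/q3\r\n",
]


def decoded_subject(msg: Message) -> str:
    """Subject with RFC 2047 encoded words decoded, so encoding cannot dodge the match."""
    raw = msg.get("Subject", "")
    try:
        return str(make_header(decode_header(raw))).strip()
    except (UnicodeError, ValueError):
        return raw.strip()


def text_parts(msg: Message) -> str:
    """All decoded text/* bodies of a (possibly multipart) message, joined."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def is_worm_mail(msg: Message) -> bool:
    """Exact known subject (no RE:/FW: stripping) and at least one link in the body."""
    if decoded_subject(msg).casefold() not in WORM_SUBJECTS:
        return False
    return LINK_RE.search(text_parts(msg)) is not None


def triage_raw(raw_messages: List[str]) -> List[Tuple[str, bool]]:
    """(subject, flagged) for each raw RFC 822 message string."""
    out = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        out.append((decoded_subject(msg), is_worm_mail(msg)))
    return out


def triage_mbox(path: str, delete: bool = False) -> List[object]:
    """Keys of worm messages in an mbox file; they are removed only when delete=True."""
    box = mailbox.mbox(path)
    try:
        box.lock()
        hits = [key for key, msg in box.iteritems() if is_worm_mail(msg)]
        if delete:
            for key in hits:
                box.remove(key)
            box.flush()
    finally:
        box.unlock()
        box.close()
    return hits


if __name__ == "__main__":
    for subject, flagged in triage_raw(SAMPLE_MESSAGES):
        print(f"{'WORM ' if flagged else 'keep '} {subject}")
```

Run `triage_mbox("/path/to/mailbox")` first to review what would be removed, and only then repeat with `delete=True`. The same predicate, an exact subject match combined with a link in the body, is what belongs in a server-side rule if these messages are still arriving.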
It has been a long time since we have had a mass-mailing email worm. It is heartening to see that we have learned from past outbreaks and were able to dispatch this one quickly.
- Jimmy Kuo & Holly Stewart