Roger Pearson | jlsegul

New Malware Uses Old-Fashioned Method: You

Sep 16th 2010 at 7:34 AM

Everything old is new again. Security firms are warning of an old-style email worm that is spreading rapidly in the wild. It arrives in messages with the subject line 'Here you have', carrying an attachment that is a .scr file disguised as a PDF.

The email asks the recipient to check the contents; opening the attachment activates the malware. "The .scr when executed downloads a number of additional tools, one of which appears to attempt to check in with a potential controller," said Marcus Sachs, director of the SANS Institute. "The malware attempts to deactivate most anti-virus packages, and uses the infected user's Outlook to send out its spam."

The attack has spread quickly, with a reported 60,000 infections including outbreaks at ABC/Disney, Google, Coca-Cola and NASA.

Security firm McAfee posted in a blog that the malware installs an application named CSRSS.EXE on the infected machine, and then uses email, accessible remote machines, mapped drives and removable media to send itself on. It also installs UPX-packed password recovery tools (ChromePass, OperaPassview), a UPX-packed Sysinternals tool (PSExec) and a malicious HOSTS file.
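A mail-gateway check for the disguised .scr attachment described above, as an added example that is not from the original post or from any vendor named in it. The post does not say how the disguise was done, so the two heuristics here (a document-style name ending in an executable extension, and a document extension on content that starts with a PE "MZ" header) are assumptions, as are the function names, extension lists and the constructed sample message.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly; a .scr screensaver is an ordinary executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
# Extensions a recipient expects to be harmless documents (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".xls", ".txt", ".jpg"}


def suspicious_attachments(raw_message):
    """Return (filename, reason) pairs for attachments that look disguised."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        payload = part.get_payload(decode=True) or b""
        pieces = name.split(".")
        final_ext = "." + pieces[-1] if len(pieces) > 1 else ""
        inner_ext = "." + pieces[-2] if len(pieces) > 2 else ""
        if final_ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
            findings.append((name, "document name with executable extension"))
        elif final_ext in EXECUTABLE_EXTS:
            findings.append((name, "executable attachment"))
        elif final_ext in DOCUMENT_EXTS and payload[:2] == b"MZ":
            findings.append((name, "document extension but PE (MZ) header"))
    return findings


def build_sample(filename, content):
    """Build a constructed test message (not a captured sample of the worm)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Here you have"
    msg.set_content("Please check the attached document.")
    msg.add_attachment(content, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed inputs: four placeholder bytes beginning with "MZ", and a PDF header.
    for fname, data in [("Document.pdf.scr", b"MZ\x90\x00"),
                        ("invoice.pdf", b"MZ\x90\x00"),
                        ("report.pdf", b"%PDF-1.4\n")]:
        print(fname, suspicious_attachments(build_sample(fname, data)))
```

The subject line is deliberately not used as a signal, since it is trivial for a sender to change while the attachment type is not.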
