'Here You Have' Virus E-Mail Spreads Online

"Here you have" virus e-mail disrupts corporate e-mail.

ByABC News
September 9, 2010, 4:10 PM

Sept. 9, 2010— -- Here you have... a royal pain in the neck.

A global e-mail virus spammed inboxes Thursday afternoon, slowing -- and in some cases halting -- work at offices around the world as employees watched their inboxes inexplicably fill with e-mails under the subject line "Here you have." Some workers were forced to go without e-mail altogether, as the flood of spam put their services out of commission.

Organizations including NASA, Comcast, AIG, Disney, Proctor & Gamble, Florida Department of Transportation and Wells Fargo are just a few of the organizations apparently affected by the worm, which appears to have sent out hundreds of thousands, if not millions of e-mails.

On Friday, the Atlanta-based security firm SecureWorks said it found a possible link between the worm attack and a cyber-jihad organization called "Brigades of Tariq ibn Ziyad".

It said the worm was first seen in August, although the attack was much smaller in scale.

The company said both the August worm and the one that hit corporate e-mail services Thursday referenced a known Libyan hacker who has tried to unite other like-minded hackers in a cyber-jihad.

SecureWorks said that according to a 2008 posting from the hacker, his goal is "to penetrate U.S. agencies belonging to the U.S. Army."

When contacted by ABCNews.com, Dmitri Alperovitch, vice president of threat research at McAfee, told ABCNews.com that the company was investigating the attack. Although McAfee did not disclose how widespread the attack was, around 4 p.m. Thursday afternoon, the subject of the spam e-mail, "Here you have," was the second hottest search on Google trends.

"We do know that it's essentially an e-mail based worm that's propagating that has a link that alleges to be a pdf document that it wants the user to click on," Alperovitch said. "In reality, it's a piece of malware that's obfuscating as a pdf and it has the capabilities to spread virally once it's installed on your machine."

Later, the company published a report about the virus on its website, saying that the risk for both home and corporate e-mail is "low." McAfee's report also identified the spam as a Trojan and said the origin is unknown.

On its blog, McAfee said that because multiple variants of the worm are spreading, it "may take some time to work through them all to paint a clearer picture."

One version of the spam e-mail simply says, "Hello: This is The Document I told you about, you can find it here" and includes a link that appears to be a pdf document.

Another version of the worm includes the subject "Just For you" and says "This is The Free Dowload Sex Movies,you can find it Here."

If a user clicks the link and downloads the virus, it spreads to contacts in that individual's e-mail account and continues to propagate. McAfee also said that it attempts to stop and delete security services. McAfee says it has coverage for at least the main strain of the virus.

If you receive the messages, McAfee says to delete the message without clicking the link and alert your IT office.

Security firm Symantec said the worm appears to be a new malware attack but is similar to the "Anna Kournikova" virus from 2001, which also carried the subject "Here you have." (The virus tricked users into opening an e-mail message supposedly containing a picture of tennis player Anna Kournikova.)

Symantec speculates that the threat -- initially named Trojan.Horse but renamed to W32.Imsolk.A@mm -- originated from a botnet and appears to be hitting "many, many companies indiscriminantly."

"Once the threat copies itself to another machine, if a user even opens the folder that contains the threat on this new machine, this will launch the threat and cause it to spread further through both email and over shared drives," the company wrote in a bulletin.