Hacker Posts Video Claiming 'Here You Have' Worm
"Iraq resistance" posts video in which he takes credit for rampant e-mail virus.
Sept. 13, 2010 -- A hacker nicknamed "Iraq resistance" appears to have posted a YouTube video Sunday in which he takes credit for the widespread e-mail virus that swept through corporate e-mail systems last week.
The video, which displays only a map of Spain's Andalusia region and the name of the virus, "Here You Have," identifies "Iraq resistance" as the leader of the Tarek Bia Ziad Group.
"Listen to me about the reasons behind the 9 September virus that affected NASA, Coca-Cola, Google and most American [companies]," the hacker says in a computerized voice. "What I wanted to say is that U.S. doesn't have the right to invade our people and steal oil under the name of nuclear weapons."
The hacker goes on to chastise Americans for being unfair in calling him (or her) a terrorist but not applying the same label to Terry Jones, the Florida pastor who called for people around the world to burn copies of the Koran on Sept. 11.
In the video, "Iraq resistance" also says that the virus wasn't as harmful as it could have been.
Security Firm Suspects Libyan Hacker Started 'Here You Have' Virus
"I don't like smashing and ... there were no computers smashed, as you know from the analysis report, I could smash all those infected, but I wouldn't. And don't use the word 'terrorist' please. I hope all people understand that I am not negative person," he says.
Even though the YouTube account used to post the video, "iqziad," is listed as originating from Spain, Atlanta-based security firm SecureWorks said it suspected that "Iraq resistance" is a Libyan hacker who has tried, since 2008, to unite other like-minded hackers in a cyberjihad.
SecureWorks said the worm first appeared in August, although that attack was much smaller in scale.
The company said both the August worm and the worm that hit corporate e-mail services last week referred to "Iraq resistance." SecureWorks said that according to a 2008 posting from the hacker, the hacker's goal is "to penetrate U.S. agencies belonging to the U.S. Army."
Joe Stewart, director of malware research at SecureWorks, said the hacker is part of a group called Brigades of Tariq ibn Ziyad. According to messages posted on an Internet forum (the messages have been removed but are still cached in Google), the group said it had succeeded in hacking into military computers in the U.S., Germany and Iraq in 2009.
While the size of the group is unknown, Stewart said that posts reveal at least one other member in Egypt.
"So they were having apparently a campaign for a while to do more targeted attacks against U.S. military computers," he said. "It looks like from the text of the postings that we found that they actually were successful in not only hacking into some computers -- it looks like it was personal computers, probably of individual soldiers, not military networks. It looks like they actually did do some damage there. They said that they had managed to destroy a number of computers and obviously they can't destroy the hardware so we're assuming that they managed to trash the hard drive."
While this recent worm was not especially malicious, he said, it had been a while since a worm had been so widespread.
Name of Virus, 'Here You Have' Was Hot Google Trend
The massive "Here You Have" e-mail virus spammed inboxes Thursday afternoon, slowing -- and in some cases halting -- work at offices around the world as employees watched their inboxes inexplicably fill with e-mails. Some workers were forced to go without e-mail altogether, as the flood of spam put their services out of commission.
Organizations and companies affected by the worm, which appears to have triggered hundreds of thousands if not millions of e-mails, included NASA, Comcast, AIG, Disney, Procter & Gamble, the Florida Department of Transportation and Wells Fargo.
The spam flood was so widespread that around 4 p.m. Thursday the subject of the spam e-mail "Here you have" was the second-hottest search on Google trends.
Dmitri Alperovitch, vice president of threat research at McAfee, told ABCNews.com Thursday that the company was investigating the attack.
"We do know that it's essentially an e-mail based worm that's propagating that has a link that alleges to be a pdf document that it wants the user to click on," Alperovitch said. "In reality, it's a piece of malware that's obfuscating as a pdf and it has the capabilities to spread virally once it's installed on your machine."
E-Mail Subject: 'Here You Have' 'Just For You'
Later, the company published a report about the virus on its website, calling the risk for both home and corporate e-mail "low." McAfee's report also identified the spam as a Trojan and said its origin was unknown. On its blog, McAfee said that because multiple variants of the worm were spreading, it "may take some time to work through them all to paint a clearer picture."
One version of the spam e-mail says, "Hello: This is The Document I told you about, you can find it here" and includes a link to what appears to be a pdf document.
Another version of the worm includes the subject "Just For you" and says "This is The Free Dowload Sex Movies, you can find it Here."
If a user clicked the link and downloaded the virus, it spread to contacts in that individual's e-mail account and continued to propagate. McAfee also said that it tried to stop and delete security services. McAfee said it had coverage for at least the main strain of the virus.
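The lure described above (a known subject line, a quoted body phrase, and a link that is presented as a PDF but resolves to something else) can be turned into a simple triage rule for a mail gateway or a mailbox export. The script below is an added example written for this page, not code from McAfee, Symantec or the article; the messages and URLs it runs over are constructed for illustration (the `example.invalid` host is a placeholder), and treating a link whose filename contains "pdf" but ends in a Windows executable extension as a masquerade is a heuristic assumed here, not a detail the article gives.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Subject lines the article reports for the worm's lure messages.
LURE_SUBJECTS = {"here you have", "just for you"}

# Body phrases the article quotes from the two lure variants
# (the misspelling "Dowload" is kept because it is what the lure says).
LURE_PHRASES = (
    "this is the document i told you about",
    "free dowload sex movies",
)

# Assumption: these extensions run as programs on Windows. A link whose
# path contains "pdf" but ends in one of them is the "alleges to be a pdf"
# mismatch the article describes.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages, not captured mail. Two reproduce the
# quoted lures, one is ordinary business mail, one shares only the
# subject line with the lure (a benign collision to show partial scoring).
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"subject": "Here you have",
     "body": "Hello: This is The Document I told you about, you can find it here "
             "http://example.invalid/docs/report_pdf.scr"},
    {"subject": "Just For you",
     "body": "This is The Free Dowload Sex Movies, you can find it Here "
             "http://example.invalid/video_pdf.scr"},
    {"subject": "Q3 budget",
     "body": "Latest draft is here: http://example.invalid/q3/budget.pdf"},
    {"subject": "Here you have",
     "body": "Sorry, forgot the attachment, real report is at "
             "http://example.invalid/report.pdf"},
]


def url_is_executable(url: str) -> bool:
    """True if the URL path ends in an extension Windows will execute."""
    path = urlparse(url).path.lower()
    return path.endswith(EXECUTABLE_EXTENSIONS)


def url_masquerades_as_pdf(url: str) -> bool:
    """True if the filename advertises a PDF but the extension is executable."""
    path = urlparse(url).path.lower()
    return "pdf" in path and url_is_executable(url)


def score_message(msg: Dict[str, str]) -> List[str]:
    """Return the reasons a message matches the lure; an empty list means clean."""
    reasons: List[str] = []
    if msg["subject"].strip().lower() in LURE_SUBJECTS:
        reasons.append(f"subject matches known lure: {msg['subject']!r}")
    body_lower = msg["body"].lower()
    for phrase in LURE_PHRASES:
        if phrase in body_lower:
            reasons.append(f"body contains lure phrase: {phrase!r}")
    for url in URL_RE.findall(msg["body"]):
        url = url.rstrip(".,;)")  # drop sentence punctuation glued to the link
        if url_masquerades_as_pdf(url):
            reasons.append(f"executable link presented as PDF: {url}")
        elif url_is_executable(url):
            reasons.append(f"executable link: {url}")
    return reasons


def triage(messages: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every message that triggered at least one rule."""
    flagged = []
    for index, msg in enumerate(messages):
        reasons = score_message(msg)
        if reasons:
            flagged.append((index, reasons))
    return flagged


if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_MESSAGES):
        print(f"message {index}: {SAMPLE_MESSAGES[index]['subject']!r}")
        for reason in reasons:
            print(f"  - {reason}")
```

Only the two constructed lures trip all three rules; the benign message that merely reuses the subject "Here you have" gets a single low-confidence reason, which is why the output lists reasons rather than a yes/no verdict: a subject match alone is worth a look, while subject plus quoted phrase plus an executable dressed up as a PDF is the pattern the article describes and is what an operator would block and report to IT.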
Department of Homeland Security Officials Investigate Virus
If you receive the messages, McAfee said to delete them without clicking on the link and to alert your company's IT office.
Security firm Symantec said the worm appeared to be a new malware attack but was similar to the "Anna Kournikova" virus from 2001, which also carried the subject line "Here you have" (the virus tricked users into opening an e-mail message supposedly containing a picture of tennis player Anna Kournikova).
Symantec speculated that the threat -- initially named Trojan.Horse but renamed W32.Imsolk.A@mm -- originated from a botnet and seemed to be hitting "many, many companies indiscriminately."
"Once the threat copies itself to another machine, if a user even opens the folder that contains the threat on this new machine, this will launch the threat and cause it to spread further through both e-mail and over shared drives," the company wrote in a bulletin.
Department of Homeland Security officials have looked into the origin of the virus, along with the U.S. Computer Emergency Readiness Team and the Department of Homeland Security National Cyber Security Division.
A Homeland Security official said that several federal departments and agencies were experiencing the virus, although the official would only confirm NASA.
"US-CERT has received multiple reports from a number of federal agencies and private sector entities experiencing an e-mail worm," said Homeland Security press secretary Amy Kudwa in a statement.
A spokesman for the Florida Department of Transportation said Thursday that e-mail had been taken down at the agency because of the spam attack. He said six other agencies in Florida had also been hit by the virus. While the Trojan hindered communications, it hadn't had a major impact on operations, he said.
Last Tuesday Adobe Systems advised computer security experts that there were vulnerabilities in the Adobe Reader software, noting that hackers were looking to actively exploit a recently detected vulnerability. This could explain why the e-mail was being sent in a .pdf format.
ABC News' Jason Ryan, Marisa Bramwell, Lee Ferran and Sidney Wright contributed to this report.