'Here You Have' Virus E-Mail Spreads Online
"Here you have" virus e-mail disrupts corporate e-mail.
Sept. 9, 2010 -- Here you have... a royal pain in the neck.
A global e-mail virus spammed inboxes Thursday afternoon, slowing -- and in some cases halting -- work at offices around the world as employees watched their inboxes inexplicably fill with e-mails under the subject line "Here you have." Some workers were forced to go without e-mail altogether, as the flood of spam put their services out of commission.
NASA, Comcast, AIG, Disney, Procter & Gamble, the Florida Department of Transportation and Wells Fargo are just a few of the organizations apparently affected by the worm, which appears to have sent out hundreds of thousands, if not millions, of e-mails.
On Friday, the Atlanta-based security firm SecureWorks said it found a possible link between the worm attack and a cyber-jihad organization called "Brigades of Tariq ibn Ziyad".
It said the worm was first seen in August, although that earlier attack was much smaller in scale.
The company said both the August worm and the one that hit corporate e-mail services Thursday referenced a known Libyan hacker who has tried to unite other like-minded hackers in a cyber-jihad.
SecureWorks said that according to a 2008 posting from the hacker, his goal is "to penetrate U.S. agencies belonging to the U.S. Army."
When contacted by ABCNews.com, Dmitri Alperovitch, vice president of threat research at McAfee, said the company was investigating the attack. Although McAfee did not disclose how widespread the attack was, around 4 p.m. Thursday the subject of the spam e-mail, "Here you have," was the second hottest search on Google Trends.
"We do know that it's essentially an e-mail based worm that's propagating that has a link that alleges to be a pdf document that it wants the user to click on," Alperovitch said. "In reality, it's a piece of malware that's obfuscating as a pdf and it has the capabilities to spread virally once it's installed on your machine."
Later, the company published a report about the virus on its website, saying that the risk for both home and corporate e-mail is "low." McAfee's report also identified the spam as a Trojan and said the origin is unknown.
On its blog, McAfee said that because multiple variants of the worm are spreading, it "may take some time to work through them all to paint a clearer picture."
E-Mail Subject: 'Here You Have.' 'Just For You'
One version of the spam e-mail simply says, "Hello: This is The Document I told you about, you can find it here" and includes a link that appears to be a pdf document.
Another version of the worm includes the subject "Just For you" and says "This is The Free Dowload Sex Movies,you can find it Here."
If a user clicks the link and downloads the virus, it spreads to contacts in that individual's e-mail account and continues to propagate. McAfee also said that it attempts to stop and delete security services. McAfee says it has coverage for at least the main strain of the virus.
If you receive the messages, McAfee says to delete the message without clicking the link and alert your IT office.
Security firm Symantec said the worm appears to be a new malware attack but is similar to the "Anna Kournikova" virus from 2001, which also carried the subject "Here you have." (The virus tricked users into opening an e-mail message supposedly containing a picture of tennis player Anna Kournikova.)
Symantec speculates that the threat -- initially named Trojan.Horse but renamed to W32.Imsolk.A@mm -- originated from a botnet and appears to be hitting "many, many companies indiscriminately."
"Once the threat copies itself to another machine, if a user even opens the folder that contains the threat on this new machine, this will launch the threat and cause it to spread further through both email and over shared drives," the company wrote in a bulletin.
Department of Homeland Security Officials Investigate Virus
Department of Homeland Security officials are looking into the virus and the U.S. Computer Emergency Readiness Team and DHS National Cyber Security Division are expected to issue a bulletin later today. They will also conduct forensic analysis to try and determine where the worm originated. A DHS official said that several federal departments and agencies are experiencing the virus, although the official would only confirm NASA.
"US-CERT has received multiple reports from a number of federal agencies and private sector entities experiencing an email worm...US-CERT is in the process of collecting and analyzing samples of the malware and has developed and disseminated mitigation strategies," said DHS press secretary Amy Kudwa in a statement.
A spokesman for the Florida Department of Transportation said e-mail has been taken down at the agency because of the spam attack. He said six other agencies in Florida have also been hit by the virus.
While the Trojan hindered communications, it hasn't had a major impact on operations, he said.
"It's not life and death, a bridge hasn't collapsed and killed anybody," said Nelson Hill, chief information officer for the Florida Department of Transportation.
Adobe Systems on Tuesday advised computer security experts that there were vulnerabilities in the Adobe Reader software, noting that hackers were actively looking to exploit a recently detected vulnerability. This could explain why the e-mail was being sent in a .pdf format.
NASA: 'Houston We Have a Problem... Spam'
As IT professionals raced to address the problem, annoyed employees took to Twitter to rant.
"Office servers offline, due to spam assault. No e-mail for anyone. Now maybe I can get some work done!" posted one employee.
"The world is coming to an end. The 'here you have' email virus just took down times square," joked another.
NASA's Lunar Science Institute tweeted, "Houston, we have a problem... it's called spam."
ABC News' Jason Ryan, Marisa Bramwell, Lee Ferran and Sidney Wright contributed to this report.