Email Worm Spreading Like Wildfire – W32.Imsolk/VBMania Variant

The New Acunetix V12 Engine


Oh this is a throw back to the 90s, a self-replicating e-mail worm based around a malicious screensaver (.scr) that sends itself to everyone in your address book. It seems this one is spreading fast though with hundreds of thousands of infections.

Reminds of the heydays of ILOVEYOU and Anna Kournikova.

A fast-moving email worm that began spreading on Thursday has been able to affect hundreds of thousands of computers worldwide, anti-virus provider Symantec warned.

The email arrives with the subject “Here you have.” An executable screensaver that’s disguised as a PDF document then tries to send the same message to everyone listed in the recipient’s address book. The .scr file is a variation of the W32.Imsolk.A@mm worm Symantec discovered last month.

In addition to spreading through email, it can propagate through mapped drives, autorun and instant messenger. It also has the ability to disable various security programs.

It’s slightly more advanced than the old versions though with the ability to spread through instant messaging (probably MSN Live Messenger) and also disable security programs.

Plus it’s harder to scan for as the malicious screensaver isn’t actually attached to the email but downloaded from a remote source, and from early reports – multiple remote sources.

The worm is a throwback to attacks not seen in almost a decade, when the Anna Kournikova and I Love You attacks wreaked havoc on email systems worldwide. The Here You Go worm appears to different in that the malicious payload is downloaded from a page on members.multimania.com, rather than being attached to the email. That could make efforts to eradicate the worm easier.

Then again, McAfee said multiple variants of the worm appear to be spreading, so it’s not yet clear that the malicious screensaver is hosted by a single source.

There’s more info available here:

Symantec – New Round of Email Worm, “Here you have”
McAfee – Widespread Reporting of “Here you have” Virus (aka W32/VBMania@MM)

Source: The Register

Posted in: Malware

, ,


Latest Posts:


RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.
NetBScanner - NetBIOS Network Scanner NetBScanner – NetBIOS Network Scanner
NetBScanner is a NetBIOS network scanner tool that scans all computers in the IP addresses range you choose, using the NetBIOS protocol.
Metta - Information Security Adversarial Simulation Tool Metta – Information Security Adversarial Simulation Tool
Metta is an information security preparedness tool in Python to help with adversarial simulation and assess security defense preparation and alerts.
Powershell-RAT - Gmail Exfiltration RAT Powershell-RAT – Gmail Exfiltration RAT
Powershell-RAT is a Python-based Gmail exfiltration RAT that can be used a Windows backdoor to send screenshots or other data as an e-mail attachment.
SCADA Hacking - Industrial Systems Woefully Insecure SCADA Hacking – Industrial Systems Woefully Insecure
It seems like SCADA hacking is still a topic in hacker conferences, and it should be with SCADA systems still driving power stations, manufacturing plants etc.
airgeddon - Wireless Security Auditing Script airgeddon – Wireless Security Auditing Script
Airgeddon is a Bash powered multi-use Wireless Security Auditing Script for Linux systems with an extremely extensive feature list.


2 Responses to Email Worm Spreading Like Wildfire – W32.Imsolk/VBMania Variant

  1. d3m4s1@d0v1v0 September 10, 2010 at 12:41 pm #

    Sweet! it has been a long time since those mails in the 90’s hehehe. Thanks for the info, now I have alerted the network administrators of my company.
    As allways, great info!

  2. James September 17, 2010 at 8:44 pm #

    McAfee has a free tool I reviewed, wrote about it here:
    http://mjameshall.com/web/journal/vbmania/