Defending Against "Here You Have" Or Visal.B Worm
“Here you have” or Win32/Visal.B is a worm that spreads to other domain computers on a network through drives C – H and via email. When spreading through email, the message contains a link to the worm hosted on a remote server. The file icon resembles a PDF document to maximize the chance of execution. The worm attempts to download arbitrary files and create a full-access share on the local computer as "updates".
UPDATE: Telegraph reports that the virus is spreading fast, read here
The worm gathers email addresses from contacts stored in Outlook. The email may be in one of the following formats and is sent to others with an obfuscated link that points to a copy of the worm hosted on a remote site.
Example 1
Subject: Here you have
Body:
Hello:
This is The Document I told you about,you can find it Here.
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf
Please check it and reply as soon as possible.
Cheers,
Example 2
Subject: Just for you
Body:
Hello:
This is The Document I told you about,you can find it Here.
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf
Please check it and reply as soon as possible.
Cheers,
The worm may also search for email addresses stored in the contact list for the Internet chat application Yahoo! Messenger and send emails in the following format:
Example 3
Subject: hi
Body:
Hello:
This is The Free Dowload Sex Movies,you can find it Here.
http://www.sharemovies.com/library/SEX21.025542010.wmv
Enjoy Your Time.
Cheers,
Note: The link does not really point to a PDF document or Windows media movie file. The link directs users to download a copy of the worm from a user account on the domain "members.multimania.co.uk" as "PDF_Document21_025542010_pdf.scr".
Full info about this worm here
As an Exchange admin, you can defend against the spread of this worm through email using transport rules. All we need to do is create a transport rule which blocks the subjects & URLs given above. I will give the screenshots for the transport rule as they are self explanatory.
The screenshot below is for Exchange 2007. Select the action "silently drop the message" in a 2007 transport rule. If you have a mixed 2007 & 2010 environment, the transport rule has to be created twice, once on 2007 and then on 2010.
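The same rule written for the Exchange 2010 Management Shell, as an added example that is not part of the original post (Exchange 2007 builds its conditions from Get-TransportRulePredicate objects instead, so the GUI route above is simpler there). The subjects and URLs are the ones quoted above; the rule name and comment text are my own choices.

```powershell
# Added example (not from the original post): an Exchange 2010 transport rule
# that silently drops Win32/Visal.B ("Here you have") mail. Run it in the
# Exchange Management Shell on a Hub Transport server. The rule name and
# comment are assumptions; the subjects and URLs are quoted from the post.

# Subjects and link text used by the worm's known messages.
$wormSubjects = @("Here you have", "Just for you", "hi")
$wormUrls = @(
    "http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf",
    "http://www.sharemovies.com/library/SEX21.025542010.wmv",
    "members.multimania.co.uk"      # host that actually serves the .scr file
)

# Conditions on a single rule are ANDed: the subject must match one of the
# worm subjects AND the subject or body must contain one of the URLs.
# Dropping on subject alone would also delete legitimate mail titled "hi"
# or "Just for you".
New-TransportRule -Name "Block Visal.B worm (Here you have)" `
    -SubjectContainsWords $wormSubjects `
    -SubjectOrBodyContainsWords $wormUrls `
    -DeleteMessage $true `
    -Comments "Silently drops Win32/Visal.B worm mail; review once the outbreak is over" `
    -Enabled $true

# Verify the rule exists with the expected predicates and action before
# relying on it; send a test message matching the conditions to confirm.
Get-TransportRule -Identity "Block Visal.B worm (Here you have)" |
    Format-List Name, State, Conditions, Actions

# This rule covers only the email vector. The worm also spreads over drives
# C-H and the "updates" share, so endpoint antivirus must be current too.
```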
If you are using Forefront Protection for Exchange, make sure its antispam engines are up to date as well.