Slashdot Mirror


New Email Worm Squirming Through Windows Users' Inboxes

Trailrunner7 writes "There appears to be an actual email worm in circulation right now, using the tried-and-true infection method of sending emails containing malicious executables to all of the names in a user's email address book. The worm arrives via emails with the subject line 'Here You Have' or something similar, and the messages contain a link to a site that will download a malicious file to the victim's PC. The malware then drops itself into the Windows directory with a file name of CSRSS.EXE, which is identical to a legitimate Windows file. From there, it's 2001 all over again, as the worm attempts to mail itself to all of the contacts in the victim's Outlook address book."

2 of 473 comments

  1. Re:Dealing with this mess... by aarner · · Score: 0, Flamebait

    More troubling, why does no one ever demand some friggin' accountability from those criminally incompetent "security" vendors. This worm is not some brand-spankin-new, just-released-today threat. The first entry in Microsoft's web site for Worm:Win32/Visal.A can be found here http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FVisal.A - It went up on August 4 2010 and was updated on August 19 2010. The full text of the email can be found at that site, as well as a list of infection symptoms, spread vectors, and URL patterns of the payload. My own employer spends millions of dollars per year on Websense to keep me safe from gmail and youtube, Symantec A/V to keep me safe from 30% of my laptop's performance, and a myriad of other safety and security products.

    You'd think that a firm like webNonSense would have the resources to add the payload sites to their list of "naughty" websites. Although it would be a pretty big undertaking for them, after all the worm/trojan does have a huge set of THREE FUCKING URL PATTERNS that it uses to link to the payload. That's a pretty tall order to keep track of 3 whole URL patterns. For example, they start with sharedocuments.com/ and end with Something_BunchOfNumbers.PDF.scr. Like, someone might have to learn how regular expressions work or something - that's time taken away from webNonSenses' primary mission of keeping corporate America safe from boobies. I don't know what WebSenses' slogan or tagline is, but given that it only seems to work on static porn sites that have been around for years, maybe they should think about changing it to "WebSense - Tits or GTFO!"

    You'd think that if the idiots at Microsoft Security Essentials had found this in the wild six weeks ago that our friends at McAfee/Intel and Norton/Symantec would have rolled out a definition file that immunized against the infection already.

    You'd think that the Microsoft Security Essentials idiots would talk to the Microsoft Exchange retards and maybe block the emails at that level. Or maybe they'd block it at the browser level - fit it into the several terabytes or so that counts for an InternetExploder install these days.

    Incidentally, for the fun of it I fired up a Windows VM and logged on to the corporate Exchange server this morning after reading about this. I clicked on the link and you'll never guess what stopped the infection - Good old Firefox threw up the warning. Not the AV software, not Websense, not UAC - but Firefox caught it on the download/check for virus step.

    So the product with the least responsibility for the save actually saved the day. The performance of Websense, Symantec, McAfee, etc. can only be described as: "They shit the bed."

    Antivirus and security software doesn't work. It never will work. So long as the mindset of security is default permit or blacklisting, this kind of thing will happen again and again. If any good can come of this, it would be the SEC hauling Symantec and McAfee and the rest of them off for perpetrating a massive fraud on nearly everyone.
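The commenter's point about the payload links (host sharedocuments.com, filename ending in Something_BunchOfNumbers.PDF.scr) and the summary's note that the worm drops itself as CSRSS.EXE in the Windows directory both reduce to simple pattern checks. The following is an added example written for this mirror, not code from the commenter, from Websense, or from Microsoft's write-up: the regular expressions are assumptions built from the description in the comment, and every URL and path in it is constructed sample data.

```python
from __future__ import annotations

import ntpath
import re
from urllib.parse import urlparse

# Pattern as described in the comment: a link on sharedocuments.com whose file
# name ends in <Something>_<digits>.PDF.scr. The regex is an assumption derived
# from that description, not a vendor signature.
PAYLOAD_URL_RE = re.compile(
    r"^https?://(?:[\w-]+\.)*sharedocuments\.com/.*_\d+\.pdf\.scr$",
    re.IGNORECASE,
)

# Broader heuristic, independent of host: a document-looking name followed by an
# executable extension (the classic "double extension" lure).
DOUBLE_EXT_RE = re.compile(
    r"\.(?:pdf|doc|docx|xls|xlsx|jpg|txt)\.(?:scr|exe|com|pif|bat)$",
    re.IGNORECASE,
)

# Good-enough URL extractor for plain-text mail bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_url(url: str) -> str:
    """Return 'payload', 'suspicious' or 'clean' for one URL."""
    if PAYLOAD_URL_RE.match(url):
        return "payload"
    # Only the path is tested for the double extension so that query strings
    # or fragments cannot hide or fake the file name.
    if DOUBLE_EXT_RE.search(urlparse(url).path):
        return "suspicious"
    return "clean"


def scan_message(body: str) -> list[tuple[str, str]]:
    """Extract every URL in a message body and classify it."""
    return [(url, classify_url(url)) for url in URL_RE.findall(body)]


def should_quarantine(subject: str, body: str) -> bool:
    """Gateway-style decision for one message.

    A known payload link is always enough. A 'Here you have' subject combined
    with any double-extension link is also enough, even on an unknown host.
    """
    verdicts = [verdict for _, verdict in scan_message(body)]
    if "payload" in verdicts:
        return True
    lure_subject = subject.strip().lower().startswith("here you have")
    return lure_subject and "suspicious" in verdicts


def suspicious_csrss_location(path: str) -> bool:
    """True when a file named csrss.exe sits directly in the Windows directory.

    The legitimate binary lives under System32; the summary says the worm
    drops its copy into the Windows directory itself, so the parent folder
    name is the tell. ntpath is used so this runs on any OS.
    """
    parent, name = ntpath.split(path)
    if name.lower() != "csrss.exe":
        return False
    return ntpath.basename(parent).lower() in {"windows", "winnt"}


# Constructed sample messages (not the worm's real text).
SAMPLE_MESSAGES = [
    ("Here you have",
     "Hello, the document is here: "
     "http://sharedocuments.com/docs/Invoice_2010091234.PDF.scr"),
    ("Here you have",
     "Photos from the trip: http://example.net/files/photo.jpg.exe"),
    ("Weekly report", "Attached as usual: https://example.com/report.pdf"),
]

if __name__ == "__main__":
    for subject, body in SAMPLE_MESSAGES:
        print(f"{subject!r:20} quarantine={should_quarantine(subject, body)}")
        for url, verdict in scan_message(body):
            print(f"    {verdict:10} {url}")
    for candidate in (r"C:\Windows\csrss.exe", r"C:\Windows\System32\csrss.exe"):
        print(f"{candidate}: suspicious={suspicious_csrss_location(candidate)}")
```

The first rule is the narrow blocklist the comment argues for; the second is the kind of generic rule that would have caught the same lure on a host nobody had listed yet, which is the real answer to the "three URL patterns" complaint. The csrss check is deliberately conservative: it flags only the location the summary describes rather than every copy of the name on disk.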

  2. Re:Lulz @work today by Datamonstar · · Score: 0, Flamebait

    Good for you, asshole. You got to command the fate of a few people based on some non-relevant criteria hawked up in your own tiny-walled head. How about you let the management make the staffing decisions and you stick to browsing Slashdot at work? Don't be surprised if YOU are the one given the axe for 1. thinking you know how to do management's jobs better than they do and 2. for being annoying and obnoxious to your fellow co-workers.

    --
    The eternal struggle of good vs. evil begins within one's self.