Recently, we have talked a lot about how hackers can use social networks to get users to download malicious software to their computers. The most effective way for viruses to spread, however, is still email and the “Here you have” email worm that is currently making the rounds makes it abundantly clear that most users are still not able to spot and protect themselves from these threads. The email, which has already affected the networks of major organizations like Comcast, NASA and Wells Fargo, comes with the subject line “Here you have” or “Just For you” and includes and appears to include a link to a PDF file.

This file, however, is not a PDF document but a malicious .SCR executable file. Windows uses the .SCR extension for screensavers and this file can only be read by Windows machines. Mac users are – as is so often the case – safe from this threat.
Here is the text that appears in these emails:
Hello:
This is The Document I told you about, you can find it Here. <link to .SCR file>
Please check it and reply as soon as possible.
Cheers,
<name>
As is so often the case, the text is socially engineered to ensure that users – especially in a corporate environment – will be drawn to opening the file immediately. As the worm seems to come from a reliable source and points to what at first glace appears to be a legitimate document (and most users don’t associate PDF files with security threats), a lot of users are prone to opening it without even thinking twice.
What Does “Here You Have” Do?
According to security firm Symantec’s Brian Ewell, here is what the worm does:
- Spread through mapped drives through autorun
- Spread through email by taking contacts from the address book
- Spread through instant messenger
- Disables various security related programs
As it manages to disable the antivirus products of numerous vendors, the virus can then propagate with relative ease. Besides email, the virus also uses open drive shares on a home or office network to spread itself even further. According to Symantec, just opening a folder that contains this file will launch the threat.
The link inside the original emails has now been taken offline, but a number of variants are already taking its place now.
Image credit: Flickr user eviltomthai.