‘Here you have’ virus strikes email inboxes

Graham Cluley

If you were reading the SophosLabs blog overnight you’ll have seen Boris Lau’s report of a mass-mailing worm that has been reported widely.

Email messages with the subject line “Here you have” are pretending to point to documents or free sex movies, but are really designed to infect your PC.

What may be fooling some people is that these emails appear to come from your colleagues, friends or family members, as they have had their own computers infected by the malware (which then sent it on to you).

A typical message reads:


This is The Document I told you about,you can find it Here.

http://<REMOVED URL>/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.


Here’s another example:


This is The Free Dowload Sex Movies,you can find it Here.
http://<REMOVED URL>/library/SEX21.025542010.wmv

Enjoy Your Time.


(Note that in this example, the hackers spelt “Download” incorrectly.)

However, the link doesn’t really go to a PDF file or a WMV movie, but instead to an SCR executable file containing malicious code. When the code runs on your computer, it tries to turn off your security software and attempts to send one of the above messages to the contacts in your address book – rather in the style of the old-school email-aware viruses we often saw in the early 2000s, which used the lure of pictures of Anna Kournikova or a love letter.
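A mail filter can catch the mismatch described above by comparing the file type a link displays with the file type it actually points to. The following is an added example, not code from the original article or from Sophos; the function names, the extension list, and the sample hosts and paths are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Extensions Windows runs directly; .scr is the type described in the article.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# Constructed sample modelled on the quoted lure; hosts and targets are placeholders.
SAMPLE = (
    '<a href="http://files.example/d/PDF_Document21.scr?id=1">'
    'http://docs.example/PDF_Document21.025542010.pdf</a>'
    '<a href="http://files.example/view.php">http://docs.example/SEX21.wmv</a>'
    '<a href="http://docs.example/report.pdf">http://docs.example/report.pdf</a>'
)

def url_ext(url):
    """Lower-cased extension of the URL path, ignoring query and fragment."""
    return PurePosixPath(unquote(urlsplit(url.strip()).path)).suffix.lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body):
    """Flag links that target an executable or whose shown URL claims another type."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, shown in collector.links:
        target = url_ext(href)
        claimed = url_ext(shown) if "://" in shown else ""
        if target in EXECUTABLE_EXTS:
            findings.append((href, f"executable target {target}"))
        elif claimed and claimed != target:
            findings.append((href, f"shown as {claimed}, links to {target or 'no extension'}"))
    return findings
```

Calling `suspicious_links(SAMPLE)` flags the first two links and leaves the third, whose displayed and real targets agree, alone.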

Furthermore, the worm can also spread via network shares.

Sophos detects the malware as W32/Autorun-BHO. In more good news, it appears that the file pointed to by the emails is no longer available.

The intention of the attack appears to be to steal information. The malware downloads components and other tools which extract passwords from browsers (Firefox, Chrome, Internet Explorer, Opera), various email clients, and other applications. Clearly sensitive information which you don’t want falling into the wrong hands.

According to media reports, the virus has been encountered in large firms including Google, Coca-Cola, NASA and Comcast.

That doesn’t surprise me, as this is something of a return to the malware attacks of yesteryear – where hackers didn’t care whose computers they hit, they just wanted to infect as many as possible. Worms like this don’t discriminate; they choose their next victims purely by scooping up a list of targets from the user’s email address book.

Which also means that if you’re in a lot of people’s address books, you might receive a fair amount of malware.

For instance, ABC/Disney employee Sam Champion, who is the weatherman on “Good Morning America”, tweeted that the virus was filling up his email account.

Tweet from Sam Champion

As always, ensure that your anti-virus software is kept properly up-to-date and don’t go clicking on suspicious links – even if they do appear to have been sent to you by a friend.

PS. If you think the subject line “Here you have” rings a bell, then you’ve been following computer security for a fair old time. It was also used by the VBS/SST-A virus (better known as Anna Kournikova) back in 2001.

Screenshot of Anna Kournikova virus

Mass-mailing malware like Kournikova hit a lot of people in the past; let’s hope that more people have their wits about them this time and don’t get tricked by this latest attack.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
