Detections
Analytics
Here You Have Email Worm Detection
critical Nessus Plugin ID 49211
Language:
Synopsis
The remote Windows host has been infected with the Here You Have email worm.Description
The remote Windows host has files present on the system that indicate that the 'Here You Have' email worm is present. A user of this host likely received an email containing a malicious '.scr' (screen saver) file and infected the host as a result of running this file.This malware has several features. The most damaging is to self-propagate and infect systems via email, removable drives, shared folders and instant messaging. The worm sends copies of itself to addresses found in Microsoft Outlook address books and Yahoo! Messenger, enticing the user to click on the attached '.scr' file, which leads to further propagation of the worm.
The malware also disables a variety of antivirus packages from a multitude of vendors, turning them off in order to ensure its survival on a newly infected system. These AV packages remain disabled while the system is infected, so an AV scan may not detect an actual infection.
The malware also attempts to recover saved passwords for things such as sites stored in Internet Explorer and Firefox, wireless network keys, and more. This stolen data is then returned to the attacker. It does this by using third-party, non-malicious tools designed for credential recovery. The way these tools are stored and used by this malware is non-standard, however, and are an indication of infection by this malware.
Solution
Update the host's antivirus software, clean the host and scan again to ensure its removal. If symptoms persist, re-installation of the infected host is recommended.See Also
Plugin Details
Severity: Critical
ID: 49211
File Name: hyh_detect.nasl
Version: 1.12
Type: local
Agent: windows
Family: Backdoors
Published: 9/13/2010
Updated: 2/1/2022
Asset Inventory: true
Supported Sensors: Nessus Agent, Nessus
Vulnerability Information
Required KB Items: SMB/Registry/Enumerated