Here You Have Email Worm Detection

Critical Nessus Plugin ID 49211


The remote Windows host has been infected with the Here You Have email worm.


The remote Windows host has files present on the system that indicate that the 'Here You Have' email worm is present. A user of this host likely received an email containing a malicious '.scr' (screen saver) file and infected the host as a result of running this file.

This malware has several features. The most damaging is to self-propagate and infect systems via email, removable drives, shared folders and instant messaging. The worm sends copies of itself to addresses found in Microsoft Outlook address books and Yahoo! Messenger, enticing the user to click on the attached '.scr' file, which leads to further propagation of the worm.

The malware also disables a variety of antivirus packages from a multitude of vendors, turning them off in order to ensure its survival on a newly infected system. These AV packages remain disabled while the system is infected, so an AV scan may not detect an actual infection.

The malware also attempts to recover saved passwords for things such as sites stored in Internet Explorer and Firefox, wireless network keys, and more. This stolen data is then returned to the attacker. It does this by using third-party, non-malicious tools designed for credential recovery. The way these tools are stored and used by this malware is non-standard, however, and are an indication of infection by this malware.


Update the host's antivirus software, clean the host and scan again to ensure its removal. If symptoms persist, re-installation of the infected host is recommended.

See Also

Plugin Details

Severity: Critical

ID: 49211

File Name: hyh_detect.nasl

Version: $Revision: 1.9 $

Type: local

Family: Backdoors

Published: 2010/09/13

Modified: 2017/05/16

Dependencies: 13855

Risk Information

Risk Factor: Critical


Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

Required KB Items: SMB/Registry/Enumerated