Thursday, September 09, 2010

'Here You Have' -- the Delightful New Virus Brought to You by Adobe Reader and Microsoft Outlook #hereyouhave #worm #outlookisfun

Twitter is exploding with reports of another delightful computer virus that appears to have been caused by: (a) a zero-day Adobe Reader bug (update: maybe not, see below); and (b) the fact that Microsoft Outlook puts little to no security around the local user's address book. The combination has made for a fairly brutal and rapid spread of the #hereyouhave virus.

Uhmm, first of all: don't click on any email with the subject heading "Here you have".

And if you did get hit, here are a few recommendations:

• Temporarily disable your network connection (pull your blue wire or disable your wireless Internet)

• Using the Control Panel, change your file associations to remove the Adobe Reader from an automatic association (see illustration for Windows XP)

• Check your Outlook outbox -- that's where messages that haven't been sent collect. You may see hundreds or thousands. Delete all of the suspect messages.

• Bring up Task Manager and check to see whether AcroRd32 (the Adobe Reader) is running. If it is, kill it.

• Once you're confident that the virus has stopped trying to send messages (by checking your Outbox), reconnect your network connection (or, better yet, use an uninfected machine) and check with your anti-virus vendor to determine whether an update is available -- force a signature update once one is ready.

The only positive from this delightful infection is the fact that it so openly identifies those folks who were socially engineered into clicking on this ill-disguised link. Maybe that'll learn 'em.


Update: Commenter says that it is an '.SCR' file disguised as a '.PDF'. In either case--don't click it! If the Adobe Reader is not involved, that would be good news (fewer moving parts involved).

Update II: Word on the street is that the domain the virus tries to access in order to run the script is http://members.multimania.co.uk (no link, intentionally). Your IT administrator would be well-served to block that domain, or you personally could edit your HOSTS file.

Update III: Unconfirmed reports that Schwab, Bank of America, JPM Chase, FedEx, Vanderbilt and many other organizations were hit.

Update IV: ABC News is first to get a major story up on the virus. They report that NASA, Comcast, AIG, Disney, Florida Department of Transportation and Wells Fargo were hit. They note that, "Adobe systems on Tuesday advised computer security experts that there were vulnerabilities in the Adobe reader software, noting that hackers were looking to actively exploit a recently detected vulnerability. This could explain why the e-mail was being sent in a .pdf format."
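The two points from the updates above (a '.SCR' hiding behind a '.PDF' name, and a known host worth blocking) turned into a small mail-triage check. This is an added example, not code from the original post: the path and file name in the sample link are constructed placeholders (only the domain comes from Update II), and the extension lists and the 0.0.0.0 HOSTS convention are assumptions.

```python
from urllib.parse import urlparse

# Assumption: extensions Windows runs directly when the link is clicked.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs"}
# Assumption: "decoy" extensions that make the name look like a document.
DOCUMENT_EXTS = {".pdf", ".doc", ".xls", ".txt", ".jpg"}

# Constructed sample link: the domain is from Update II, the rest is a placeholder.
SAMPLE_LINK = "http://members.multimania.co.uk/EXAMPLE-PATH/open.pdf.scr"
BLOCKED_DOMAINS = {"members.multimania.co.uk"}


def extensions(url: str) -> list[str]:
    """All dotted suffixes of the link's file name, lowercased, e.g. ['.pdf', '.scr']."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def is_disguised_executable(url: str) -> bool:
    """True when the real (last) extension is executable and the one shown before it is a document type."""
    exts = extensions(url)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS


def domain_is_blocked(url: str) -> bool:
    """True when the link host is the blocked domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def hosts_blackhole_line(domain: str) -> str:
    """HOSTS-file line that sinks the domain locally, as Update II suggests."""
    return f"0.0.0.0 {domain}"


def triage_mail(subject: str, link: str) -> list[str]:
    """Reasons to quarantine a message; an empty list means nothing matched."""
    reasons = []
    if subject.strip().lower() == "here you have":
        reasons.append("subject matches the worm lure")
    if is_disguised_executable(link):
        reasons.append("executable hidden behind document extension: " + "".join(extensions(link)[-2:]))
    if domain_is_blocked(link):
        reasons.append("link host is on the block list")
    return reasons
```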

8 comments:

The Duker said...

It is not actually a .pdf file, it is a .scr file disguised as a PDF. If you hover over the link you will see the true link of .pdf.scr

Anonymous said...

wow talk about misinformation - look at the file before bashing adobe

Anonymous said...

Seriously, change your link bait title...

directorblue said...

@anon 4:55p

Dude, I don't have the virus, so I'm getting the info through Twitter and GTalk.

Anonymous said...

Good excuse - Just like getting all the other info through Limbaugh, Beck and Faux news

directorblue said...

Excellent. My $1,500 Fox News challenge still stands:

Here.

Until then, please refrain from 'Faux News' and other childish labels.

I know. You don't like facts, logic, history and reason.

You like feelings.

Here You Have Virus E-Mail - How to Avoid Here You Have Virus E-Mail. said...

Here You Have Virus E-Mail - How to Avoid Here You Have Virus E-Mail.

Anonymous said...

I have had it with Adobe Acrobat due to previous infections that used it to get on one of my computers. These days I use Foxit Reader to look at PDFs