I thought the same thing, but then realized that it's not actually an attachment. It's a link in the body of the email to something like:

http: // members . multimania . co . uk / yahoophoto / <filename> . scr

that is obfuscated to look like:

http: // www . sharedocuments . com / library / <filename> . pdf

Source: http://isc.sans.edu/diary.html?storyid=9529

On Fri, Sep 10, 2010 at 9:05 AM, Andrew S. Baker <asbz...@gmail.com> wrote:

> Based on the reports of a .SCR file as the attachment, I wonder why these organizations are even allowing that extension into their networks.
>
> BTW, doesn't Google own Postini? Is there any reason why they should have been hit?
>
> I hope the email admins in question have a documented trail that suggests that they were trying to implement these well-known (supposedly, anyway) layers for email security.
>
> *ASB* (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
> *Exploiting Technology for Business Advantage...*
>
> On Thu, Sep 9, 2010 at 10:46 PM, Sam Cayze <sam.ca...@rollouts.com> wrote:
>
>> Just got an email from someone who had their business hit…
>>
>> http://news.google.com/news/story?client=firefox-a&rls=org.mozilla:en-US:official&channel=s&hl=en&q=here+You+Have+virus+email&um=1&ie=UTF-8&ncl=d3_8Aeb9qdTcV2MsAEIz0YjQdS_OM&ei=bJuJTPykA5SlngeVu7mqDA&sa=X&oi=news_result&ct=more-results&resnum=1&ved=0CB4QqgIwAA
>>
>> *From:* Erik Goldoff [mailto:egold...@gmail.com]
>> *Sent:* Thursday, September 09, 2010 5:45 PM
>> *To:* NT System Admin Issues
>> *Subject:* OT : Malware alerts from McAfee, anyone experienced these yet?
>>
>> Got these two separate alerts from McAfee forwarded to me this evening. Anyone had any exposure to these yet?
>>
>> Looks like **IF** your end users are trained/informed properly against social engineering (using spam as a vector) like this, then there is nothing to worry about.
>>
>> ************************
>>
>> We have just been made aware of another malicious 0-day attack in the wild. The attack is in the form of an email with the SUBJECT: "Here You Have" which leads the user to open a malicious .pdf document.
>>
>> McAfee will be releasing an extra.dat to detect and clean the known components soon, but until then, I recommend blocking the email at the email gateway, identified by the Subject line: "Here you Have", until the extra.dat or .dat is fully deployed. For other non-McAfee anti-virus vendors, the same methodology should be used until a signature file is available.
>>
>> *************************
>>
>> McAfee has received confirmation that some customers have received large volumes of spam containing a link to malware, a mass-mailing worm identified as VBMania. The symptom reported thus far is that the spam volume is overwhelming the email infrastructure.
>>
>> Static URLs in the email link to a .SCR file. McAfee recommends that customers filter for the URL on gateway and email servers, and block the creation of .SCR files on endpoint systems.
>>
>> McAfee Trusted Source is actively protecting against this threat. Customers with McAfee Trusted Source *Email Reputation* will have the emails blocked. Customers with McAfee Trusted Source *Web Reputation* will have the URL blocked from click-through. McAfee *Artemis* provides protection as well.
>>
>> For further information, see mysupport.mcafee.com and search for KB article KB69857. McAfee also will provide further information as gathered.
>>
>> *************************
>>
>> *Erik Goldoff*
>> *IT Consultant*
>> *Systems, Networks, & Security*
>>
>> ' Security is an ongoing process, not a one time event ! '
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
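The gateway-side check the quoted McAfee bulletin recommends (flag the subject line, and flag a link whose visible text shows a PDF-looking URL while the real href points at a .SCR file), as an added example that is not part of this thread or of any vendor product; the hostnames, the filename, the blocked-extension list and the sample email body are constructed placeholders.

```python
"""Flag the link-text/href mismatch and subject line described in the thread (constructed example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Assumption: extensions a gateway would refuse to deliver links to; extend to local policy.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat"}
SUSPECT_SUBJECTS = {"here you have"}  # the subject line named in the bulletin

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self._href, self._text, self.anchors = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _ext(url):
    return posixpath.splitext(urlparse(url).path)[1].lower()

def link_findings(html_body):
    """Return (href, reason) for links with a blocked target extension or whose
    visible URL text points at a different host or file type than the real href."""
    p = _AnchorCollector()
    p.feed(html_body)
    findings = []
    for href, text in p.anchors:
        if _ext(href) in BLOCKED_EXTENSIONS:
            findings.append((href, "target has executable extension " + _ext(href)))
        if text.startswith("http") and (urlparse(text).netloc != urlparse(href).netloc
                                        or _ext(text) != _ext(href)):
            findings.append((href, "visible URL text does not match real target"))
    return findings

def should_quarantine(subject, html_body):
    """Gateway decision: suspect subject or any suspicious link quarantines the message."""
    return subject.strip().lower() in SUSPECT_SUBJECTS or bool(link_findings(html_body))

# Constructed sample in the shape the thread describes: PDF-looking text, .scr target.
SAMPLE_BODY = ('<p>This is The Document I told you about, you can find it Here.</p>'
               '<a href="http://members.example.invalid/yahoophoto/document.scr">'
               'http://www.sharedocuments.example.invalid/library/document.pdf</a>')
```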