Skip to main content

New Worm Tries To Delete Your Security Software

The McAfee Labs Blog reports that a new worm has hit the Internet, and is spreading rather quickly by emailing the address book of infected users.

Arriving in an email with the subject reading "Here you have" or "Just for you," the actual worm masquerades as a linked PDF. However the file doesn't actually exist, but is instead an executable with the .scr extension. 

Once the worm is installed, it will attempt to download additional malware and delete local security software including the best antivirus software.

According to the blog, the worm can also spread through accessible remote machines, mapped drives, and removable media via Autorun replication. The blog also lists security services that the worm attempts to stop and/or delete, including the Panda Software Controller, McAfee SiteAdvisor Service, Avast! Antivirus, and many more.

"When a user chooses to manually follow the hyperlink, they will be prompted to download or execute the virus," McAfee said. "When run, the virus installs itself to the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE file within the Windows System directory)."

The email containing the malicious links reads as follows:

Hello:

This is The Document I told you about, you can find it Here.

(link)

Please check it and reply as soon as possible.

Cheers,

or

Hello:

This is The Free Downland Sex Movies, you can find it Here.

(link)

Enjoy Your Time.

Cheers,

McAfee, Norton, and other security software firms have already updated their definitions file to prevent further damage from the "Here you have" worm. 

Those already infected by the worm should disconnect from the Internet, install the latest version of antivirus software on a removable drive, and disinfect the contaminated system.

For malware protection on other software platforms, check out our lists of the best Mac antivirus software and the best Android antivirus apps.