
New Worm Tries To Delete Your Security Software

The McAfee Labs Blog reports that a new worm has hit the Internet and is spreading rather quickly by emailing itself to the contacts in infected users' address books.

Arriving in an email with the subject line "Here you have" or "Just for you," the worm masquerades as a linked PDF. No PDF actually exists, however; the link instead leads to an executable with the .scr extension.

Once the worm is installed, it will attempt to download additional malware and delete local security software including the best antivirus software.

According to the blog, the worm can also spread through accessible remote machines, mapped drives, and removable media via Autorun replication. The blog also lists security services that the worm attempts to stop and/or delete, including the Panda Software Controller, McAfee SiteAdvisor Service, Avast! Antivirus, and many more.

"When a user chooses to manually follow the hyperlink, they will be prompted to download or execute the virus," McAfee said. "When run, the virus installs itself to the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE file within the Windows System directory)."

The email containing the malicious links reads as follows:

Hello:

This is The Document I told you about, you can find it Here.

(link)

Please check it and reply as soon as possible.

Cheers,

or

Hello:

This is The Free Downland Sex Movies, you can find it Here.

(link)

Enjoy Your Time.

Cheers,

McAfee, Norton, and other security software firms have already updated their definition files to prevent further damage from the "Here you have" worm.

Those already infected by the worm should disconnect from the Internet, install the latest version of antivirus software on a removable drive, and disinfect the contaminated system.
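To help decide whether a host is affected, the path distinction McAfee describes above (a CSRSS.EXE in the Windows directory rather than the Windows System directory) can be checked mechanically. The following is an added example, not code from McAfee or the original article; it assumes a default install where the System directory is C:\Windows\System32, and the function names and the sample process listing are constructed for illustration.

```python
import ntpath

# Assumption: default install where %SystemRoot% is C:\Windows, so the genuine
# csrss.exe is C:\Windows\System32\csrss.exe.
SYSTEM_ROOT = r"C:\Windows"
WATCHED_NAMES = {"csrss.exe"}  # the file name the article says the worm reuses

def normalize(image_path, system_root=SYSTEM_ROOT):
    """Canonicalize the path forms that process listings commonly report."""
    p = image_path.strip().strip('"').replace("/", "\\")
    if p.startswith("\\??\\"):  # NT object-manager prefix
        p = p[4:]
    low = p.lower()
    for alias in ("%systemroot%", "\\systemroot"):
        if low.startswith(alias):
            p = system_root + p[len(alias):]
            break
    # normpath collapses ".." segments; lower() makes the comparison case-insensitive
    return ntpath.normpath(p).lower()

def find_masquerading(records, system_root=SYSTEM_ROOT):
    """Return (pid, path) for watched names running outside System32."""
    genuine_dir = ntpath.join(system_root, "System32").lower()
    hits = []
    for pid, image_path in records:
        directory, name = ntpath.split(normalize(image_path, system_root))
        if name in WATCHED_NAMES and directory != genuine_dir:
            hits.append((pid, image_path))
    return hits

# Constructed sample process listing (pid, image path); not taken from a real host.
SAMPLE = [
    (412, r"C:\Windows\System32\csrss.exe"),
    (500, r"%SystemRoot%\system32\csrss.exe"),
    (508, r"\??\C:\WINDOWS\system32\csrss.exe"),
    (2204, r"C:\Windows\csrss.exe"),
    (2310, r"C:\Windows\System32\..\CSRSS.EXE"),
    (3120, r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for pid, path in find_masquerading(SAMPLE):
        print(f"suspicious: pid={pid} image={path}")
```

A name-and-path check like this only narrows the search; a hit still needs to be confirmed with an up-to-date scanner run from clean media.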


  • sargentchimera
    People actually follow those links?
  • JasonAkkerman
    People still use email systems that don't automatically filter this crap?
  • Everyone! You can easily and simply escape this problem by using Ubuntu GNU/Linux (or other distro) instead of Windows. Also, with GNU/Linux, not only are you safe from viruses, but you also have access to a universe of free software via just a few mouse clicks. You would not believe what you are missing. There are people out there that can help you get the most from your computers with GNU/Linux. Take control of your computer and enable yourself with technology! Learn more at ubuntu(dot)com and distrowatch(dot)com
  • cookoy
    "Those already infected by the worm should disconnect from the Internet, install the latest version of antivirus software on a removable drive..."

    Too late. The worm will delete the just installed antivirus software before the AV can download the latest virus definitions update.
  • oxxfatelostxxo
    cookoy, you can make a full copy run on a separate drive, with updates... then just connect it to the infected computer and run, or even make a disc from a good machine and run on bootup
  • f4nt4sm4
    JasonAkkerman: "People still use email systems that don't automatically filter this crap?"
    The problem is not filtering, the problem is why ppl click those links when the email sender is something like urmedsareus@infectmypc.com and it's in the spam folder?
  • joz
    People still click links offering Free Porn?
    LOL.
  • blppt
    FREE PORN???? WHERE? SEND ME A LINK!!!!
  • Here is more Detailed information on this SPAM Vector.
    (reply #345 of SPAM frauds, fakes, and other MALWARE deliveries... Thread)

  • frozenlead
    Everyone! You can easily and simply escape this problem by not being stupid and not clicking every link you see!