A worm collectively dubbed by the security industry as the “Here you have worm” has been making its way onto corporate networks over the past 24 hours. The worm arrives via e-mail using the subject line “Here you have” or “Just For you“ along with an executable disguised as a PDF file. It first appeared last month sending spam e-mails from [email protected].
The worm creates the following files: (Note: See the full report in our sandbox -> http://x.maldb.com/?p=44309#more-44309)
/WINDOWS/autorun.inf
/WINDOWS/autorun2.inf
/WINDOWS/csrss.exe
/WINDOWS/ff.exe
/WINDOWS/gc.exe
/WINDOWS/hst.iq
/WINDOWS/ie.exe
/WINDOWS/im.exe
/WINDOWS/op.exe
/WINDOWS/pspv.exe
/WINDOWS/rd.exe
/WINDOWS/re.exe
/WINDOWS/re.iq
/WINDOWS/system/Administrator CV 2010.exe
/WINDOWS/system/updates.exe
/WINDOWS/system32/SendEmail.dll
/WINDOWS/system32/wbem/Logs/wbemcore.lo_
/WINDOWS/system32/wbem/Logs/wbemprox.log
/WINDOWS/tryme1.exe
/WINDOWS/vb.vbs
/autorun.inf
/open.exe
Creates several registry keys to block the execution of anti-malware programs.
Connects to:
members.multimania.co.uk/yahoophoto/tryme.iq
members.multimania.co.uk/yahoophoto/ff.iq
members.multimania.co.uk/yahoophoto/gc.iq
members.multimania.co.uk/yahoophoto/ie.iq
members.multimania.co.uk/yahoophoto/im.iq
members.multimania.co.uk/yahoophoto/m.iq
members.multimania.co.uk/yahoophoto/op.iq
members.multimania.co.uk/yahoophoto/pspv.iq
members.multimania.co.uk/yahoophoto/rd.iq
members.multimania.co.uk/yahoophoto/w.iq
members.multimania.co.uk/yahoophoto/SendEmail.iq
members.multimania.co.uk/yahoophoto/hst.iq
members.multimania.co.uk/yahoophoto/re.iq
members.multimania.co.uk/yahoophoto/tryme.iq
In further research, we have found iraq_resistance to be the known handle for a Libyan hacker/terrorist who we believe to be responsible for at least the first version of the worm discovered in mid-august.
Several underground forum communications have linked “iraq_resistance” to the malware creation as well as the terrorist (electronic jihad) organization “Brigades of Tariq ibn Ziyad.”
Here is a copy of a an iraq_resistance post, which states the groups number one priority loud and clear: “ Required young people to participate in the campaign of the electronic jihad اجهزة امريكية تابعة للجيش الامريكي Group was established as the Brigades of Tariq ibn Ziyad and goal of this group to penetrate U.S. agencies belonging to the U.S. Army ” – Google Translate Link
Besides the terrorist link, several posts have been made in other underground hacking forums, such as xp10.com.
It’s still unclear if this second revision of the worm is linked to “iraq_resistance” or “Brigades of Tariq ibn Ziyad,” as neither person/group has claimed responsibility, but it’s highly likely due to the nature of the group.