Defending Against “Here You Have” Or Visal.B Worm…


“Here you have” or Win32/Visal.B is a worm that spreads to other domain computers on a network through drives C – H and via email. When spreading through email, the message contains a link to the worm hosted on a remote server. The file icon resembles a PDF document to maximize the chance of execution. The worm attempts to download arbitrary files and create a full-access share on the local computer as "updates".

UPDATE: The Telegraph reports that the virus is spreading fast; read the report here.

The worm gathers email addresses from contacts stored in Outlook. The email may be in one of the following formats and is sent to the harvested addresses with an obfuscated link that points to a copy of the worm hosted on a remote site.

Example 1

Subject: Here you have

Body:
Hello:

This is The Document I told you about,you can find it Here.
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,

Example 2

Subject: Just for you

Body: 
Hello:

This is The Document I told you about,you can find it Here.
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,

The worm may also search for email addresses stored in the contact list for the Internet chat application Yahoo! Messenger and send emails in the following format:

Example 3

Subject: hi

Body:
Hello:

This is The Free Dowload Sex Movies,you can find it Here.
http://www.sharemovies.com/library/SEX21.025542010.wmv

Enjoy Your Time.

Cheers,

Note: The link does not really point to a PDF document or Windows media movie file. The link directs users to download a copy of the worm from a user account on the domain "members.multimania.co.uk" as "PDF_Document21_025542010_pdf.scr".

Full info about this worm here

As an Exchange admin, you can block the spread of this worm through email using transport rules. All we need to do is create a transport rule that blocks the subject and URLs given above. I will give the screenshots for the transport rule as they are self-explanatory.

[Screenshot: Transport rule to defend against the "Here you have" worm, step 1]

[Screenshot: Transport rule to defend against the "Here you have" worm, step 2]

[Screenshot: Specify words dialog]

[Screenshot: Transport rule to defend against the "Here you have" worm, step 3]

[Screenshot: Transport rule to defend against the "Here you have" worm, step 4]

The screenshot below is for Exchange 2007. Select the action “silently drop the message” in a 2007 transport rule. If you have a mixed 2007 and 2010 environment, the transport rule has to be created twice, once on 2007 and then on 2010.

[Screenshot: Transport rule to defend against the "Here you have" worm on Exchange 2007]
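The same rule can be created from the Exchange Management Shell instead of the GUI, which is handy when it has to exist on both the 2007 and 2010 servers. The following is an added example and not part of the original post: the rule name, comment text and the decision to key on the body sentence and URL hosts (rather than the generic subjects "hi" and "Just for you", which would also drop legitimate mail) are my own choices; the strings themselves are the ones quoted in the examples above. It assumes the shell is running with a role that may create transport rules.

```powershell
# Added example (not from the original post): shell equivalents of the transport rule in the
# screenshots. Rule name and comment are my own; the matched strings come from the lure mails
# quoted above. "Dowload" is kept as misspelled because that is what the worm sends.

# Conditions inside one rule are ANDed, so every string that should trigger on its own goes
# into a single word list. Matching is case-insensitive against the subject or body. The last
# two entries cover the real download location hidden behind the displayed link.
$wormStrings = @(
    "This is The Document I told you about",
    "This is The Free Dowload Sex Movies",
    "sharedocuments.com/library/PDF_Document21",
    "sharemovies.com/library/SEX21",
    "members.multimania.co.uk",
    "PDF_Document21_025542010_pdf.scr"
)

# --- Exchange 2010: named condition/action parameters ---
New-TransportRule -Name "Block Here-you-have (Visal.B) worm" `
    -Comments "Silently drops Win32/Visal.B lure mails" `
    -SubjectOrBodyContainsWords $wormStrings `
    -DeleteMessage $true `
    -Priority 0 `
    -Enabled $true

# --- Exchange 2007: the rule is built from predicate and action objects ---
$predicate = Get-TransportRulePredicate SubjectOrBodyContains
$predicate.Words = $wormStrings
$action = Get-TransportRuleAction DeleteMessage    # shown in the GUI as "silently drop the message"

New-TransportRule -Name "Block Here-you-have (Visal.B) worm" `
    -Conditions @($predicate) `
    -Actions @($action) `
    -Priority 0

# --- Check that lure mails are actually being seen and dropped ---
# Message tracking lists what happened to each message with the worm's subject in the last day.
Get-MessageTrackingLog -MessageSubject "Here you have" -Start (Get-Date).AddDays(-1) |
    Select-Object Timestamp, Sender, Recipients, EventId, Source
```

Run the 2010 section on a 2010 Hub Transport server and the 2007 section on a 2007 one; each version's rule store is separate, which is why the post notes the rule must be created twice in a mixed environment. Keying on the worm's canned body sentence and on the hosting domain of the actual `.scr` file means the rule still fires if the sender varies the subject line, while ordinary mail with the subject "hi" passes untouched.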

Make sure your anti-spam engines are up to date as well if you are using Forefront Protection for Exchange.

Your Thoughts?