Vulners
Lucene search
Here You Have Email Worm Detection
| Source | Link |
|---|---|
| nessus | www.nessus.org/u |
| nessus | www.nessus.org/u |
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(49211);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/02/01");
script_name(english:"Here You Have Email Worm Detection");
script_summary(english:"Looks for files indicative of the Here You Have email worm");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has been infected with the Here You Have email
worm.");
script_set_attribute(attribute:"description", value:
"The remote Windows host has files present on the system that indicate
that the 'Here You Have' email worm is present. A user of this host
likely received an email containing a malicious '.scr' (screen saver)
file and infected the host as a result of running this file.
This malware has several features. The most damaging is to
self-propagate and infect systems via email, removable drives, shared
folders and instant messaging. The worm sends copies of itself to
addresses found in Microsoft Outlook address books and Yahoo!
Messenger, enticing the user to click on the attached '.scr' file,
which leads to further propagation of the worm.
The malware also disables a variety of antivirus packages from a
multitude of vendors, turning them off in order to ensure its survival
on a newly infected system. These AV packages remain disabled while
the system is infected, so an AV scan may not detect an actual
infection.
The malware also attempts to recover saved passwords for things such
as sites stored in Internet Explorer and Firefox, wireless network
keys, and more. This stolen data is then returned to the attacker. It
does this by using third-party, non-malicious tools designed for
credential recovery. The way these tools are stored and used by this
malware is non-standard, however, and are an indication of infection
by this malware.");
# http://www.symantec.com/security_response/writeup.jsp?docid=2010-090922-4703-99
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?0537683e"
);
# https://web.archive.org/web/20131210115341/http://isc.sans.edu:80/diary/%27Here+You+Have%27+Email+/9529
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?7378f54d"
);
script_set_attribute(attribute:"solution", value:
"Update the host's antivirus software, clean the host and scan again to
ensure its removal. If symptoms persist, re-installation of the
infected host is recommended.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/09/13");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"malware", value:"true");
script_set_attribute(attribute:"asset_inventory", value:"True");
script_set_attribute(attribute:"agent", value:"windows");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Backdoors");
script_copyright(english:"This script is Copyright (C) 2010-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("smb_func.inc");
include("smb_hotfixes.inc");
include("audit.inc");
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0, "The 'SMB/Registry/Enumerated' KB item is missing.");
# Connect to the appropriate share.
name = kb_smb_name();
port = kb_smb_transport();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
path = hotfix_get_systemroot();
if (!path) exit(1, "Can't get system root.");
report = "";
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
hyhexe = "csrss.exe";
hyhupdate = "updates.exe";
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
NetUseDel();
exit(1, "Can't connect to "+share+" share.");
}
# Check for the main HYH executable
filename = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\"+hyhexe, string:path);
fh = CreateFile(
file:filename,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
if (!isnull(fh))
{
report += '\n' +
'Nessus found the Here You Have executable installed at : ' + path + '\\'+hyhexe;
CloseFile(handle:fh);
}
# Check for malicious HYH backup file for plugin accuracy.
if (!report || report_paranoia < 2)
{
filename = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\system\"+hyhupdate, string:path);
fh = CreateFile(
file:filename,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
if (!isnull(fh))
{
report += '\n' +
'Nessus found a malicious Here You Have file at : ' + path + '\\'+hyhupdate;
CloseFile(handle:fh);
}
}
NetUseDel();
# Issue a report if the main binary is detected, and supporting files are present on the system.
if (report)
{
security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
exit(0);
}
else exit(0, "The Here You Have email worm was not found.");
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Feb 2022 00:00Current
5.5Medium risk
Vulners AI Score5.5