“Here you have” – but we call it W32/VB.CRJ since we have an Antivirus division now

Every few months a new piece of cybernasty is unleashed on the world with such effectiveness that even the mainstream press covers the story. This time the darling of the headlines is the “here you have” virus. Well the correct name should really be the “email with ‘here you have’ subject and an included link that led to a malicious scr” virus. But last week Commtouch closed its acquisition of the Command antivirus division of Authentium and so we will proudly use the Commtouch name: “W32/VB.CRJ”. 

Note the link in the body of the email vs. the actual destination link (shown after mouse-over on the bottom of the image). As you can see the destination file is not a pdf but rather a script. The scr attempts to deactivate most anti-virus packages (it includes a very comprehensive list) and uses the infected user’s Outlook to replicate the message. This is most problematic as new recipients get the emails from a known trusted source. In addition the scr downloads a number of additional tools. The functionality of these appears to include checking in with a controller as well as password theft.

So how did we do? (it is our blog so every once in a while we’re entitled to do this sort of stuff..)

  • Commtouch Anti-Spam blocked the emails
  • GlobalView URL Filtering classified the destination URLs as malware and spam (allowing partner endpoints to block these)
  • And, proud new addition to the Commtouch family, Command Antivirus detected the malware based on Heuristics. Our Command colleagues also inform us that signatures of this malware date back to 2009 (W32/VBTrojan.17E) and has been modified about 90 times since then

Here we have W32/VB.CRJ !