"Here You Have" Email Worm Security Bulletin

Sep 10th, 2010

Please see the attached Cisco Security Bulletin about the recent Email Worm "Here You Have".

The Bulletin includes information about the Email Worm, Cisco Protection and FAQs.

<You can find the snippet of the bulletin below>

Background Information:

On September 9th, an email worm with subject line "Here You Have" began circulating, with widespread media attention soon following. In actuality, the email worm contained a significant flaw that ensured an extremely short 'time to life'. The actual email worm binary was sent as a link contained in the body of the email.

What are the characteristics of the email message?

Email characteristics vary, although the subject line (Here You Have) is constant. Examples of the email message text include:


This is The Document I told you about,you can find it Here.

<link to worm binary>

Please check it and reply as soon as possible.


‐‐ and ‐‐


This is The Free Dowload Sex Movies,you can find it Here.

<link to worm binary>

Enjoy Your Time.


Does Cisco detect and block this attack?


The Cisco Web Security Solutions detect and block this worm. First encounter/block was on 09‐Sep‐10 15:59:20 GMT.

The Cisco Email Security Solutions detect and block the email spam, as of 09‐Sep‐10 17:51:00 GMT.


Cisco continues to provide proactive protection from Email and Web‐based threats, including the latest “Here You Have” Email Worm, in all of its Email and Web Security products and services.

Cisco IronPort Email Security Appliance (ESA): Our Email Security Appliances, running Cisco IronPort Anti‐Spam, blocked this threat over email within minutes of the worm campaigns’ start, providing excellent protection from all variations of this worm.

Cisco IronPort Cloud Email Security Services: Similarly, Cisco IronPort Anti‐Spam also protected our Cloud Email Security customers within minutes of the worm’s outbreak.

Cisco ScanSafe Web Security Products: ScanSafe customers are provided protection through Outbreak Intelligence using content analysis techniques that block this threat based on the payload as well as the redirections involved in reaching that payload.

Cisco IronPort Web Security Appliance (WSA): Web security can be effective in stopping the propagation and operation of HYH Email Worm. The S‐Series Secure Web Gateway, running Web Reputation Filters, has been shown to be extremely effective in mitigating risk on the Web vector by blocking the URL associated with the HYH Email Worm. Customers with Web Reputation Filters are receiving this protection.
