Widespread Reporting of "Here you have" Virus (aka W32/VBMania@MM)
Thursday September 9, 2010 at 12:12 pm CST
Posted by Craig Schmugar
- Updated 7:10 PM PDT -
McAfee Labs is currently investigating a new threat commonly referred to as the "Here you have" virus, after the email subject line the worm uses during propagation. It looks like multiple variants may be spreading, and it may take some time to work through them all to paint a clearer picture. Here's what we know thus far.
Infectious email messages may have the following properties:
Subject: Here you have or Just For you
Body:
Hello:
This is The Document I told you about,you can find it Here.
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf
Please check it and reply as soon as possible.
Cheers,
or
Hello:
This is The Free Dowload Sex Movies,you can find it Here.
http://www.sharemovies.com/library/SEX21.025542010.wmv
Enjoy Your Time.
Cheers,
The URL does not actually lead to a PDF document, but rather to an executable in disguise, such as PDF_Document21_025542010_pdf.scr, served from a different domain, such as members.multimania.co.uk. This URL is no longer active, and the email propagation vector is believed to be crippled at this time (though already infected hosts may continue to spread email messages).
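The mismatch described above, where the address shown in the message names a document but the link target is an executable on another host, is something a mail filter can check. The following is an added example, not code from McAfee or the original post; it assumes the message body is HTML with anchor tags, and the sample body, the example domains and the names `AnchorCollector` and `audit_links` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types Windows runs directly; .scr is the one named in the post.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")

# Constructed sample body (example domains, not the worm's real URLs).
SAMPLE_HTML = (
    '<p>Hello:</p><p>you can find it Here.</p>'
    '<a href="http://files.example.net/PDF_Document_pdf.scr">'
    'http://docs.example.com/library/PDF_Document.pdf</a>'
    '<p><a href="http://docs.example.com/help">http://docs.example.com/help</a></p>'
)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html_body):
    """Return a finding for each anchor whose target contradicts its text."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target, shown, reasons = urlparse(href), urlparse(text), []
        if target.path.lower().endswith(EXECUTABLE_EXTS):
            reasons.append("executable-target")
        # Only compare hosts when the visible text is itself a URL.
        if shown.scheme in ("http", "https") and shown.hostname != target.hostname:
            reasons.append("host-mismatch")
        if reasons:
            findings.append({"shown": text, "href": href, "reasons": reasons})
    return findings
```

Calling `audit_links(SAMPLE_HTML)` flags only the first anchor, with both reasons attached; the second anchor, whose text and target agree, is not reported.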
Here is some additional information on the threat behavior:
Generic.dx!tsp!2BDE56D8FB2D - http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=275352
W32/VBMania@MM - http://vil.nai.com/vil/content/v_275435.htm
When a user chooses to manually follow the hyperlink, they will be prompted to download or execute the virus. When run, the virus installs itself to the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE file within the Windows System directory). Once a host is infected, the worm attempts to send the aforementioned message to email address book recipients. It can also spread through accessible remote machines, mapped drives, and removable media via Autorun replication.