The Here You Have worm, also known as Visal.B, has been spreading through network shares and email (more details on Microsoft’s Malware Protection Center web site). When spreading through email, the worm sends itself to your contacts with the following strings in the Subject field and message body:

  • Subject: Here you have

    Body:
    Hello:

    This is The Document I told you about,you can find it Here.
    http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

    Please check it and reply as soon as possible.

    Cheers,

  • Subject: Just for you

    Body:
    Hello:

    This is The Document I told you about,you can find it Here.
    http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

    Please check it and reply as soon as possible.

    Cheers,

  • Subject: hi

    Body:
    Hello:

    This is The Free Dowload Sex Movies,you can find it Here.
    http://www.sharemovies.com/library/SEX21.025542010.wmv

    Enjoy Your Time.

    Cheers,

In Exchange Server 2010/2007, you can use Transport Rules to quickly and easily prevent such malware from spreading by email. Transport Rule Predicates (or Conditions in the Transport Rule wizard) and Actions are the building blocks of a transport rule. You can use rule conditions to inspect the content of different parts of a message such as message headers, sender/recipients, message subject, and message body. In Exchange 2010, the Transport Rules agent can also inspect attachment content.

A list of predicates and actions in Transport Rule Predicates and Transport Rule Actions.

Creating the Transport Rule

--> The rest is on Exchangepedia Blog :

http://exchangepedia.com/2010/09/using-transport-rules-to-protect-your-organization-from-the-here-you-have-worm.html