Original URL: http://www.theregister.co.uk/2001/02/13/anna_kournikova_bug_drops_harmlessly/

Anna Kournikova bug drops harmlessly onto the Net

'Potentially devastating': you cannot be serious!

By John Leyden

Posted in Security, 13th February 2001 18:20 GMT

Much like the tennis star herself, the Anna Kournikova worm created a lot of interest and attention when it hit the Net - but lacks anything like a powerful smash.

As we previously reported, an Internet-based email worm that masquerades as a picture of tennis star Anna Kournikova is spreading fast after being unleashed on the Internet yesterday. MessageLabs, which scans its users' email for malicious code, has intercepted 20,000 copies of the worm since yesterday.

However, VBS/SST, or the Anna Kournikova worm as it has been called, has failed to create anything like the trail of destruction caused by the similar Love Bug virus.

Security experts said part of the reason for this is that network administrators have closed the security loopholes that allowed Visual Basic scripting worms, like the Love Bug and VBS/SST, to overwhelm email servers, though many think security is as lax as ever.

Far more important in limiting the damage caused by VBS/SST is that it carries a relatively weak payload.

The worm comes in an email with the subject line "Here you have, ;o)" and an attachment called AnnaKournikova.jpg.vbs. The virus is activated by the user clicking on the attachment, after which it emails itself to everyone in a user's Microsoft Outlook address books.

McAfee, a division of security firm Network Associates, reports that the virus has been found in 50 enterprise-size companies, including Fortune 500 firms. However, we could only confirm that relatively small firms like travelfusion, religious organisation New Directions and gambling site flutter.com had been affected by the bug.

Moshe Rafiah, travelfusion's chief executive, told The Register that he was the only person at the online travel etailer to be caught out by the worm, and that he was able to disinfect his machine by downloading the latest virus definitions from Symantec.

Paul Rogers, a network security analyst at MIS Corporate Defence, said a lot of users learnt lessons from the Love Bug and put restrictions on Visual Basic scripting that prevented the spread of such viruses.

"This will only catch out companies that haven't got it right," said Rogers.

Andre Post, a senior researcher at Symantec, said that the main effects of the virus have been seen in the US, where "a few companies have shut down their web servers as a precautionary measure".

The spreading routine of VBS/SST is different from that used by the Love Bug, said Post, who added that the bug was created using a worm creation tool, called "[K]Alamar's Vbs Worms Creator", from a virus exchange site.

Post added that the toolkit is easy to use and requires no particular skill, and that the virus's attempt to direct a victim's web browser to a Dutch Web site, called dynabyte.nl, on January 26 mimics earlier self-replicating viruses produced using the kit. ®

Infection Removal

To remove the worm from a system, Russian anti-virus experts Kaspersky Labs have issued the following instructions:
1. Delete the "AnnaKournikova.jpg.vbs" file from the Windows system folder;
2. Delete the following Windows system registry keys:
HKEY_CURRENT_USER\Software\OnTheFly
HKEY_CURRENT_USER\Software\OnTheFly\mailed

Outlook Express users can stop viruses like Love Bug and the Anna Kournikova worm dead in their tracks with a few simple steps:
1. Go to "Tools", then "Options".
2. Click the "Security" tab.
3. Select "Restricted Zone" and click OK.
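
A mail-gateway check for the masquerade described above, where a script attachment hides behind an image-style name such as AnnaKournikova.jpg.vbs. This is an added example, not part of the original article or any vendor's code; the extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows Script Host or the shell will run (assumed blocklist).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta"}
# Harmless-looking extensions used as the visible decoy (assumed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "bmp", "png", "txt", "doc", "pdf"}


def is_masquerading(filename):
    """True if the name ends in <decoy>.<script>, e.g. photo.jpg.vbs."""
    # Windows drops trailing dots and spaces on save, and padding can hide the
    # real extension, so normalise both before comparing.
    parts = [p.strip() for p in filename.rstrip(". \t").lower().split(".")]
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTS and parts[-2] in DECOY_EXTS


def suspicious_attachments(raw_message):
    """Return the masquerading attachment names found in a raw message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # Content-Disposition filename, falling back to the Content-Type name.
        name = part.get_filename()
        if name and is_masquerading(name):
            hits.append(name)
    return hits


def build_sample():
    """Constructed message using the subject and attachment name from the article."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "Here you have, ;o)"
    m.set_content("constructed body text")
    m.add_attachment(b"placeholder image bytes", maintype="image",
                     subtype="jpeg", filename="holiday.jpg")
    m.add_attachment(b"' placeholder, not worm code", maintype="application",
                     subtype="octet-stream", filename="AnnaKournikova.jpg.vbs")
    return m.as_bytes()


if __name__ == "__main__":
    print(suspicious_attachments(build_sample()))
```

The check only covers the double-extension disguise; a bare .vbs attachment is a separate policy decision.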
