Kournikova worm fast, not too furious

Embarrassment rather than actual damage to systems appeared to be the main penalty as the Anna Kournikova worm swept through the country yesterday.

IS administrators at many sites appeared to have learned from last year's Love Bug worm and have either applied Microsoft's patch for Outlook Express, which changes the mail client's default from running Visual Basic Script automatically, or simply disabled VBS on PCs where it is not considered necessary.

The worm's lack of a destructive payload meant that the main penalty for firms infected was time lost in cleaning up and contacting those who had been automatically emailed as a result of the infection.

Among local organisations infected yesterday were the Medical Association, the Human Rights Commission, the internet marketing firm Brave New World, recruitment agency Lacey Lee, online job advertising company Adcorp and IT distributor Asnet.

Xtra said it started filtering for the virus at 8am and intercepted tens of thousands of copies. Mark Harris of New Zealand Government Online said no government agencies appeared to have suffered infection, but the e-government unit at the State Services Commission was tracking it.

The worm appeared to find more purchase in other countries. Finland-based security vendor F-Secure, which calls the virus "Onthefly," said in a statement that it appeared to be spreading faster than many of last year's bigger viruses, adding that it is currently spreading as fast as the Love Bug, which infected an estimated 15 million computers.

A spokesman for Symantec said the virus hit "about 50" of Symantec's large US customers yesterday.

"Most likely, this came from the virus generation kit, which allows 'script kiddies' to create viruses easily," he added. Script kiddies are computer users who usually lack programming skills, but use easy-to-assemble kits and scripts to create viruses.

The worm is a VBS/SST virus written in Visual Basic Script that masquerades as a picture of tennis star Anna Kournikova. First reports from Europe were of an email with the subject line "Here you have, ;o)" and an attachment called AnnaKournikova.jpg.vbs. Other subject lines have been reported.

The worm, likely to have originated in the Netherlands, only infects PCs running Microsoft Windows. Like the Love Bug, it mails itself to everyone in an Outlook user's address book. It also launches web browsers and directs them to the address http://www.dynabyte.nl when its payload is triggered on January 26.

Next, the virus checks to see if the mass-mailing routine has been executed. If not, the worm emails everyone in the Outlook address book and creates the registry key HKCU/Software/OnTheFly/mailed so that it does not email every address again. The worm then remains running and, if it is deleted, attempts to recreate itself. Due to a bug in the code, the virus instead recreates itself as a zero-byte file.

Symantec New Zealand spokesman Thom Bailey says the company has virus definitions allowing the worm to be detected and repaired available for download from http://www.symantec.com/avcenter/download.html
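As an added illustration (not from the original article or from any vendor named in it), this is a mail-gateway style check for the disguise described above: an attachment whose real, final extension is a script type hidden behind a picture or document extension, as in AnnaKournikova.jpg.vbs. The extension lists, function names and sample message are assumptions constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed lists for this example; extend them to match local policy.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".doc", ".pdf"}


def classify_filename(name):
    """Return 'double-extension', 'script' or None for an attachment name."""
    # Normalise case and drop trailing dots/spaces before reading extensions.
    cleaned = name.strip().rstrip(". ").lower()
    suffixes = PurePosixPath(cleaned).suffixes
    if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
        return None
    # A harmless-looking extension directly before the script extension
    # is the masquerade the article describes.
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "double-extension"
    return "script"


def scan_message(raw_bytes):
    """Return (filename, verdict) for every flagged attachment in a message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        verdict = classify_filename(filename) if filename else None
        if verdict:
            findings.append((filename, verdict))
    return findings


def build_sample():
    """Constructed sample shaped like the reported email; payload is inert."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Here you have, ;o)"
    msg.set_content("constructed body text")
    msg.add_attachment(b"' inert placeholder\r\n", maintype="application",
                       subtype="octet-stream", filename="AnnaKournikova.jpg.vbs")
    msg.add_attachment(b"placeholder", maintype="image", subtype="jpeg",
                       filename="holiday.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Matching on the attachment name rather than the subject line matters here because, as the article notes, other subject lines have been reported.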
