Information Security News mailing list archives
New Virus: Now Anna Loves You
From: InfoSec News <isn () C4I ORG>
Date: Tue, 13 Feb 2001 01:10:58 -0600
http://www.wired.com/news/technology/0,1282,41761,00.html [Amazing, I only got one copy of this virus here today, and you would be suprised how many time I have had to delete the Snow White virus from the ISN mail in an average week. Mind you, a larger version of this virus say 40+K large would probably find more users clicking it on over a 3.5K jpeg of Anna Kournikova. ;) - WK] by Michelle Delio 1:00 p.m. Feb. 12, 2001 PST A new worm is making its way through e-mail boxes, and it seems to be spreading more rapidly than last year's Love Bug, which infected 15 million computers and is regarded as the worst e-mail virus ever. The new e-mail worm, known as "Onthefly" and "Anna Kournikova," sends itself in an e-mail with the subject "Here you have, ;o)" -- and carries a message that reads, "Hi: Check This!" The e-mail contains a Visual Basic scripted attachment that is titled "Anna Kournikova." Kournikova is an international tennis star -- and she's also one of the most downloaded celebrities on the Internet. "She's a very good looking woman. Every guy in the world is going to click on that attachment," said Andrew Antipass, a systems administrator at Tekserve, a security firm. The worm doesn't seem to be doing any harm to infected computers. In other words, it's a lot like Kournikova at a Grand Slam tournament: She arrives with great fanfare, attracts lots of attention, then does nothing. But because of the anticipated huge numbers of e-mails being generated by the virus, the only danger appears to be the possibility that it will overload and crash e-mail servers. When the attachment is clicked, the worm sends itself via e-mail to all addresses found in a user's Outlook address book. The virus also uses encryption to hide itself, to make it harder for antiviral software to detect it. "Early propagation reports indicate that this virus is spreading faster than many of the biggest viruses we saw last year," said Mikko Hypponen of F-Secure. Network Associates antiviral firm McAfee currently ranks the risk from this worm as high, and lists as worm-warning signs the "Presence of the file "c:WINDOWSAnnaKournikova.jpg.vbs" on a user's hard drive. The company also wryly notes that a deluge of complaints about virus-sending e-mails from people whose names are in your Outlook address book would be another good tip-off that you are infected. McAfee said that it has had protection for this worm since last August, and said that its users who had updated their software would be protected. F-secure's products also protect against the worm. The virus activates itself on Jan. 26, 2002, when it opens up the Web page of a Dutch computer shop, which apparently has no connection with the worm. The encryption used by the worm's writer has made it difficult to detect what, if any, damage the worm is intended to do to infected machines. Some experts said that the link to a Danish website is puzzling. "Normally you would expect a worm that reaches out to a website to be attempting to download code from that site. Virus writers have used this technique in the past to bolster their viruses damage in the past," Antipass said . "But that doesn't appear to be the case here. I suspect its an odd attempt at crashing the Danish website when all these computers are supposed to attempt to connect to it next January." Security firm MessageLabs is warning that it has already seen more than 3,000 copies of the virus in the last four hours. Alex Shipp from MessageLabs said that the company "saw the first copy at 13:30(GMT) and now, just four hours later, we've seen more than 2,900 copies come in. We are still analyzing the code - some virus software picks it up - most doesn't." The worm appears to be a variant of Love Bug, which was capable of damaging the contents of computer hard drives. Outlook users should not open the e-mail, but should select it by holding down the shift key and the press delete to permanently remove the e-mail(s) from your system. Microsoft advises Outlook users to download and install the Outlook security patch for Office 2000 or a Office 98. "The patch will effectively protect Outlook users from the Anna Kournikova e-mail worm and others like it," said Alton Kwok, Microsoft program manager. Antipass said that the real danger will probably come in the next two weeks, as worm writers reengineer the code, altering it to make it more vicious. "Keep an eye out for a blitz of wormy mail over the next few weeks," antipass said. "But don't get hysterical. As always, if you don't click on any attachments, you won't have any problems. If people would learn to think before they click, these problems would cease to exist." ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- New Virus: Now Anna Loves You InfoSec News (Feb 12)