Information Security News mailing list archives

New Virus: Now Anna Loves You


From: InfoSec News <isn () C4I ORG>
Date: Tue, 13 Feb 2001 01:10:58 -0600

http://www.wired.com/news/technology/0,1282,41761,00.html

[Amazing, I only got one copy of this virus here today, and you would
be surprised how many times I have had to delete the Snow White virus
from the ISN mail in an average week. Mind you, a larger version of
this virus say 40+K large would probably find more users clicking it
on over a 3.5K jpeg of Anna Kournikova. ;)  - WK]


by Michelle Delio
1:00 p.m. Feb. 12, 2001 PST

A new worm is making its way through e-mail boxes, and it seems to be
spreading more rapidly than last year's Love Bug, which infected 15
million computers and is regarded as the worst e-mail virus ever.

The new e-mail worm, known as "Onthefly" and "Anna Kournikova," sends
itself in an e-mail with the subject "Here you have, ;o)" -- and
carries a message that reads, "Hi: Check This!"

The e-mail contains a Visual Basic scripted attachment that is titled
"Anna Kournikova."

Kournikova is an international tennis star -- and she's also one of
the most downloaded celebrities on the Internet.

"She's a very good looking woman. Every guy in the world is going to
click on that attachment," said Andrew Antipass, a systems
administrator at Tekserve, a security firm.

The worm doesn't seem to be doing any harm to infected computers. In
other words, it's a lot like Kournikova at a Grand Slam tournament:
She arrives with great fanfare, attracts lots of attention, then does
nothing.

But because of the anticipated huge numbers of e-mails being generated
by the virus, the only danger appears to be the possibility that it
will overload and crash e-mail servers.

When the attachment is clicked, the worm sends itself via e-mail to
all addresses found in a user's Outlook address book. The virus also
uses encryption to hide itself, to make it harder for antiviral
software to detect it.

"Early propagation reports indicate that this virus is spreading
faster than many of the biggest viruses we saw last year," said Mikko
Hypponen of F-Secure.

Network Associates' antiviral firm McAfee currently ranks the risk from
this worm as high, and lists as worm-warning signs the presence of
the file "c:\WINDOWS\AnnaKournikova.jpg.vbs" on a user's hard drive.

The company also wryly notes that a deluge of complaints about
virus-sending e-mails from people whose names are in your Outlook
address book would be another good tip-off that you are infected.

McAfee said that it has had protection for this worm since last
August, and said that its users who had updated their software would
be protected. F-Secure's products also protect against the worm.

The virus activates itself on Jan. 26, 2002, when it opens up the Web
page of a Dutch computer shop, which apparently has no connection with
the worm.

The encryption used by the worm's writer has made it difficult to
detect what, if any, damage the worm is intended to do to infected
machines. Some experts said that the link to a Danish website is
puzzling.

"Normally you would expect a worm that reaches out to a website to be
attempting to download code from that site. Virus writers have used
this technique in the past to bolster their viruses' damage in the
past," Antipass said.

"But that doesn't appear to be the case here. I suspect it's an odd
attempt at crashing the Danish website when all these computers are
supposed to attempt to connect to it next January."

Security firm MessageLabs is warning that it has already seen more
than 3,000 copies of the virus in the last four hours.

Alex Shipp from MessageLabs said that the company "saw the first copy
at 13:30(GMT) and now, just four hours later, we've seen more than
2,900 copies come in. We are still analyzing the code - some virus
software picks it up - most doesn't."

The worm appears to be a variant of Love Bug, which was capable of
damaging the contents of computer hard drives. Outlook users should
not open the e-mail, but should select it by holding down the shift
key and then press delete to permanently remove the e-mail(s) from your
system.

Microsoft advises Outlook users to download and install the Outlook
security patch for Office 2000 or Office 98.

"The patch will effectively protect Outlook users from the Anna
Kournikova e-mail worm and others like it," said Alton Kwok, Microsoft
program manager.

Antipass said that the real danger will probably come in the next two
weeks, as worm writers reengineer the code, altering it to make it
more vicious.

"Keep an eye out for a blitz of wormy mail over the next few weeks,"
Antipass said. "But don't get hysterical. As always, if you don't
click on any attachments, you won't have any problems. If people would
learn to think before they click, these problems would cease to
exist."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

