X
Tech
Home Tech Security

Virus update: From Russia with love

Variants of a virus capitalising on the popularity of 19-year-old Russian tennis player Anna Kournikova failed to add momentum to the worm's spread Monday
Written by Robert Lemos, Contributor

"I think it is under control at this point," said Vincent Gullotto, director of security software maker Network Associates' antivirus emergency response team. "It had the potential to become Love Letter-ish, but because we and others had protection, it failed to spread too quickly."

Network Associates had seen "a few hundred" submissions of the virus from clients, but by Monday afternoon, the rate had dropped off.

Also known as VBS/SST, VBS_Kalamar, and VBS/OnTheFly, the virus initially posed as an attachment -- AnnaKournikova.jpg.vbs -- included in an e-mail with one of several similar subject lines.

The virus uses Visual Basic to infect Windows systems and then on systems with Outlook it mails itself out to the entire address book. Its ability to mail itself out to a large number of Internet users classifies the virus as a worm.

"It's going to be more widespread than Melissa but less than the Love Bug," said Vincent Weafer, director of the Symantec AntiVirus Research Centre.

Melissa kicked off a new age of fast-spreading, hard-hitting worms in March 1999, when the macro virus flooded email systems by using commands built into Microsoft Word to control email. David L Smith, who pleaded guilty to authoring and releasing the virus, is currently awaiting sentencing.

Last May, a Visual Basic script masquerading as a love letter spread quickly after it was released from the Philippines. A 22-year-old computer-school dropout, Onel de Guzman, has since been charged for crimes related to the release of the virus. Due to the lack of laws regarding computer crime in the Philippines, de Guzman is facing charges of credit-card fraud.

Like Melissa, the Anna Kournikova virus does not damage the systems it has infected, said SARC's Weafer.

However, the author seems to be creating and releasing new variants, he said. The variants of the email message appeared Monday afternoon and included e-mail messages with slightly different subject lines and attachments that had abbreviated file names.

By late Monday, antivirus experts had seen the subject lines "Here you are ;-)", "Here you have ;o)" and "Here you go ;-)."

The variants are thought to have been created by a point-and-click program known as the Vbs Worms Generator and authored by Kalamar, a member of the Argentine virus underground, said experts.

While the changes may have fooled some people into opening the attachment that contained the virus, PCs running updated antivirus software would not be fazed, said Weafer.

Initial reports indicated that the virus' promise of a picture of the teenage tennis heartthrob had lured a large number of people into opening the fake image.

"Compared to the Love Bug, it's spreading twice as fast," Alex Shipp, antivirus technologist with UK-based email service MessageLabs, said Monday morning.

In the first five hours after MessageLabs detected the infection, its users had received almost 2,900 copies of the infected email sent from more than 290 different domains.

Antivirus software maker Trend Micro said the virus had hit many different types of companies. "We have heard from a government agency that has seen 200 hits per hour," spokeswoman Susan Orbuch said. "Others include a banking institution, a major networking company, a beverage company and an insurance company. You are not just seeing it in one sector."

Trend Micro's software detected the virus originally as VBS_KALAMAR, and believe that Kalamar is the author of the virus creation kit.

As of 11.15am Monday, major antivirus software makers had either posted patches to detect the virus or already detected it with a latest version.

Running and updating anti-virus software is a complete pain, which is why most users don't bother. Guy Kewney says we know that anybody with a brick heavy enough to break our windows could get into our houses; and that it would cost a fortune to make the house significantly more secure. So we take refuge in statistics -- it's not likely to happen, really; so we'll hope it doesn't. Go to AnchorDesk UK for the news comment.

Having trouble with Anna? Get your fix here

Take me to the Virus Workshop

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.

Editorial standards
Show Comments

Related

ipad-pro-2024

Four reasons to buy the Apple's 2024 iPad Pro (especially if you own an older model)

iPad Mini screen with page of apps

I've used every iPad since the original. Here's my buying advice for the new 2024 models

cover

5 ways to make your Echo Show less annoying