IT@TT - Online

Virus masquerades as pix of Russian tennis sensation

Virus coders sure know how to take advantage of our desire for cute babes. It also shows the slant of the computer user base; men mostly. And horny, Desperate Dans at that. The latest email worm sports a cutesy tag line and content because the coder knows that most users will willingly open a picture of a teenage sex bomb. But download or view this particular picture and you are in deep trouble. And not of the wife or girlfriend variety.

The new Internet worm is generically known as VBS/STS@MM (aka Anna Kournikova, AnnaKournikova, VBS.VBSWG.J, VBS/Anna, VBS/OnTheFly, VBS/SST, VBS/SST-A, VBS/SST.A, VBS/VBSWG.J, VBS_Kalamar.a). Developed in Visual Basic script (VBS), it is similar to 2000's Love bug in that it targets Outlook users.

The virus attachment is named ANNAKOURNIKOVA.JPG.VBS. With such a long filename, you usually see just the first 5-6 character. The email has "Hi: Check This!" , "Here you have,", "Here you go" or "Here you are" all followed by a smiley face. For those not in the loop Anna Kournikova is a Russian teen tennis sensation; if only for her looks not talent.

As you save her "image" you are actually helping the worm execute. The worm copies itself into the Windows directory. It then proceeds, Melissa-style, to send a copy of itself to every address in the Windows Address Book. And if that's not all, on January 26 next year (if not treated), the worm will launch your default browser and open a Dutch site: http://www.dynabyte.nl.

The worm creates registry keys "HKEY_USERS\.DEFAULT\Software\OnTheFly" and "HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=1" (for yes). And you know that you too have been infected if the file ANNAKOURNIKOVA.JPG.VBS is present, as is the two Registry keys mentioned and you have contacts complaining that you've sent them a virus!

The worm is spreading like wildfire in the US and Europe. There are still no reports of Indian infections. But expect a sizable number by the weekend. My take is that most computer users seem to lack in love. Which explains why Melissa (ILoveYou) spread so fast. Now with Valentine's day just around the corner, pictures of a "sex-bomb" in the mail seem to have users salivating again.

Unfortunately for the vast majority of networks, Microsoft Outlook or Outlook Express is one of the most widely-used email clients. Which the worm targets. However Mac and other email users can spread the worm manually by forwarding the email.

If you have downloaded and installed a security update released by Microsoft in the wake of the Love bug, your email client will issue a warning whenever an external program tries to access your Windows Address Book. However, from experience this warning doesn't work when the program is an Outlook variant!

So don't wait; update your anti-virus program immediately (I did). And also don't open any attachments without saving the file first to a folder and then checking the file extension.

Govind Menon
[email protected]

Top

Other Articles