Kournikova Virus Writer Speaks
Feb. 13, 2001 -- The "Anna Kournikova" computer virus wasn't intended to hurt anyone, a person claiming to be the author says in a public letter on his personal Web site.
The virus, the fastest-spreading since last year's "Love Bug," shut down e-mail servers at major firms around the world Monday and today. Disguised as an e-mail attachment purporting to be a picture of Russian tennis starlet Anna Kournikova, it mass-mailed itself out to everyone in a victim's address book when double-clicked.
The virus' spread is now tapering off as more firms install protection against it, experts said. The virus doesn't destroy files, but it can clog up and shut down mail servers. For e-mail-dependent companies like financial and media firms, that can mean major losses in productivity.
"I never wanted to harm the people you opened the attachment. But after all: it's their own fault they got infected with the AnnaKournikova virus, OnTheFly virus or watever they call it," the alleged virus writer, who calls himself "OnTheFly," says on his site in a message dotted with spelling and other errors.
Antiviral experts have been repeating a similar message: People should practice safe computing and not click on unsolicited e-mail attachments, even if they look enticing or come from friends.
Dave Kroll, president of Finjan Software, a San Jose, Calif.-based antivirus firm, also places some blame on antiviral companies. He said some antivirus software is too "reactive," requiring users to download continual updates to protect against the newest threats.
"You can't be reactive any more; you need something more proactive," he said.
Information technology managers should also be a bit more proactive, said Graham Cluley of the antivirus firm Sophos. A few simple steps taken after the Love Bug fiasco, such as blocking certain types of attachments, would have prevented this virus attack.
"Are you going to wait for the Billie Jean King virus?" Cluley said.
Not a Programmer
One of the scarier aspects of this virus attack is that the writer is apparently not a programmer. He put the virus together from a point-and-click, "viruses for dummies" kit released by an Argentine virus writer called [K]Alamar.
"I have made this virus with a Visual Basic Worm Generator, written by [K]Alamar. K. is NOT involved with this worm! I have been using this programm because I don't know any programming languages," OnTheFly writes on his site. He posted his message in English, although he often writes in Dutch on the site.
Postings to bulletin boards from Feb. 2 reveal OnTheFly, who is believed to be a teenager, asking very basic virus-writing questions. But he's a frequent contributor to hacking and virus bulletin boards.
Virus construction kits are popular with unskilled kids who want to be seen as tough, Cluley said.
"More and more people are getting into computers, but the people who are getting into computers aren't necessarily as technical as the guys were five or 10 years ago ... [but] a 'cool' virus writer would never touch a construction kit," he said.
Glamour and Fame?
Kids like OnTheFly are just trying to get glamour and fame through their criminal acts, said David Perry, global director of education at antivirus firm Trend Micro.
"Look at the stance of these kids — they call themselves 'Mr. Dangerous' and 'Kid Hollywood.' What they're looking at is something on the order of rock 'n' roll credibility to be added to their virus writing," he said.
The FBI is "assessing the issue" of prosecuting OnTheFly, spokeswoman Debbie Weierman said. Typically, the FBI works with foreign law enforcement officials in cases where an offender is overseas, she said. The Dutch government did not return calls from ABCNEWS.com about possible prosecution of OnTheFly.
The real programmer behind the virus, [K]Alamar, is unlikely to be prosecuted. Argentina has no laws against virus writing, so especially if Alamar didn't release the virus himself, he's off the hook, Argentine government officials said.
Alamar's motivation is probably different from OnTheFly's, Perry said. Alamar likely wants to show off his programming skills and become a leader in the virus community, not just wreak havoc.
Alamar is 17, according to his profile on the chat system ICQ, and on his Web site he claims to have written five original viruses. All are Microsoft Word macro or VBS viruses. Alamar also hasn't released his viruses into the wild before, said Raemund Perry, vice president for Europe of Trend Micro. But he's made nine versions of his construction kit publicly available.
"I think [K]Alamar is selling switchblades to wanna-be juvenile delinquents," Perry said.
Here You Are
The virus, also called OnTheFly, SST, Kalamar_A or Lee_O, arrives in an e-mail titled "Here you have," "Here you are," or "Here you go," usually from a friend. Inside there's the phrase "Hi: Check This!" and an attachment of "AnnaKournikova.jpg.vbs" or something similar. (Sometimes the ".vbs" doesn't appear.) Unsuspecting recipients may be fooled into thinking they are about to click on a photo of Kournikova, the blonde tennis star.
"Just because I am a big fan of her. She deserves some attention, doesn't she??," OnTheFly says on his site.
Antivirus experts said that Kournikova's personal appeal is what made this virus particularly quick to spread. There have been plenty of similar e-mail worms in the past few months, but none have spread as fast or as far.
"It's an old tired virus method with a pretty face and nice legs on it," said Steve Gottwals of antivirus firm F-Secure.
The attachment's snakelike icon means it's a Visual Basic script, or VBS — in other words, a computer program, not a graphics file. The Love Bug and NewLove came in the same form. Like those viruses, this one only affects Microsoft Windows users with the Outlook or GroupWise e-mail programs.
Once it sends a batch of messages out to everyone in a victim's address book, it lies dormant until the next Jan. 26, when it sends the victim's Web browser to www.dynabyte.nl, the site of a Dutch computer store.
"A couple of days ago I bought something in that Dutch Ccomputershop and at the moment of writing that virus I had the receipt in front of me, on my desk. I never meant to harm the site," OnTheFly writes.
Most antivirus companies have cures for the virus now. The easiest solution: Don't click on any attachments that claim to be pictures of Kournikova or end with ".vbs," and you won't get infected.