Kournikova Virus Continues to Spread

By
<A HREF="mailto:sascha.i.segan@abcnews.com">Sascha Segan</A>
January 7, 2006, 7:41 AM ET
4 min read

Feb. 13, 2001 -- The "Anna Kournikova" virus is picking up speed this morning, spreading to banks, brokerage houses and media organizations across Europe, according to virus experts. And another assault is expected on computers in the United States.

The e-mail-based worm is the biggest worldwide computer virus since last year's Love Bug, says Graham Cluley of the British antivirus firm Sophos. Victims receive an e-mail containing an attachment that seems to be a picture of the winsome Russian tennis player. If they double-click on the attachment, the virus sends itself to everyone in the victim's Microsoft Outlook address book.

"It has been detected within major companies, big ones [this morning], almost every big one, because it's spreading through the PR agencies," said Raemund Genes, vice president for Europe of antivirus firm Trend Micro.

The virus is likely to hit U.S. home users hard today, since most major U.S. companies will have set up protection after Monday's attack, says Cluley. The easiest solution: Don't click on any attachments that claim to be pictures of Kournikova or end with ".vbs," and you won't get infected.

"Home users inevitably are going to be more lackadaisical about updating their software and they're probably going to be keener on looking at pictures of tennis players" than business users, he said.

The virus doesn't destroy files, but it can clog up and shut down mail servers. For e-mail-dependent companies like financial and media firms, that can mean major losses in productivity.

Rampaging Teenagers

The virus was concocted by someone calling himself "OnTheFly," according to Trend Micro. Experts there say OnTheFly is probably a Dutch teenager without much virus experience. He built the virus from a sort of "viruses for dummies" construction kit allowing wanna-be vandals to pick signatures, payloads and damage types from a point-and-click menu.

Construction kits are popular with unskilled kids who want to be seen as tough, Cluley said.

"More and more people are getting into computers, but the people who are getting into computers aren't necessarily as technical as the guys were five or 10 years ago ... [but] a 'cool' virus writer would never touch a construction kit," he said.

The real author of the virus is an Argentinian calling himself [K]Alamar, who built the construction kit. [K]Alamar is 17, according to his profile on the chat system ICQ, and on his Web site he claims to have written five original viruses. All are Microsoft Word macro or VBS viruses.

[K]Alamar is also a member of an Argentinian virus club including someone called "Pepe Lepu." But there's no evidence connecting him with Zulu, the most famous Argentinian virus author, who wrote the widespread BubbleBoy virus. [K]Alamar also hasn't released his viruses into the wild before, Genes said.

"He hasn't released viruses. He released different construction kits," he said.

Easily Curable

What's most frustrating about this virus, experts said, is that it's easily curable. Trend Micro's software has immunized computers from it since last July. Anyone who applied Microsoft's security patch for Outlook, released last year after the Love Bug, is immune. And, of course, you have to actually, voluntarily double-click on the attachment to become infected.

Cluley says the fact that so many businesses are being hit shows that corporate IT managers have dropped the ball in protecting their system. VBS files have no place in e-mail and "double extensions" like .jpg.vbs confuse users and have no productive purpose, he said.

Genes said he knows of firms which haven't updated their virus software in months. It's important to get regular updates, he said.

"You simply forget about the box sitting in the corner" running antivirus software, he said.

Here You Are

The virus, also called OnTheFly, SST, Kalamar_A or Lee_O, arrives in an e-mail titled "Here you have," "Here you are," or "Here you go," usually from a friend. Inside there's the phrase "Hi: Check This!" and an attachment of "AnnaKournikova.jpg.vbs" or something similar. Unsuspecting recipients may be fooled into thinking they are about to click on a photo of Kournikova, the blonde tennis star.

That .vbs extension and the attachment's snakelike icon mean it's a Visual Basic script, or VBS — in other words, a computer program, not a graphics file. The Love Bug and NewLove came in the same form. Like those viruses, this one only affects Microsoft Windows users with the Outlook e-mail program.

Once it sends a batch of messages out to everyone in a victim's address book, it lies dormant until the next Jan. 26, when it sends the victim's Web browser to www.dynabyte.nl, the site of a Dutch computer store. Experts speculated that might be an attempted denial-of-service attack against the computer store.