IWS - The Information Warfare Site

ASSESSMENT 01-001

"Anna Kournikova" also known as "VBS/SST" VBS Virus
February 12, 2001

Based upon investigations and information from other sources, the "Anna Kournikova" mass-mailing worm/virus is spreading rapidly throughout the Internet. Despite its rapid propagation, it is seen as a low threat due to its apparently nondestructive payload. Although it does not infect files on the victim's systems, this mass-mailing worm can potentially clog e-mail servers because of the volume of mail it generates. Administrators are advised to adjust their filtering software to block attachments with the name Anna Kournikova.jpg.vbs. Additionally, users should not open any e-mails or attachments with the Anna Kournikova.jpg.vbs name.

VBS/SST.Worm is a Visual Basic Script worm that spreads via e-mail by using MAPI applications such as Microsoft Outlook and Outlook Express. The worm arrives attached to an e-mail message that has the Subject line: "Here you have, ;o)". The message body contains the following text: "Hi: Check This!" The attachment to the e-mail message is a Visual Basic Script file named "AnnaKournikova.jpg.vbs". When the attached program (the worm code) is executed, it copies itself to the Windows directory. It then adds the following digital signature to the registry key: "HKCU\software\OnTheFly\Worm made with Vbswg 1.50b". The worm then proceeds to send itself out to all addresses found in the Microsoft Outlook application.
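The filtering advice and the message description above can be turned into a mail-gateway check. The following Python is an added example, not part of the advisory or of any vendor's filter: it matches the subject and attachment name quoted above and, going beyond the advisory, also flags any script file hidden behind a harmless-looking extension. The function names, the extension sets and the sample message builder are assumptions made for the example.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Indicators quoted in the advisory.
SUBJECT = "Here you have, ;o)"
ATTACHMENT = "AnnaKournikova.jpg.vbs"
# Assumption, not from the advisory: which extensions count as script
# and which count as harmless-looking decoys.
SCRIPT_EXT = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
DECOY_EXT = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}


def normalize(text):
    """Lower-case and drop whitespace; the advisory spells the file name
    both with and without a space."""
    return re.sub(r"\s+", "", text or "").lower()


def check_message(raw):
    """Return the reasons to quarantine a raw message (empty list = pass)."""
    msg = message_from_string(raw)
    reasons = []
    if normalize(msg.get("Subject")) == normalize(SUBJECT):
        reasons.append("subject matches advisory")
    for part in msg.walk():
        name = normalize(part.get_filename())
        if not name:
            continue
        exts = name.split(".")[1:]
        if name == normalize(ATTACHMENT):
            reasons.append("attachment name matches advisory")
        elif len(exts) >= 2 and exts[-1] in SCRIPT_EXT and exts[-2] in DECOY_EXT:
            reasons.append("script behind decoy extension: " + name)
    return reasons


def sample(subject, filename):
    """Build a constructed test message; the attachment body is a placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("Hi: Check This!")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```

Matching on the attachment name is the stronger of the two signals; a message that matches only on the subject may be a reply or forward and is better held for review than dropped.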

The anti-virus software industry is aware of this worm and has created a signature file to detect and remove it. Full descriptions and removal instructions can be found at various anti-virus software firms' web sites, including the following:

As always, users are advised to keep their anti-virus software current by checking their vendors' web sites frequently for new updates, and to check for alerts put out by NIPC, CERT/CC, and other cognizant organizations.

Please report any illegal or malicious activities to your local FBI office or the NIPC, and to your military or civilian computer incident response group, as appropriate. Incidents may be reported online at www.nipc.gov/incident/cirr.htm.