[ILUG] Kournikova virus

Ray Quinn quinnray at utvinternet.com
Tue Feb 13 12:19:33 GMT 2001


FYI:

Currently listed as high risk.

This script was created by a worm generating tool. As such, the particulars
of its actions may vary. The most common variant functions as follows.

When run, the script copies itself to the WINDOWS directory as
"AnnaKournikova.jpg.vbs". It attempts to mail a separate email message,
using MAPI messaging, to all recipients in the Windows Address Book using
the following information:

Subject: Here you have, ;o)
Body:
Hi:
Check This!

Attachment: AnnaKournikova.jpg.vbs

It also creates a registry key and key values. The script refers to these
values to check if the mailing routine has already taken place:

HKEY_USERS\.DEFAULT\Software\OnTheFly
HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=(1 for yes)

On January 26th, the script attempts to connect to the web site
http://www.dynabyte.nl

Indications Of Infection
- Presence of the file "c:\WINDOWS\AnnaKournikova.jpg.vbs"
- Presence of the registry key: HKEY_USERS\.DEFAULT\Software\OnTheFly
- Users complaining that you've sent them a virus.


Method Of Infection
This script arrives as an email attachment. Opening this attachment
infects your machine. Once infected, the script attempts to mail itself to
all recipients found in the Windows Address Book.

Removal Instructions
Use specified engine and DAT files for detection and removal. Delete any
file which contains this detection.

Virus Information
     Discovery Date: 8/14/00
     Origin: Virus Construction Kit, Intentional
     Length: Varies
     Type: Virus
     SubType: VbScript
     Risk Assessment: High


Aliases
Anna Kournikova, AnnaKournikova, VBS/Anna, VBS/SST, VBS/SST-A (Sophos),
VBS/SST.A (Panda), VBS/VBSWG.J (F-Prot), VBS_Kalamar.a (Trend)


-----Original Message-----
From: Gerard J Keating <gerard.keating at fintrax.com>
Cc: ilug at linux.ie <ilug at linux.ie>
Date: 13 February 2001 12:12
Subject: [ILUG] Kournikova virus


>
>I assume people have seen the last virus warning, the Kournikova virus is a vbs
>script file disguised as a jpg of the bold ms Kournikova.
>
>
>
>--
>Gerard Keating              Tully
>Fintrax Teo                 Ballinahown
>Tel: +353 91 558205         Galway
>Fax: +353 91 558222         Rep. of Ireland
>
>
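
An added example, not part of the original post or of the vendor advisory it forwards: a mail-filter style check in Python that flags the attachment pattern described above. Since the advisory says variants may differ, it goes beyond the one file name to any script extension hidden behind a decoy extension; the extension lists and the names `check_message` and `build_sample` are assumptions of this example.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Assumption: extension lists chosen for this example, not from the advisory.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}
# Values quoted in the advisory.
KNOWN_SUBJECT = "Here you have, ;o)"
KNOWN_ATTACHMENT = "annakournikova.jpg.vbs"


def check_message(raw):
    """Return (filename, reason) findings for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").split())
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so drop them before splitting.
        pieces = name.strip().rstrip(". ").lower().split(".")
        if len(pieces) < 2 or pieces[-1] not in SCRIPT_EXTS:
            continue
        if ".".join(pieces) == KNOWN_ATTACHMENT and subject == KNOWN_SUBJECT:
            findings.append((name, "matches advisory subject and attachment"))
        elif len(pieces) >= 3 and pieces[-2] in DECOY_EXTS:
            findings.append((name, "script behind decoy extension"))
        else:
            findings.append((name, "script attachment"))
    return findings


def build_sample(subject, filename):
    """Constructed test message; the attachment is a harmless placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("Hi:\nCheck This!\n")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for fname in ("AnnaKournikova.jpg.vbs", "holiday.JPG.vbs", "photo.jpg"):
        print(fname, check_message(build_sample(KNOWN_SUBJECT, fname)))
```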




