For Home

Virus Profile: VBS/VBSWG.gen@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/11/2001
Date Added: 2/12/2001
Origin: Virus Creation Kit
Length: Varies
Type: Virus
Subtype: VbScript
DAT Required: 4092
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Note: As there are several variants of this virus, your symptoms may vary from those listed below.

- Presence of the file "c:\WINDOWS\AnnaKournikova.jpg.vbs"
- Presence of the registry key: HKEY_USERS\.DEFAULT\Software\OnTheFly
- Users complaining that you've sent them a virus.

Methods of Infection

This script arrives as an email attachment which. Opening this attachment infects your machine. Once infected, the script attempts to mail itself to all recipients found in the Windows Address Book.

Aliases

Anna Kournikova, AnnaKournikova, VBS.VBSWG.J (CA), VBS/Anna, VBS/OnTheFly@mm (F-Secure), VBS/SST (VirusScan), VBS/SST-A (Sophos), VBS/SST.A (Panda), VBS/SST.Worm (CAI), VBS/SST@MM (VirusScan), VBS/VBSWG.j@MM , VBS_Kalamar.a (Trend)
   

Virus Characteristics

AVERT first discovered this virus family in August of 2000. Our advanced technology and detection techniques provided customers with accurate protection from this new variant prior to its release, starting more than six months ago with the 4092 DAT release. Users are reminded to regularly update to the current engine and DATs to ensure maximum protection against today's threats.

Note: Ensure that the extensions .VBS is included when scanning. This is a default setting with product version 4.5 and later.

This virus is in the same family as VBS/SST.gen@MM.

This script was created by a worm generating tool. As such, the particulars of its actions may vary. The most common variant functions as follows.

When run, the encrypted script copies itself to the WINDOWS directory as "AnnaKournikova.jpg.vbs". It attempts to mail a separate email message, using MAPI messaging, to all recipients in the Windows Address Book using the following information:

Subject: Here you have, ;o)
Body:
Hi:
Check This!

Attachment: AnnaKournikova.jpg.vbs

It also creates a registry key and key values. The script refers to these values to check if the mailing routine has already taken place:

HKEY_USERS\.DEFAULT\Software\OnTheFly
HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=(1 for yes)

On January 26th, the script attempts to connect to the web site http://www.dynabyte.nl

Both Network Associates and McAfee.com refer to the virus commonly known as the "Anna Kournikova Virus" and/or the "Anna Virus" in order to identify a specific public virus threat. Network Associates and McAfee.com intend no reference to the actual person whose name has unfortunately become associated with the Internet virus.

   
Use current engine and DAT files for detection and removal.

Using File Filtering with WebShield SMTP for WindowsNT(not applicable for Solaris):
Within the Configuration console select content filtering.
Select Add.
Add a Description for the content filter rule such as VBSBlock.
Select Filter on Attachment File name.
Filter on .vbs
Select OK.

Additional Windows ME/XP removal considerations

AVERT Recommended Updates:

* Office2000 Updates

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.