AVERT first discovered this virus family in August of 2000. Our advanced technology and detection techniques provided customers with accurate protection from this new variant prior to its release, starting more than six months ago with the 4092 DAT release. Users are reminded to regularly update to the current engine and DATs to ensure maximum protection against today's threats.
Note: Ensure that the extensions .VBS is included when scanning. This is a default setting with product version 4.5 and later.
This virus is in the same family as VBS/SST.gen@MM.
This script was created by a worm generating tool. As such, the particulars of its actions may vary. The most common variant functions as follows.
When run, the encrypted script copies itself to the WINDOWS directory as "AnnaKournikova.jpg.vbs". It attempts to mail a separate email message, using MAPI messaging, to all recipients in the Windows Address Book using the following information:
Subject: Here you have, ;o)
It also creates a registry key and key values. The script refers to these values to check if the mailing routine has already taken place:
HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=(1 for yes)
On January 26th, the script attempts to connect to the web site http://www.dynabyte.nl
Both Network Associates and McAfee.com refer to the virus commonly known as the "Anna Kournikova Virus" and/or the "Anna Virus" in order to identify a specific public virus threat. Network Associates and McAfee.com intend no reference to the actual person whose name has unfortunately become associated with the Internet virus.