
E-mail Virus Advisory for Microsoft Outlook Users

A new variation of an old computer virus, disguised as a photograph of Russian tennis player Anna Kournikova, has infected computer systems world-wide, including Penn State's, during the past week. Microsoft Outlook users who do not have the latest virus-protection software are affected. Mail arrives with the subject line "Here you have, ;o)" and contains an attachment named AnnaKournikova.jpg.vbs. (Note that the subject line and attachment name may change as the virus spreads.) When a user opens the attachment, the virus creates a registry key and copies itself into the Windows directory. It then attempts to send infected mail messages to every address in the Windows Address Book. The mail traffic generated by this self-propagation can also degrade mail server performance. For further details, see the article "CERT® Advisory CA-2001-03 VBS/OnTheFly (Anna Kournikova) Malicious Code," which is available at http://www.cert.org/advisories/CA-2001-03.html and has also been reproduced below for your convenience.

Do not open any e-mail attachment unless you are expecting the file and know it is from a reliable source; this is especially important if you are using Microsoft Outlook, a Windows e-mail software package. The Center for Academic Computing (CAC) strongly urges computer owners to prevent problems by taking the following steps: (1) Install the most current virus-protection software; (2) Routinely update the product (weekly at least); (3) Back up your files on a regular basis; and (4) Stay informed on virus news and software vulnerability issues. Because an increasing number of viruses cannot be "cleaned" simply by running the "latest" virus checker once you are already infected, preventing infection is the wise course of action.

If you receive mail that you believe contains a virus, or you think your machine may already be infected with a virus, contact the Center for Academic Computing (CAC) Help Desk at (814) 863-1035 or (814) 863-2494.


For your convenience, the following article has been reproduced in its entirety by the Center for Academic Computing (CAC) with permission of the authors. (Source: http://www.cert.org/advisories/CA-2001-03.html )

CERT® Advisory CA-2001-03 VBS/OnTheFly (Anna Kournikova) Malicious Code

Original release date: February 12, 2001
Last revised: February 12, 2001
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Users of Microsoft Outlook who have not applied previously available security updates.

Overview

The "VBS/OnTheFly" malicious code is a VBScript program that spreads via email. As of 7:00 pm EST(GMT-5) Feb 12, 2001, the CERT Coordination Center had received reports from more than 100 individual sites. Several of these sites have reported suffering network degradation as a result of mail traffic generated by the "VBS/OnTheFly" malicious code.

This malicious code can infect a system if the enclosed email attachment is run. Once the malicious code has executed on a system, it will take the actions described in the Impact section.

I. Description

When the malicious code executes, it attempts to send copies of itself, using Microsoft Outlook, to all entries in each of the address books. The sent mail has the following characteristics:

  • SUBJECT: "Here you have, ;o)"

  • BODY:
    Hi:
    Check This!
    
  • ATTACHMENT: "AnnaKournikova.jpg.vbs"

Users who receive copies of the malicious code via electronic mail will probably recognize the sender. We encourage users to avoid executing code, including VBScripts, received through electronic mail, regardless of the sender's name, without prior knowledge of the origin of the code or a valid digital signature.

Recipients can be tricked into opening this malicious attachment because the file appears without the .VBS extension when "Hide file extensions for known file types" is turned on in Windows: "AnnaKournikova.jpg.vbs" is displayed as "AnnaKournikova.jpg", which looks like an ordinary picture file.

II. Impact

When the attached VBS file is executed, the malicious code attempts to modify the registry by creating the following key:

  HKEY_CURRENT_USER\Software\OnTheFly="Worm made with Vbswg 1.50b"

Next, it places a copy of itself into the Windows directory:

  C:\WINDOWS\AnnaKournikova.jpg.vbs

Finally, the malicious code attempts to send separate, infected email messages to all recipients in the Windows Address Book. Once the mail has been sent, the malicious code creates the following registry key to prevent future mailings:

  HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=1

The code's propagation can lead to congestion in mail servers that may prevent them from functioning as expected.
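The registry keys and dropped file above are the host-level indicators a responder would look for. The following is an added example, not part of the CERT advisory: it assumes the suspect machine's registry has been exported to the .reg text format (regedit /e or reg export) and that a listing of the Windows directory has been collected, so the check can run offline against those artifacts. The indicator strings are the ones in the Impact section; the sample export and directory listing are constructed for the example.

```python
"""Offline triage for the VBS/OnTheFly host indicators listed above.

Added example; not part of the CERT advisory. It assumes the host's
registry has been exported to the .reg text format (regedit /e or
reg export) and that the Windows directory listing has been collected
as a list of file names. Indicator strings are those in the Impact section.
"""
import re

# Indicators from the advisory (compared case-insensitively).
ONTHEFLY_KEY_SUFFIX = r"\software\onthefly"
ONTHEFLY_MARKER = "Worm made with Vbswg 1.50b"
DROPPED_FILE = "annakournikova.jpg.vbs"

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip .reg quoting from a "..." string, undoing backslash escapes."""
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return s


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    A key's default value (written as @) is stored under the name "".
    String data is unquoted; other types (dword:, hex:) are kept as-is.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "REGEDIT4", "Windows Registry Editor")):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def find_onthefly_indicators(reg_text, windir_files):
    """Return a list of human-readable indicator hits (empty if clean)."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        lowered = key.lower()
        # The advisory writes the marker as ...\Software\OnTheFly="...", which
        # can mean the default value of an OnTheFly key or a value named
        # OnTheFly under Software; both spellings are checked.
        if lowered.endswith(ONTHEFLY_KEY_SUFFIX):
            hits.append("registry key present: " + key)
            if values.get("") == ONTHEFLY_MARKER:
                hits.append("marker string set as default value of " + key)
            if values.get("mailed") in ("1", "dword:00000001"):
                hits.append("mailed=1 under " + key
                            + ": the worm has already sent itself from this profile")
        elif lowered.endswith(r"\software") and values.get("OnTheFly") == ONTHEFLY_MARKER:
            hits.append("marker string set as value OnTheFly under " + key)
    for name in windir_files:
        if name.lower() == DROPPED_FILE:
            hits.append("dropped file present in Windows directory: " + name)
    return hits


# Constructed sample artifacts for the example (not taken from a real host).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\OnTheFly]
@="Worm made with Vbswg 1.50b"

[HKEY_USERS\.DEFAULT\Software\OnTheFly]
"mailed"="1"
"""
SAMPLE_WINDIR = ["WIN.INI", "AnnaKournikova.jpg.vbs", "NOTEPAD.EXE"]

if __name__ == "__main__":
    for hit in find_onthefly_indicators(SAMPLE_REG_EXPORT, SAMPLE_WINDIR):
        print(hit)
```

Because the advisory does not say whether the worm writes "mailed" as a string or a DWORD, both encodings are accepted; a machine with the key present but no "mailed" flag may have been interrupted before it finished sending and should still be treated as infected.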

Beyond this effect, there does not appear to be a destructive payload associated with this malicious code. However, historical data has shown that the intruder community can quickly modify the code for more destructive behavior.

III. Solution

Update Your Anti-Virus Product

It is important for users to update their anti-virus software. Some anti-virus software vendors have released updated information, tools, or virus databases to help combat this malicious code. A list of vendor-specific anti-virus information can be found in Appendix A.

Apply the Microsoft Outlook E-mail Security Update

To protect against this malicious code and others like it, users of Outlook 98 and 2000 may want to install the Outlook E-mail Security Update, which is included in Outlook SR-1. More information about this update is available at

http://office.microsoft.com/2000/downloaddetails/Out2ksec.htm

You may also find the following document on Outlook security useful:

http://www.microsoft.com/office/outlook/downloads/security.htm

The Outlook E-mail security update provides features that can prevent attachments containing executable content from being displayed to users. Other types of attachments can be configured so that they must be saved to disk before they can be opened (or executed). These features may greatly reduce the chances that a user will incorrectly execute a malicious attachment.

Filter the Virus in Email

Sites can use email filtering techniques to delete messages whose subject lines are known to be used by the malicious code, or can filter executable attachments outright.
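The two filtering approaches just described, and the hidden-extension trick noted in Section I, are shown together in the following added example. It is not code from the CERT advisory or from any mail product: it assumes the mail server hands each message to the filter as raw RFC 822 bytes (as a procmail recipe or sendmail milter would) and acts on the returned verdict. The lists of executable and benign-looking extensions are the example's own assumptions, and both sample messages are constructed, with placeholder bytes in place of any attachment content.

```python
"""Mail-gateway filter for the message characteristics described above.

Added example; not code from the CERT advisory or from any mail product.
It assumes the MTA hands each message to the filter as raw RFC 822 bytes
and acts on the verdict. Extension lists are assumptions about what Windows
executes and what a user reads as harmless; sample messages are constructed.
"""
import email
import email.policy
import re

# Subject reported in the advisory, matched loosely because the advisory
# notes the text can change as the code is modified.
KNOWN_SUBJECTS = [re.compile(r"^\s*here you have\b", re.IGNORECASE)]

# Extensions Windows runs on double-click. "Hide file extensions for known
# file types" hides exactly these, so "x.jpg.vbs" is displayed as "x.jpg".
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "com",
                   "bat", "cmd", "pif", "scr", "shs"}
# Extensions a user reads as a picture or document.
BENIGN_LOOKING_EXTS = {"jpg", "jpeg", "gif", "bmp", "txt", "doc", "xls",
                       "htm", "html", "mp3", "avi", "zip"}


def classify_filename(name):
    """Return (kind, displayed_name).

    kind is "double-extension" (executable hiding behind a benign-looking
    inner extension), "executable" or "ok"; displayed_name is what a user
    with hidden extensions sees.
    """
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext not in EXECUTABLE_EXTS:
        return "ok", name
    displayed = name[: -(len(ext) + 1)]
    if len(parts) > 2 and parts[-2] in BENIGN_LOOKING_EXTS:
        return "double-extension", displayed
    return "executable", displayed


def attachment_names(msg):
    """Yield the filename of every non-multipart part that declares one."""
    for part in msg.walk():
        if not part.is_multipart():
            name = part.get_filename()
            if name:
                yield name


def filter_message(raw_bytes):
    """Return ("reject" | "accept", reasons) for one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    reasons = []
    subject = str(msg.get("Subject", ""))
    if any(p.search(subject) for p in KNOWN_SUBJECTS):
        reasons.append("subject matches known worm subject: %r" % subject)
    for name in attachment_names(msg):
        kind, displayed = classify_filename(name)
        if kind == "double-extension":
            reasons.append("attachment %r displays as %r with extensions hidden"
                           % (name, displayed))
        elif kind == "executable":
            reasons.append("attachment %r is directly executable" % name)
    return ("reject" if reasons else "accept"), reasons


# Constructed sample messages; the attachment body is placeholder bytes.
WORM_LIKE_MESSAGE = b"""\
From: colleague@example.edu
To: you@example.edu
Subject: Here you have, ;o)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi:
Check This!

--b1
Content-Type: application/octet-stream; name="AnnaKournikova.jpg.vbs"
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

CLEAN_MESSAGE = b"""\
From: colleague@example.edu
To: you@example.edu
Subject: Meeting notes

See you at three.
"""

if __name__ == "__main__":
    for raw in (WORM_LIKE_MESSAGE, CLEAN_MESSAGE):
        print(filter_message(raw))
```

The subject check alone is fragile, since the advisory itself warns that the text changes; the attachment check is the durable rule, and it rejects any executable type whether or not it is disguised with a second extension.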

Exercise Caution When Opening Attachments

Exercise caution when receiving email with attachments. Users should disable auto-opening or previewing of email attachments in their mail programs. Users should never open attachments from an untrusted origin, or that appear suspicious in any way. Finally, cryptographic checksums should also be used to validate the integrity of the file.

IV. General protection from email Trojan horses and viruses

Some previous examples of malicious files known to have propagated through electronic mail include:
Melissa macro virus - discussed in CA-99-04 http://www.cert.org/advisories/CA-1999-04.html

False upgrade to Internet Explorer - discussed in CA-99-02 http://www.cert.org/advisories/CA-1999-02.html

Happy99.exe Trojan Horse - discussed in IN-99-02 http://www.cert.org/incident_notes/IN-99-02.html

CIH/Chernobyl virus - discussed in IN-99-03 http://www.cert.org/incident_notes/IN-99-03.htm

In each of the above cases, the effects of the malicious file are activated only when the file in question is executed. Social engineering is typically employed to trick a recipient into executing the malicious file. Some of the social engineering techniques we have seen used include
  • Making false claims that a file attachment contains a software patch or update
  • Implying or using entertaining content to entice a user into executing a malicious file
  • Using email delivery techniques that cause the message to appear to have come from a familiar or trusted source
  • Packaging malicious files in deceptively familiar ways (e.g., use of familiar but deceptive program icons or file names)
The best advice with regard to malicious files is to avoid executing them in the first place. CERT Advisory CA-1999-02 and the following CERT tech tip discuss malicious code and offer suggestions for avoiding it.

http://www.cert.org/advisories/CA-1999-02.html

Tech tip: Protecting yourself from Email-borne Viruses and Other Malicious Code During Y2K and Beyond

Appendix A. Anti-Virus Vendor Information

Aladdin Knowledge Systems

http://www.aks.com/home/csrt/valerts.asp#AnnaK

Command Software Systems, Inc.

http://www.commandcom.com/virus/vbsvwg.html

Computer Associates

http://ca.com/virusinfo/virusalert.htm#vbs_sstworm

F-Secure

http://www.f-secure.com/v-descs/onthefly.shtml

Finjan Software, Ltd.

http://www.finjan.com/attack_release_detail.cfm?attack_release_id=47

McAfee

http://www.mcafee.com/anti-virus/viruses/vbssst/default.asp

Dr. Solomon, NAI

http://vil.nai.com/vil/virusSummary.asp?virus_k=99011

Sophos

http://www.sophos.com/virusinfo/analyses/vbsssta.htm

Symantec

http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html

Trend Micro

http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=VBS_KALAMAR.A

You may wish to visit the CERT/CC's Computer Virus Resources Page located at:

http://www.cert.org/other_sources/viruses.html

This document was written by Cory Cohen, Roman Danyliw, Ian Finlay, John Shaffer, Shawn Hernan, Kevin Houle, Brian B. King, and Shawn Van Ittersum.


This document is available from: http://www.cert.org/advisories/CA-2001-03.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History

February 12, 2001: Initial release
The Pennsylvania State University ©2001. All rights reserved.
Last revised: Thursday, February 15, 2001.