Virus!!! Don't open: Re:Here you have,:o] Virus!!!

Wes Witten raindance at BIGFOOT.COM
Mon Feb 12 22:56:10 EST 2001


Don't open any email with this subject line; it is a virus:

Re:Here you have,:o]

Here is the reason not to open it. The reason is copied below.

Thanks,

Wes Witten

========================================================================



We have been quarantining this virus all morning.  NAI has put this
virus as HIGH RISK.  If you receive it, DO NOT OPEN IT, DELETE IT.
If you have any questions please call the Helpdesk at 713-308-9355.


Summary



Virus Name      Risk Assessment
VBS/SST@MM      High


Virus Information
Discovery Date:         08/14/2000
Origin:         Unknown
Length:         Varies
Type:   Virus
SubType:        VbScript
Minimum Dat:    4092
Minimum Engine:         4.0.35
DAT Release Date:       08/23/2000
Description Added:      02/12/2001


Virus Characteristics
AVERT first discovered this threat in August of 2000. The 4092 DATs are
required for detection. Users should update to current engine and DATs
to ensure maximum protection.


Note: Ensure that the extension .VBS is included when scanning. This is
a default setting with product version 4.5 and later.


This script was created by a worm generating tool. As such, the
particulars of its actions may vary. The most common variant functions
as follows.


When run, the script copies itself to the WINDOWS directory as
"AnnaKournikova.jpg.vbs". It attempts to mail a separate email message,
using MAPI messaging, to all recipients in the Windows Address Book
using the following information:


Subject: Here you have, ;o)
Body:
Hi:
Check This!


Attachment: AnnaKournikova.jpg.vbs


It also creates a registry key and key values. The script refers to
these values to check if the mailing routine has already taken place:


HKEY_USERS\.DEFAULT\Software\OnTheFly
HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=(1 for yes)


On January 26th, the script attempts to connect to the web site
http://www.dynabyte.nl


Symptoms
- Presence of the file "c:\WINDOWS\AnnaKournikova.jpg.vbs"
- Presence of the registry key: HKEY_USERS\.DEFAULT\Software\OnTheFly
- Users complaining that you've sent them a virus.



Method Of Infection
This script arrives as an email attachment which. Opening this
attachment infects your machine. Once infected, the script attempts to
mail itself to all recipients found in the Windows Address Book.


Removal Instructions
Use specified engine and DAT files for detection and removal. Delete any
file which contains this detection.


Variants
Name    Type    Sub Type        Differences
no known variants


Aliases
Name
Anna Kournikova
AnnaKournikova
VBS/Anna
VBS/SST
VBS/SST-A (Sophos)
VBS/VBSWG.J (F-Prot)
VBS_Kalamar.a (Trend)





David Horn
Network/Desktop Administrator
713-308-9373
dhorn at midf.com <mailto:dhorn at midf.com>



