Anna virus rushes the Net

A virus posing as a photo of Russian tennis player Anna Kournikova spread aggressively on Monday, as major security companies rushed to update their antivirus software to detect the fast-spreading e-mail virus.

"Compared to the 'Love Bug', it's spreading twice as fast," said Alex Shipp, antivirus technologist with British e-mail service MessageLabs. In the five hours since MessageLabs detected the infection, its users have received almost 2,900 copies of the infected e-mail sent from more than 290 different domains.

Also known as VBS/SST, the virus initially poses as an attachment--AnnaKournikova.jpg.vbs--included in a message with one of three similar subject lines: "Here you are ;-)," "here you have ;o)" and "here you go ;-)."

The virus uses the Visual Basic scripting language to infect Windows systems and then, on systems using Microsoft's Outlook e-mail program, mails itself out to the entire address book. The ability to mail itself out to a large number of Internet users classifies the virus as a worm.

The virus does not damage the systems it has infected, said Vincent Weafer, director of Symantec's AntiVirus Research Center.

And while the virus has only a few subject lines--which makes it easy for network administrators to filter it out before it ever reaches the desktop--it does use encryption to make it harder for antivirus software to detect it.

"Internally, it's highly polymorphic, which means it changes its signatures to hide itself from antivirus software," said Weafer. He said SARC has only seen 20 copies of the virus but expects it to spread quickly.

As of 11:15 a.m. PST, major antivirus software makers had either posted patches to detect the virus or were already detecting it with the latest version.

"We are working on detection right now," said Weafer.

Virus alert

Name: VBS/SST; VBS/AnnaKournikova What it does: If attachment is opened, the virus will infect a computer's hard drive. Although it appears to be non-destructive, the virus will send itself in an e-mail to the entire address book. A code in the virus indicates that if it infects a computer on Jan. 26 of any year, it will redirect people to a Web site in the Netherlands. Means of transmission: E-mail. Uses Microsoft's Outlook to replicate. How to recognize: Arrives as an e-mail with one of three similar subject lines, Here you are ;-), here you have ;o), and here you go ;-). Contains a file, AnnaKournikova.JPG.VBS, that purports to be a photo of tennis player Anna Kournikova. Who is at risk: Any Windows 95, 98, Me, 2000 and NT owner who is running the Windows scripting host and who has not installed the latest security patch.

Businesses which had detected the virus or had been infected by it kept the security companies busy early Monday. Symantec had received 20 calls from clients in the morning, Network Associates almost 50, Computer Associates nearly 25 and Trend Micro a dozen.

Antivirus software maker Trend Micro said the virus had hit many different types of companies.

"We have heard from a government agency that has seen 200 hits per hour," spokeswoman Susan Orbuch said. "Others include a banking institution, a major networking company, a beverage company and an insurance company. You are not just seeing it in one sector."

Several experts believe the worm to be the product of a so-called "virus creation kit," a program that lets any online vandal with rudimentary computer skills to point-and-click their way to creating malicious code.

Trend Micro's software detected the virus originally as VBS_KALAMAR, and believes that Kalamar is the name of the author of the virus creation kit.