Anna virus rushes the Net
A virus posing as a photo of Russian tennis player Anna Kournikova is spreading aggressively, as major security companies rush to update their antivirus software.
"Compared to the 'Love Bug', it's spreading twice as fast," said Alex Shipp, antivirus technologist with British e-mail service MessageLabs. In the five hours since MessageLabs detected the infection, its users have received almost 2,900 copies of the infected e-mail sent from more than 290 different domains.
Also known as VBS/SST, the virus initially poses as an attachment--AnnaKournikova.jpg.vbs--included in a message with one of three similar subject lines: "Here you are ;-)," "here you have ;o)" and "here you go ;-)."
The virus uses the Visual Basic scripting language to infect Windows systems and then, on systems using Microsoft's Outlook e-mail program, mails itself out to the entire address book. The ability to mail itself out to a large number of Internet users classifies the virus as a worm.
The virus does not damage the systems it has infected, said Vincent Weafer, director of Symantec's AntiVirus Research Center.
And while the virus has only a few subject lines--which makes it easy for network administrators to filter it out before it ever reaches the desktop--it does use encryption to make it harder for antivirus software to detect it.
"Internally, it's highly polymorphic, which means it changes its signatures to hide itself from antivirus software," said Weafer. He said SARC has only seen 20 copies of the virus but expects it to spread quickly.
As of 11:15 a.m. PST, major antivirus software makers had either posted patches to detect the virus or were already detecting it with the latest version.
"We are working on detection right now," said Weafer.
Virus alert | |
|
Antivirus software maker Trend Micro said the virus had hit many different types of companies.
"We have heard from a government agency that has seen 200 hits per hour," spokeswoman Susan Orbuch said. "Others include a banking institution, a major networking company, a beverage company and an insurance company. You are not just seeing it in one sector."
Several experts believe the worm to be the product of a so-called "virus creation kit," a program that lets any online vandal with rudimentary computer skills to point-and-click their way to creating malicious code.
Trend Micro's software detected the virus originally as VBS_KALAMAR, and believes that Kalamar is the name of the author of the virus creation kit.