Anna virus author comes forward

A Dutch virus writer known as OnTheFly admits to writing the Anna Kournikova virus, while Excite@Home compiles evidence against him.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
A Dutch virus writer known as OnTheFly admitted Tuesday to writing the Anna Kournikova virus, as Excite@Home compiled evidence against a subscriber in the Netherlands who is believed to be the same person.

"I didn't do it for fun," OnTheFly stated in a Web posting Tuesday. "I never wanted to harm the people who opened the attachment. But after all: it's their own fault they got infected."

The statement confirmed that OnTheFly used a readily available virus-writing tool, known as the Vbs Worm Generator, to create the Anna Kournikova virus, but exonerated the tool's author of aiding him.

Meanwhile, a source at Excite@Home has acknowledged that the company is trying to identify and ban a Dutch subscriber who appears to be OnTheFly. A previous virus, known as Iwa, had been posted to the alt.comp.virus.source.code newsgroup using Excite@Home Netherlands' network.

"We are working on it," said the Excite@Home source, who asked not to be named. "It is a clear violation of the acceptable use policy. We will come down hard and fast."

The information connecting OnTheFly and the Excite@Home subscriber had first been found by Richard Smith, chief technology officer of the Privacy Foundation and a key online detective in the Melissa virus case two years ago.

Also known as VBS/SST, VBS_Kalamar and VBS/OnTheFly, the Anna Kournikova virus initially poses as an attachment--AnnaKournikova.jpg.vbs--that has been included in an e-mail with one of several similar subject lines.

Anna hits Net hard
Tens of thousands of copies of the Anna virus were intercepted by e-mail service provider Mail.com, before the rate of spread fell off.
Time PST
# of copies intercepted
6 a.m. 21
8 a.m. 3,417
10 a.m. 11,194
12 p.m. 7,883
2 p.m. 4,451
4 p.m. 564
6 p.m. 239
8 p.m. 212
10 p.m. 64
Time PST
# of copies intercepted
12 a.m. 111
2 a.m. 109
4 a.m. 662
6 a.m. 1,315

Source: Mail.com

The attachment purports to be a photograph of Kournikova, a 19-year-old Russian tennis player.

The virus uses Visual Basic to infect Windows systems and then, on systems with Outlook, mails itself out to the entire address book. Its ability to mail itself to a large number of people classifies the virus as a worm.

"It's going to be more widespread than Melissa but less than the LoveBug," said Vincent Weafer, director of the Symantec AntiVirus Research Center.

As of 11:15 a.m. PST, major antivirus software makers had either posted patches to detect the virus or were already detecting it with the latest version.

"We are working on detection right now," said Weafer.

Melissa kicked off a new age of fast-spreading, hard-hitting worms in March 1999, when the macro virus flooded e-mail systems by using commands built into Microsoft Word to control e-mail. New Jersey programmer David Smith, who pled guilty to authoring and releasing the virus, is awaiting sentencing.

In May, a Visual Basic script virus masquerading as a love letter from a friend spread quickly after it was released from the Philippines. A 22-year-old computer school dropout, Onel de Guzman, has since been charged for crimes related to the release of the LoveLetter virus. Because of the lack of laws regarding computer crime in the Philippines, de Guzman is facing charges of credit-card fraud.

Like Melissa, the Anna Kournikova virus does not damage the systems that it has infected, Weafer said.

In his online admission, OnTheFly said a recent study by market researcher IDC, which concluded that surfers had not learned anything from recent virus attacks like LoveLetter, gave him the idea to write the virus.

"I think IDC is right," he wrote. "I also think that you agree with me, according to the rate of spreading."

In an interview via email, OnTheFly claimed to be 20 years old and from the Netherlands. He said he has no great knowledge of programming and regrets creating the virus. The authorities have yet to contact him, he wrote.

On Tuesday, security organizations and Internet service providers released data about Monday's spread of the virus. The Computer Emergency Response Team Coordination Center at Carnegie Mellon University said that more than 100 sites reported encountering the virus Monday.

E-mail service provider Mail.com reported that nearly 53,000 copies of the virus directed at its customers were intercepted by its server Monday, while British-based rival MessageLabs confirmed another 5,800.

The FBI is still assessing the virus attack and hasn't yet decided whether to pursue the case, spokeswoman Deborah Weierman said.