
'ANNA' VIRUS HYPE DEFLATED

From: Tech_savvy
EMail: bookwormz_99@yahoo.com

Comments

1. 'ANNA' VIRUS HYPE DEFLATED

There's been a lot of buzz in the last day or so about the 'Anna Kournikova' virus that is just the latest worm to spread across the Internet and cause trouble for people along the way. We know of at least one large organization that got caught and effectively lost a day's productivity due to this virus.

As usual, however, what scares us more than the virus (which is actually nothing very new) is the self-serving hype that surrounds it. Otherwise sensible media outlets publish the first unproven nonsense that is sent by the PR companies of anti-virus makers. Those makers have a vested interest in overstating the danger and spread of the virus. For an analysis of the real spread of 'Anna' and the hype, see Rob Rosenberger's latest rant: http://vmyths.com/rant.cfm?id=302&page=4

Worse still, some of the recommendations for protection come without any warnings of the downside. So we've brought this issue out a little early to dispel some rumors and warn you about the warnings.

We'll tell you what to look out for, not just for this virus but for this type of nastie. We'll check out the downside of some alleged protection measures and see why this virus writer isn't very clever at all.

Most importantly we'll tell you the downside of the protection measures being offered and offer an important suggestion that's been surprisingly missing elsewhere.

Apologies in advance to regular WOWsers who'll get a sense of deja vu reading this ... like we said there's little that's new in this latest virus scare.

2. WHAT TO LOOK FOR IN ANNA AND HER FRIENDS

The 'Anna' virus itself isn't very sophisticated despite the hype. It's based on a range of similar viruses in the past, one intentional but dangerous default in Windows and some knowledge of what makes people click (literally). The 'official' name for this virus is VBS_Kalamar.A, also known as VBS.Lee-o or VBS.OnTheFly.

An incoming infected message generated by the worm looks like this:

Subject: Here you have, ;o) Or some variation on that title

Body: Hi: Check This!

Attachment: AnnaKournikova.jpg.vbs

If you click on the attachment (that seems to be a picture to the unwary) then the virus will start mailing itself to people and groups in your address book.

It also writes entries to the registry (HKEY_CURRENT_USER\software\OnTheFly and HKEY_CURRENT_USER\Software\OnTheFly\mailed) so it knows that it has already run on that computer. On the 26th January (coincidentally Australia Day) it will try to connect to a Dutch web site.

The virus continues to run in the background on the computer; if you try to delete it, the virus will try to re-create itself on your hard drive. An error in the virus means this part doesn't work and you get a zero length file instead.

There's no direct damage caused by the virus and no files are erased, renamed or damaged. The trouble is likely to be caused by the mass emailing which can overload a corporate email system.

What makes this virus effective isn't any technical ability, but its marketing. Making the attachment look like a harmless picture, and a picture of a well-known and attractive tennis player, is the bit that made this virus the center of attention for a day or so.

Ironically we're seeing virus writers follow the lead of Microsoft. Like the company they love to hate, instead of great technical innovations the virus makers are relying on cleverer marketing.

3. WHO IS ON THE HIT LIST

To be infected all you need is a computer that has Windows Scripting Host (WSH) installed. That means Windows 98, 2000 or Wind



Last changed: March 02, 2001
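The attachment name quoted in the post (a picture extension followed by .vbs) is the pattern a mail filter can check for. The following is an added example, not part of the original post: the extension lists, function names and example.com addresses are assumptions, and the sample message is constructed from the subject, body and attachment name given above.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists for this sketch (not from the post): extensions Windows will
# run as script, and harmless-looking extensions used as a decoy.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "bmp", "txt", "doc", "mp3"}

def classify_filename(name):
    """Return 'disguised-script', 'script' or 'ok' for an attachment name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces, and padding can hide the real
    # extension, so normalise before splitting on dots.
    parts = [p.strip() for p in base.lower().rstrip(". ").split(".")]
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "disguised-script"
    return "script"

def scan_message(raw_bytes):
    """List (filename, verdict) for every suspicious attachment in a message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            verdict = classify_filename(filename)
            if verdict != "ok":
                findings.append((filename, verdict))
    return findings

def build_sample():
    """Constructed message: subject, body and attachment name as quoted above."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Here you have, ;o)"
    msg.set_content("Hi: Check This!")
    msg.add_attachment(b"' placeholder text, not worm code\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="AnnaKournikova.jpg.vbs")
    msg.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg",
                       filename="holiday.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```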