The Internet-Worm "Kournikova" Pursues Fans of the Famous Tennis Player

12 Feb 2001
Virus News

But not those using Kaspersky Anti-Virus

Cambridge, United Kingdom, February 13, 2001 - Kaspersky Lab, an international data-security software development company, reports the discovery "in the wild" of a new modification of the "Lee" worm going by the moniker of "Kournikova". The new worm has already managed to infect many computer systems in both North America and East Asia. At the same time, the worm poses no threat to Kaspersky Anti-Virus users due to the program's unique integrated heuristic code analyser, which is designed to combat unknown viruses - Kaspersky AV is able to detect the worm without any additional updates to the anti-virus database.

The worm's operating and spreading routines are very similar to those of the "ILOVEYOU" worm that caused a global epidemic at the beginning of May last year. "Kournikova" has been created using the popular virus creation kit "[K]Alamar's Vbs Worms Creator," which enables even novice users to generate their own customized script viruses. The worm is written in the Visual Basic Script (VBS) programming language, although its source code cannot be seen, since the worm's body is encrypted. The worm spreads via e-mail messages containing an infected attachment named "AnnaKournikova.jpg.vbs."

After the infected file is executed, the worm registers itself in the Windows system registry and, unbeknownst to the user, sends out e-mail messages with copies of itself to all the recipients found in the Microsoft Outlook address book. In order to avoid sending mail from the same system more than once, the worm creates an additional entry in the Windows system registry:

HKEY_CURRENT_USER\Software\OnTheFly\mailed

The worm contains no dangerous payload. In addition to mass mailing from an infected system, which overloads communication channels, "Kournikova" activates the default Internet browser and directs it to a Dutch Web site on January 26.

Just like "ILOVEYOU," this worm uses the "double extension" trick in order to disguise its malicious intentions. The presence of the "JPG.VBS" extension in the file name confuses users, who believe there can be no malicious code in JPG image files. This fallacy creates a false sense of security, causing users to run the infected file.

"The 'Kournikova' worm is certainly not something extraordinary that will shake the foundations of civilization. This is just yet another script worm that uses well-known penetration and spreading techniques. The only reason why it has managed to get into so many computer systems is the Anna Kournikova front. Although recognized as a good tennis player on the WTA circuit, Kournikova is better known for her pin-up looks that have men in raptures. Many users are so eager to see a picture of her that they simply forget the basic rule of computer hygiene, alluring them into running the infected file," said Denis Zenkin, Head of Corporate Communications for Kaspersky Lab.

Infection Prevention

So as not to allow the "Kournikova" worm to penetrate a system, Kaspersky Lab highly recommends that under no circumstances should the file bearing the name "AnnaKournikova.jpg.vbs" be opened. Network engineers are encouraged to set up e-mail filtering systems so as to block incoming and outgoing e-mail containing this file.
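The e-mail filtering recommended above, as an added example that is not Kaspersky Lab's code: instead of matching only the one file name, it flags any attachment whose final extension is a script or program type and marks the "double extension" pattern separately. The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import email
import email.policy
from email.message import EmailMessage

# Final extensions that Windows runs directly or hands to a script host
# (constructed, non-exhaustive list for this example).
RISKY_EXT = {"vbs", "vbe", "js", "jse", "wsf", "wsh",
             "scr", "pif", "exe", "com", "bat", "cmd"}
# Harmless-looking extensions typically placed in front as the decoy.
DECOY_EXT = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}

def classify(filename):
    """Return 'double-extension', 'risky' or 'ok' for an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    name = filename.strip().rstrip(". ").lower()
    # Padding such as "photo.jpg      .vbs" must not hide the real extension.
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in RISKY_EXT:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        return "double-extension"
    return "risky"

def scan_message(raw):
    """Return [(filename, verdict)] for every attachment that should be blocked."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.walk():          # walk() also reaches nested MIME parts
        fname = part.get_filename()  # decodes RFC 2231 encoded names
        if fname and classify(fname) != "ok":
            hits.append((fname, classify(fname)))
    return hits

def sample_message():
    """Constructed test message with inert attachment bodies."""
    msg = EmailMessage()
    msg["Subject"] = "constructed test message"
    msg.set_content("see attachment")
    msg.add_attachment(b"' inert placeholder", maintype="application",
                       subtype="octet-stream", filename="AnnaKournikova.jpg.vbs")
    msg.add_attachment(b"\xff\xd8", maintype="image", subtype="jpeg",
                       filename="holiday.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(sample_message()))
```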

Infection Removal

In order to remove the worm from a system, simply follow these instructions:

1) Delete the "AnnaKournikova.jpg.vbs" file from the Windows system folder;

2) Delete the following Windows system registry keys:

HKEY_CURRENT_USER\Software\OnTheFly
HKEY_CURRENT_USER\Software\OnTheFly\mailed

For Kaspersky Anti-Virus users, we would like to reiterate that the program detects this worm automatically, without any updates needed.

Kaspersky Anti-Virus can be purchased in the Kaspersky Lab online store or from a worldwide network of Kaspersky Anti-Virus distributors and resellers.