13 Feb 2001, James Middleton, V3
Antivirus experts have warned that the AnnaKournikova.jpg.vbs virus highlights the ease with which someone with very little technical knowledge can create malicious code capable of spreading around the world in a matter of minutes.
The virus, which spread like wildfire late last night, is known as VBS/SST-A. It arrives in an email with the subject line "Here you have,;0)" and an attachment named AnnaKournikova.jpg.vbs.
But instead of displaying a picture of the tennis star, the bug uses the Visual Basic scripting language to infect Outlook and mails itself out to contacts in the infected user's address book.
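The attachment name described above hides a .vbs script behind a .jpg extension. The following added example (not part of the original article) shows a mail-filter check for that naming pattern using Python's standard email module; the extension lists and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy

# Assumption: illustrative extension lists, not taken from the article.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}

def is_disguised_script(filename):
    """True if the last extension is a script type and the one before it is a decoy."""
    # Trailing dots/spaces and padding before the real extension are normalised away.
    parts = [p.strip() for p in filename.lower().rstrip(". ").split(".")]
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTS and parts[-2] in DECOY_EXTS

def scan_message(raw):
    """Return attachment filenames in a raw RFC 5322 message that look disguised."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # decodes RFC 2231 / RFC 2047 encoded names
        if name and is_disguised_script(name):
            hits.append(name)
    return hits

# Constructed sample message (not a captured one); bodies are harmless placeholders.
SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: Here you have,;0)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

constructed body text
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"

placeholder
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="holiday.jpg"

placeholder
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A plain `.vbs` attachment is deliberately not flagged here: the check targets only the decoy-extension disguise, so blocking script attachments outright remains a separate policy decision.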
Eric Chien, chief researcher at Symantec, explained that the virus was actually created with a virus writing kit, known as Vbs Worms Generator 1.50b, which is readily available on the internet.
"The kit was originally created by someone in Argentina and is relatively simple to use. The creator of AnnaKournikova hasn't even added any unique characteristics, it could have been put together by a script kiddie," he said.
But Chien added that the virus was made dangerous through social engineering. "People expected a picture of Anna Kournikova, so they opened the attachment," he said.
Other experts believe that the main problem caused by the virus at the moment is the flooding of mail servers, as the script causes the virus to email itself to everyone in the user's Outlook address book.
Sal Viveros, a spokesman for security firm Network Associates, said: "The mail storm created by this virus is bringing servers down everywhere, making it a high risk case. People have become complacent since the Love Bug virus. We had reports of around 150 enterprises being hit yesterday."
Mikko Hypponen, research manager at F-Secure, added that the virus uses encryption to disguise itself, but that this was a characteristic included in the creation kit.
One user commented in a newsgroup: "Trivial stuff, really. What's the pity, is that it works. This ... simple construction kit virus has got past the script heuristics of most [antivirus software] on the market! Has to be the case. [There's] no other way it could move so fast through corporate sites. Pathetic."
The code also sets up a registry key named 'Onthefly', which allows a user to detect an infection easily.
A second payload is also set for release on 26 January when the code will open an infected host's browser and send it to the homepage of Dutch computer shop Dynabyte at www.dynabyte.nl. Chien speculated that the code could have been created by a disgruntled employee or customer of the firm.