Bug Watch: How Anna exploited human nature

Unless you've been potholing or stuck up a mountain this week, you will know that hundreds of thousands of computer users across the world have been hit by a worm posing as a picture of the glamorous tennis player, Anna Kournikova. As a result, the author of the virus has achieved his 15 minutes of fame.

The worm itself is remarkably simple and was constructed using one of the many 'virus kits' that are readily available on the internet. It uses the well-known double extension trick, which means that the file AnnaKournikova.jpg.vbs would have appeared on most machines as a harmless .jpg image.

However, the spread of the worm was facilitated mainly by the promise of a picture of Ms Kournikova. This worm is the latest to appeal directly to one of our most basic urges - sex. The fact that so many people opened the attachment is disappointingly predictable.

It seems that no matter how many times users are told not to open unsolicited attachments, all sense of reason flies out of the window as soon as mail hits their inbox. The alleged author of the worm has since claimed that it was written as a warning to those users who have learnt nothing in the aftermath of the Love Bug. Although what he has done is inexcusable, he's got a point.

The effects of allowing a virus or worm into your organisation can be devastating. Important data can be lost, financial figures corrupted and confidential documents can wing their way straight into a competitor's inbox. If the worst happens, and you are forced to shut down your systems, the financial losses can be huge. So why are we so complacent about protecting ourselves?

It isn't even a matter of spending huge amounts of money. There are a number of measures which can be taken to dramatically reduce the chances of infection. One small change to your Outlook set-up can stop any file with a .vbs extension from running, and any files with double extensions can easily be blocked at your email gateway. These two steps are simple to do, cost nothing and would have stopped this worm in its tracks.

Most importantly, IT administrators should remember that the secret to secure computing does not come in a box. Internet-level virus checking, content scanning and so on all have a role to play, but nothing secures your defences like user education.

Safe computing training should be part of any company's basic induction programme. No employee should be allowed to switch on a computer without being told how to use it and how not to abuse it. This initial training needs to be followed up on a regular basis to make sure that these practices become second nature and that everyone realises how important they are.

After all, if you are a user, do you want to have to explain to your contacts that you forwarded a virus to them because you couldn't find the time to learn about basic computer safety? If you are the IT support department, do you want to explain to your users that you had to shut down the email server for hours because you couldn't take the time to conduct a training session? If you are the boss, do you want to explain to your customers that you couldn't deliver because IT security wasn't a high enough priority?

If you can successfully control your users' curiosity, you should be able to avoid your 15 minutes of shame.

Next edition: 23 February