-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
                         A U S C E R T   A L E R T

                        AL-2001.01 -- AUSCERT ALERT
                  AnnaKournikova.jpg.vbs (Onthefly) Worm
                             13 February 2001
===========================================================================

PROBLEM:

    AusCERT has received information about a new virus known as the
    Onthefly worm.  This worm has been reported from several sources
    within a very short period of time, indicating that it may be
    propagating rapidly.

    The worm is received via email in the form of an attachment named
    "AnnaKournikova.jpg.vbs".  The email message has the subject line:

        Here you have, ;o)

    The body of the email will contain the message:

        Hi: Check This!

    Executing the worm by attempting to open the attachment will cause
    this VBS file to be copied (as AnnaKournikova.jpg.vbs) to the Windows
    directory and then resent, as an email attachment, to all recipients
    in all address books, updating the system registry as it does so to
    ensure this action is only taken once.

    The worm will also attempt to open the web browser and connect to a
    web site in the Netherlands on January 26, but this action appears to
    be benign.

IMPACT:

    The worm is non-destructive at this stage; it appears to be designed
    for propagation only.  Minor alterations are made to the Windows
    registry for worm version information and for the addition of a flag
    to prevent a repeat of the mailout.

RECOMMENDATIONS:

    A. User Education

    System Administrators are urged to inform their users about proper
    precautions with regards to handling email attachments.  AusCERT
    recommends that sites should update and check their virus defences
    and either delete or do not open any email messages or attachments
    that resemble those described above or in the following links.

    B. E-Mail Security Update

    System administrators and users employing Microsoft Outlook 98/2000
    may wish to install the Outlook Security Update available from

        http://www.microsoft.com/office/outlook/downloads/security.htm

    The White Paper "Outlook 98/2000 E-Mail Security Update" explains:

        "Many damaging viruses, such as the ILOVEYOU virus, spread by
        automatically e-mailing themselves to multiple recipients in a
        user's Global Address Book.  The only way to prevent viruses from
        automatically propagating is to block programmatic access to the
        features in Outlook that viruses use to spread themselves.  The
        security update blocks programmatic access to the Send
        capabilities and to all e-mail address information stored in
        Outlook, including the Contacts folder, Personal Address Book,
        address fields in Outlook forms such as the To: field, and the
        Global Address Book.  This protects Outlook users from viruses
        that collect e-mail addresses and send themselves out to those
        addresses."

    This document is available at:

        http://office.microsoft.com/2000/downloaddetails/Out2ksec.htm

    C. Update Anti-Virus Packages

    System administrators and users are urged to ensure that the latest
    Anti-Virus software is installed and that it is using the most
    current up-to-date virus databases.

    More information can be found at:

        http://www.europe.f-secure.com/v-descs/onthefly.shtml
        http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=VBS_KALAMAR.A
        http://www.sophos.com/virusinfo/analyses/vbsssta.html
        http://www.symantec.com/avcenter/venc/data/vbs.sst@mm.html

    AusCERT is continuing to monitor this problem.

- ---------------------------------------------------------------------------

For more information contact your Anti-Virus software vendor.
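A mail-gateway check for the message pattern this alert describes, added here as an illustration and not AusCERT's own code: it flags attachments whose script extension is hidden behind a decoy extension, as in AnnaKournikova.jpg.vbs, and records when the subject or body matches the text quoted above. The extension lists and the sample message are constructed assumptions, and the attachment body is a placeholder.

```python
from email import message_from_string
from email.policy import default

# Script extensions Windows Script Host runs when a user "opens" the file (assumed list).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Decoy extensions that make a script look like data, e.g. "photo.jpg.vbs" (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".txt", ".doc", ".pdf"}
# Indicator text quoted in AL-2001.01.
KNOWN_SUBJECT = "Here you have, ;o)"
KNOWN_BODY = "Hi: Check This!"

def is_disguised_script(filename: str) -> bool:
    """True when a script extension hides behind a decoy one (e.g. .jpg.vbs)."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) != 3:
        return False
    return "." + parts[2] in SCRIPT_EXTS and "." + parts[1] in DECOY_EXTS

def scan_message(raw: str) -> list[str]:
    """Return the reasons a message matches the worm pattern ([] means clean)."""
    msg = message_from_string(raw, policy=default)
    reasons = []
    if msg.get("Subject", "").strip() == KNOWN_SUBJECT:
        reasons.append("subject matches AL-2001.01 indicator")
    for part in msg.walk():
        name = part.get_filename()
        if name and is_disguised_script(name):
            reasons.append(f"disguised script attachment: {name}")
        elif name is None and part.get_content_type() == "text/plain":
            # Only inline text parts count as the message body.
            if KNOWN_BODY in part.get_content():
                reasons.append("body matches AL-2001.01 indicator")
    return reasons

# Constructed sample message, not a real capture; the attachment is a placeholder.
SAMPLE = """\
Subject: Here you have, ;o)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi: Check This!
--b1
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"

' placeholder bytes, not script code
--b1--
"""
```

Running scan_message(SAMPLE) yields three reasons (subject, body, attachment); a message with none of the indicators yields an empty list.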
- ---------------------------------------------------------------------------

[AusCERT issues an alert when the risk posed by a vulnerability that may not
have been thoroughly investigated and for which a work-around or fix may not
yet have been developed requires notification.]

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication.  However,
the decision to use the information described is the responsibility of each
user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application in
conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                The University of Queensland
                Brisbane
                Qld 4072
                AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOolp/Sh9+71yA2DNAQHwUwP/b2CwJgvevF2NMCamgLtUsNm38EBlUnkG
2dLw0xQIfb0RJuR4AMERdD7I0qNaPQRDCNKrESabqBDYljj/c3ss/5gD/eFr3DC3
OTso/m1JI+EbsCVPZqSilMrOLGRetRg73WH92IaCsvkXiOMI+mL76S2QWqaWo7lJ
3BZy466/e6U=
=Sbwn
-----END PGP SIGNATURE-----