TUCoPS :: Malware :: al200101.txt

AusCERT Alert 2001.01 AnnaKournikova.jpg.vbs (Onthefly) Worm


A  U  S  C  E  R  T                                           A  L  E  R  T
                        AL-2001.01  --  AUSCERT ALERT
                   AnnaKournikova.jpg.vbs (Onthefly) Worm
                              13 February 2001



	AusCERT has received information about a new virus known as the
	Onthefly worm. This worm has been reported from several sources
	within a very short period of time, indicating that it may be
	propagating rapidly.

	The worm is received via email in the form of an attachment named
	"AnnaKournikova.jpg.vbs". The email message has the subject line:
		Here you have, ;o)

	The body of the email will contain the message:

		Check This!

	Executing the worm by attempting to open the attachment will cause
	this VBS file to be copied (as AnnaKournikova.jpg.vbs) to the
	Windows directory and then resent, as an email attachment, to all
	recipients in all address books, updating the system registry as
	it does so to ensure this action is only taken once. The worm will
	also attempt to open the web browser and connect to a web site in
	the Netherlands on January 26, but this action appears to be


	The worm is non-destructive at this stage, it appears to be
	designed for propagation only. Minor alterations are made to the
	Windows registry for worm version information and for the addition
	of a flag to prevent a repeat of the mailout.


	A. User Education

	System Administrators are urged to inform their users about proper
	precautions with regards to handling email attachments.

	AusCERT recommends that sites should update and check their virus
	defences and either delete or do not open any email messages or
	attachments that resemble those described above or in the following

	B. E-Mail Security Update

	System administrators and users employing Microsoft Outlook 98/2000
	may wish to install the Outlook Security Update available from 


	The White Paper "Outlook 98/2000 E-Mail Security Update"

	"Many damaging viruses, such as the ILOVEYOU virus, spread
	by automatically e-mailing themselves to multiple recipients
	in a user's Global Address Book. The only way to prevent
	viruses from automatically propagating is to block programmatic
	access to the features in Outlook that viruses use to spread
	themselves. The security update blocks programmatic access
	to the Send capabilities and to all e-mail address information
	stored in Outlook, including the Contacts folder, Personal
	Address Book, address fields in Outlook forms such as the
	To: field, and the Global Address Book. This protects
	Outlook users from viruses that collect e-mail addresses
	and send themselves out to those addresses."

	This document is available at:


	C. Update Anti-Virus Packages

	System administrators and users are urged to ensure that the latest
	Anti-Virus software is installed and that it is using the most
	current up-to-date virus databases.

	More information can be found at:


	AusCERT is continuing to monitor this problem. 

- ---------------------------------------------------------------------------
For more information contact your Anti-Virus software vendor.
- ---------------------------------------------------------------------------

[AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.]

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation.  The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures.  AusCERT takes no
responsibility for the consequences of applying the contents of this

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT
and AusCERT Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
		hours which are GMT+10:00 (AEST).  On call
		after hours for emergencies.
Australian Computer Emergency Response Team
The University of Queensland
Qld  4072

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2023 AOH