Anna Kournikova (computer worm)

from Wikipedia, the free encyclopedia
Anna Kournikova
Name: Anna Kournikova
Aliases: Vbs.OnTheFly
Known since: 2001
Origin: Netherlands
Type: Email worm
Other classes: Script worm
Authors: Jan de Wit
File size: 2.51 Kbytes
Memory resident: No
Distribution: Email
System: Windows
Programming language: Visual Basic Script
Info: Was created with the VBS Worm Generator toolkit

At its outbreak on 11 February 2001, the computer worm Anna Kournikova caused many overloaded e-mail servers and system faults.


The worm is named after the then still active Russian tennis player Anna Kournikova. The file was labeled AnnaKournikova.jpg.vbs.

Anna Kournikova was written in Visual Basic Script and was sent automatically as a mail attachment. The script was written by Jan de Wit, a Dutch student at the age of twenty.


Aliases

The author of the email worm used the pseudonym OnTheFly. He himself called the worm program Vbs.OnTheFly, which stands for "Visual Basic Script by OnTheFly".

In the press and in common usage, however, the name Anna Kournikova established itself on the day of the wave of infection, sometimes written without a space as AnnaKournikova. Very often the worm was and is incorrectly called the Anna Kournikova Virus.

Versions and derivatives

Subsequently, several descendants of the Anna Kournikova worm appeared.

One of the better-known variants, which lured recipients with an alleged nude photo of singer and actress Jennifer Lopez, came into circulation about four months later. Unlike the original, this derivative of the Anna Kournikova worm had an integrated payload: it could also infect affected computers with the CIH virus. On Windows 9x operating systems, that virus brought with it the risk of data loss and firmware damage.

Almost at the same time as Anna Kournikova, from February 15, 2001, the T-Online worm was circulating in Germany. It is practically identical in function to Anna Kournikova, but it pretended to be a text file and baited recipients with an alleged offer from Telekom that promised lower internet fees. However, it is not a derivative of the Anna Kournikova worm, as was sometimes claimed in the press. For the most part, the VB scripts differ significantly.

Layout and function

De Wit used the VBS Worm Generator toolkit to create the worm. The kit is only 38 KByte in size and has several functions for creating and revising Visual Basic worms. At that time, the tool was still freely available online.

The developer of the VBS Worm Generator was an eighteen-year-old programmer from Buenos Aires. When his tool and his pseudonym [K]Alamar were mentioned on television in connection with the Kournikova worm, he removed the program from his website. He had previously made it available for free download.

Replication

The VB script spread as an attachment via email. The subject line of such an email was, in the original version of the worm: Here you have, ;o)

The mail itself contained the text: Hi: Check This!

The file in the attachment was named: AnnaKournikova.jpg.vbs

With the operating systems and customary settings used at the time, however, only AnnaKournikova.jpg was visible. The file extensions of known file types, in this case that of a Visual Basic script, were mostly hidden in the browser or mail client.
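The double-extension disguise described above can be checked for mechanically when mail is scanned. The following Python sketch is an added example, not part of the original article; the extension lists, the function names and the sample message are constructed for illustration, and the attachment bytes are inert placeholders.

```python
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Illustrative subsets, not exhaustive lists.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".scr", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".doc", ".pdf"}
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS


def check_attachment(filename: str) -> dict:
    """Classify one attachment name and show what a user would have seen."""
    name = PureWindowsPath(filename.strip()).name  # drop any path component
    # Strip padding such as "photo.jpg   .vbs" before comparing extensions.
    exts = [s.strip().lower() for s in PureWindowsPath(name).suffixes]
    executable = bool(exts) and exts[-1] in EXECUTABLE_EXTS
    # Deceptive: a harmless-looking extension directly before an executable one.
    deceptive = executable and len(exts) >= 2 and exts[-2] in DECOY_EXTS
    # With "hide extensions for known file types" on, the last suffix vanishes.
    hidden = bool(exts) and exts[-1] in KNOWN_EXTS
    shown = name.rsplit(".", 1)[0].rstrip() if hidden else name
    return {"name": name, "shown_as": shown,
            "executable": executable, "deceptive": deceptive}


def scan_message(msg: EmailMessage) -> list:
    """Return one finding per named attachment in the message."""
    return [check_attachment(p.get_filename())
            for p in msg.iter_attachments() if p.get_filename()]


def sample_message() -> EmailMessage:
    """Constructed sample: inert placeholder bytes, no worm code."""
    msg = EmailMessage()
    msg.set_content("Hi: Check This!")
    msg.add_attachment(b"' inert placeholder", maintype="application",
                       subtype="octet-stream", filename="AnnaKournikova.jpg.vbs")
    msg.add_attachment(b"\xff\xd8\xff\xe0", maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    return msg


if __name__ == "__main__":
    for finding in scan_message(sample_message()):
        print(finding)
```

The `shown_as` field reproduces what the recipient saw in 2001: the script is listed as AnnaKournikova.jpg, while a genuine image loses its extension entirely.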

Social engineering

Because the JPG format was so familiar, the file name signaled to the user that the attachment was a photo of the then very famous tennis player Anna Kournikova. As a result, thousands of users clicked on the attachment to open the supposed image.

The Microsoft Outlook application was the means of spreading the worm. If an e-mail recipient opened the attachment and thereby started the script, the expected picture of Anna Kournikova did not appear. Instead, the worm sent itself to all addresses stored in the Microsoft Outlook address book. The recipients' mistrust was therefore rather low, since the mail supposedly came from a known sender. In addition, JPEG files are generally considered to be relatively harmless. So the Anna Kournikova worm primarily used the social component for its spread. The effectiveness of this simple trickery was enormous.

Users of other e-mail programs or other operating systems (MacOS, Linux, etc.) were not affected. Running the attachment in this case had no practical effect.

Protection and removal

The Anna Kournikova worm is no longer a contemporary threat.

  • Anna Kournikova was very similar to the worm strain VBS/SST@MM, which had been known since August 2000. Since it was practically not a new program, but a variant of already known worms, some of the antivirus scanners that were current at the time were able to identify the worm on the day of the wave of infection and remove it without any problems. The rapid spread of the worm shows, however, that IT protection software was by no means an established standard in 2001.
  • Current operating systems and Outlook versions are no longer susceptible to the worm.
  • Email providers automatically check file attachments for known malware and refuse to send critical attachments.
  • Antivirus programs received updates that same week so that their real-time monitoring would block the Anna Kournikova worm.
  • The execution policies for VB scripts have been revised and made more secure.
  • A personal firewall did not protect against the effects of Anna Kournikova. Outlook had to be allowed as an exception by default in order to enable the desired functions. In addition, personal firewalls were not yet established in private use in 2001.

Situation around 2001

The period from 2000 to 2010 was the golden era of computer worms. After Loveletter in 2000, Anna Kournikova was only the second worm to receive almost worldwide media attention. In the wake of the Kournikova worm, the T-Online worm made some headlines in Germany. In this "decade of worms", numerous other well-known and notorious pieces of malware followed, such as Sasser, Sobig.F, MyDoom, Conficker or Stuxnet. Incidents with conventional file or macro viruses, on the other hand, were hardly an issue in the mass media.

Effects of the worm

On February 11, 2001, around 3:00 p.m., de Wit first spread the worm via a newsgroup. As a result, it spread almost globally. The date fell on a Sunday. Perhaps Jan de Wit wanted to take advantage of the fact that this day is used by many private individuals for surfing and e-mailing.

Anna Kournikova was similar to the Loveletter worm that appeared a year earlier in 2000, but it did not damage data on infected computer systems. Nevertheless, the worm caused millions of e-mails to be sent and thereby caused numerous problems with IT systems and e-mail servers.

Since it was a simple script worm, Anna Kournikova was able to send itself automatically to other computers, but it could not start itself there. The rapid spread depended entirely on email recipients who opened the email attachment. Several social components played a role here. The sender of the e-mail was mostly known, curiosity was aroused and image files were generally considered to be rather harmless. A JPEG of the then nineteen-year-old tennis star and photo model did not look suspicious. In many cases, it was not immediately noticeable that it was actually not a photo but a Visual Basic Script.

On Tuesday, February 13th, a short letter of confession was received on a Dutch website. Using his pseudonym OnTheFly, de Wit stated that he did not want to cause any harm. The worm, he said, was a warning to careless Internet users who open unknown file attachments without hesitation. De Wit wrote in his letter of responsibility that the worm would also cause server failures due to its avalanche-like spread.

On the afternoon of February 14th, Jan de Wit turned himself in to the Dutch police.

The author

Image caption: Anna Kournikova in 2002 while training. The worm aroused the curiosity of the recipients of the e-mails with a picture of the Russian tennis player that didn't really exist.

The then twenty-year-old Dutch student Jan de Wit was the author of the worm script. Malware was generally one of his areas of interest, and he was a fan of Anna Kournikova. According to his own information, it only took a few hours to create the worm.

De Wit published two letters of confession on the Internet on February 13th. One of the online services said the next day that they had identified OnTheFly. According to a press report, David L. Smith, the author of the 1999 Melissa virus, also helped to identify de Wit. Before there was an arrest, de Wit turned himself in to the authorities. He reported to the police in his hometown of Sneek on February 14, 2001. In his statement, he admitted using a toolkit to create the virus and explained that his motivation was to see whether the IT community had learned its lesson on how to make systems safer after previous virus infections.

In addition to expressing his regrets, he blamed the naivety of many computer owners for the extent of the spread. He also described his simple con trick with the alleged photo as the ideal bait. In contrast to the Melissa virus and the Loveletter e-mail worm, which relied purely on the curiosity of the e-mail recipient, de Wit also used Anna Kournikova's attractive appearance as a means of spreading his worm more effectively.

In the press he was sometimes referred to as a talented young man, but also as a script kiddie. Sieboldt Hartkamp, the mayor of Jan de Wit's hometown Sneek, was one of the people who were rather impressed. He offered de Wit a job in the IT department of the local administration a few days after the incident.

The legal consequences

De Wit was brought to trial in Leeuwarden on charges of disseminating data on a computer network in order to cause harm. This offense is considered a crime in the Netherlands and could be punished with a maximum sentence of four years in prison and a fine of 100,000 guilders (US$41,300). Jan de Wit's lawyers called for the charges against him to be dismissed, arguing that the worm had caused minimal damage, due to negligent misjudgment. The FBI submitted some investigation results to the Dutch court. According to the US agency, the worm caused a total of $166,000 in damage. De Wit denied any malicious intent.

The worm author could credibly assure the court that he did not want to cause any damage. However, it was not accepted that he had completely misjudged the consequences beforehand. Since he worked in a computer store and privately dealt intensively with malware, the theoretical effects of an e-mail worm should have been perfectly clear to him. After an appeal hearing, he was sentenced to 150 hours of community service.

Worm or virus

The Anna Kournikova worm is often incorrectly referred to as a virus in the press. A virus is program code that is not self-contained: viruses spread by embedding themselves in files or system areas. The Anna Kournikova worm does not meet this definition, however, as it does not infect files, but is an independent program. The email itself that the worm uses to spread does not count as a host file. The Anna Kournikova script sends itself as an attachment.

The frequent comparisons of Anna Kournikova with the 1999 Melissa virus are based on the avalanche-like spread by e-mail in both cases. Melissa spreads via an infected text file as an email attachment, while the Anna Kournikova worm itself was the attachment.

Trivia

The Anna Kournikova worm was addressed in an episode of the sitcom Friends (Season 9, Episode 20, "Rain in Paradise, Part One"). One of the main characters purposely infects his friend's PC with a contaminated email. In the mail, he was promised a nude photo of Anna Kournikova. The worm in the series also destroys all files on the hard drive.
