- Please do not open any messages that has the title:
"Here you have" or
"Here you have, ;o"
and an attachment containing
It is a new type of virus!
Monday February 12 8:14 PM ET
Anna Kournikova Photo Is Computer Virus in Disguise
By Lisa Baertlein
PALO ALTO, Calif. (Reuters) - Hackers are using a promised photograph of
sexy Russian tennis star Anna Kournikova (news - web sites) to serve up a
fast-spreading computer virus.
The virus struck computers in Europe and the United States overnight. It
uses a so-called worm to spread in the same manner as last year's ``Love
Bug'' or ``Love Letter'' virus, which infected an estimated 15 million
computers and sent servers crashing around the world after unsuspecting
people opened an e-mail with ''I Love You'' on its subject line.
``It's an old virus concept but you put a pretty face and a nice pair of
legs on it and people open it,'' Steve Gottwals, director of product
marketing for F-Secure Corp, said.
Moscow-born Kournikova, 19, is the world's ninth-ranked female tennis
player and has never won a WTA title.
Her off-the-court profile, however, has captured the imaginations of many,
stroked by a provocative photo spread in the June 5 issue of Sports
Illustrated and her rocky romantic links to hockey player Sergei Fedorov,
of the Detroit Red Wings.
LOVE BUG REDUX?
The Kournikova virus -- which also is being referred to as ''VBS'',
``SST'' or ``On The Fly'' -- was first discovered in August and has been
found in more than 50 large corporations, including Fortune 500s, Network
Associates Inc. (NasdaqNM:NETA - news) said in a statement.
``This is the biggest thing since the Love Letter,'' David Perry, global
director of education for Trend Micro Inc. (NasdaqNM:TMIC - news), said.
Perry said users of his company's antivirus software have reported 50 to
100 Kournikova hits per hour, but he and other security experts do not yet
know how many computers have been affected.
The subject line on the Kournikova virus e-mail reads: ``Here you have,
;o)''. The body of the e-mail says ``Hi: Check this!''
When users of Microsoft Corp.'s (NasdaqNM:MSFT - news) Outlook e-mail
software open the attachment, which is disguised as a photo file, the
virus infects their computers and sends itself to every name in the users'
``It's not dangerous in a sense that it's data destructive,'' said Vincent
Weafer, director of the Symantec Antivirus Research Center. The Kournikova
virus and others like it are damaging because they have the potential to
clog e-mail systems and to cause servers to crash.
``They spread and burn very quickly, but die very quickly,'' Weafer said.
One San Francisco analyst, who got a half-dozen of the Kournikova e-mails
before his firm's server went down, wanted to know if people opened the
e-mail attachment without a promise of a nude photo.
When he learned that was the case, he laughed and said, ''Idiots.''
Antivirus experts said it appeared the virus had been built from a
programming tool kit created by a hacker known as ''Kalimar''.
If the virus is not completely flushed from a computer, it will
automatically connect to the Web site of a Dutch company called Dynabyte
on Jan. 26 each year, they said.
Virus watchers at Trend Micro believe that Kournikova was written by a
hacker in Holland who used the handle ``On The Fly''.
Others disagreed about the geographic origins of the virus, saying that
the link to the Dutch company was likely a way to throw law enforcement
off the hacker's scent.
- There indications--we received a few returned mails from two e-mail
systems claiming that we have sent them virii--that are e-mail addresses
are being used to send a new type of virus.
TRH never sends viruses intentionally NOR OUR COMPUTERS CAN GET INFECTED
AND SEND VIRUSES UNINTENTIONALLY: We are on a Unix computer that does not
get infected by PC viruses, and, therefore cannot pass them on to the
members of our lists. BUT a third party's computer can get infected and
use our e-mail addresses and send a virus to you.
Please take extra precaution in opening your e-mails, especially their
Please read the following for more.
As of January 26, 2004 1:47 PM (US Pacific Time), TrendMicro has declared
a yellow alert to control the spread of WORM_MYDOOM.A (previously known as
This mass-mailing worm selects from a list of email subjects, message
bodies, and attachment file names for its email messages. It spoofs the
sender name of its messages so that they appear to have been sent by
different users instead of the actual users on infected machines. (So, If
you are NOT expecting any messages from anyone, please DO NOT OPEN any
attachments to the emails that you receive.)
It can also propagate through the Kazaa peer-to-peer file-sharing network.
This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
It sends email with the following details:
From: <Spoofed email address>
Subject: (any of the following)
Mail Transaction Failed
Mail Delivery System
Message Body: (any of the following)
The message contains Unicode characters and has been sent as a binary
The message cannot be represented in 7-bit ASCII encoding and has been
sent as a binary attachment.
Mail transaction failed. Partial message is available.
Attachment: (any of the following file names)
(plus any of the following extensions)
The attachment may or may not arrived zipped. When zipped, it contains the
worm executable file with the same file name and any of the described
extensions. When unzipped, it uses either extensions, PIF or EXE.
The spoofed sender address is taken from email addresses obtained from the
This worm also has capabilities to spread via Kazaa, a popular
peer-to-peer file sharing application.
It drops a copy of itself in the Kazaa shared folder with a file name
chosen from the following list:
The dropped file can have any of the following extensions: