InfoGram

February 15, 2001

NOTE: This InfoGram will be distributed weekly to provide members of the emergency services sector with news and information concerning the protection of their critical information systems. For further information please contact the U.S. Fire Administration's Critical Infrastructure Protection Information Center at (301) 447-1325 or email at usfacipc@fema.gov.

Critical Infrastructure Protection (CIP): "Viruses - Hackers"

• On February 12, 2001 the worm/virus, the VBS Virus "Anna Kournikova" also known as "VBS/SST" VBS Virus, was detected in the wild. Based upon investigations and information from other sources, the "Anna Kournikova" mass-mailing worm/virus is spreading rapidly throughout the Internet. However, it is seen as a low threat due to its non-destructive payload. Although it does not infect files on the victim's systems, this mass-mailing worm can potentially clog email servers because of the volume it generates, administrators are advised to adjust their filtering software to block attachments with the name of Anna Kournikova.jpg.vbs. Additionally, users should not open any emails or attachments with the Anna Kournikova.jpg.vbs name.
• VBS/SST Worm is a Visual Basic Script worm that spreads via email using the MAPI applications such as Microsoft Outlook and Outlook Express. The worm arrives attached to an email message that has the Subject line: "Here you have, ;o)". The message body contains the following text: "Hi: Check This!" The attachment to the email message is a Visual Basic Script file named: "Anna Kournikova.jpg.vbs". When the attached program (the worm code) is executed, it copies itself to the Windows directory. It then adds the following digital signature to the registry key: "HKCU\software\OnTheFly\Worm made using Vbswg 1.5b". The worm then proceeds to send itself out to all addresses found in the Microsoft Outlook Application.
• The Zurich, Switzerland weekly newspaper, SonntagsZeitung, reported the theft of passwords, email addresses, credit card numbers, and other personal data from attendees at the World Economic Forum. Celebrities and political leaders were included in the database that was hacked. Dustin Hoffman, Yassar Arafat, and former President Bill Clinton are among the individuals whose information was compromised. How secure is your personal information that is stored on Internet accessible databases? (http://www.antionline.com) (http://www.sonntagszeitung.ch)
• Emergency service computer users should be vigilant in their use of email systems. This reported virus was not covered by the current versions of most anti-virus software products when it was released. The anti-virus software must be kept up-to-date with upgrades from the manufacturer to be effective, but new viruses can appear that are not covered by the anti-virus applications. If you are not sure of the email that you receive delete it before it is opened.