Infogram

February 15, 2001

NOTE: This INFOGRAM will be distributed weekly to provide members of the emergency services sector with news and information concerning the protection of their critical information systems. For further information please contact the U.S. Fire Administration's Critical Infrastructure Protection Information Center at (301) 447-1325 or e-mail at usfacipc@fema.gov.

Critical Infrastructure Protection (CIP): "Viruses - Hackers"

On February 12, 2001 the worm/virus, the VBS Virus "Anna Kournikova" also known as "VBS/SST" VBS Virus, was detected in the wild. Based upon investigations and information from other sources, the "Anna Kournikova" mass-mailing worm/virus is spreading rapidly throughout the Internet. However, it is seen as a low threat due to its non-destructive payload. Although it does not infect files on the victim's systems, this mass-mailing worm can potentially clog e-mail servers because of the volume it generates, administrators are advised to adjust their filtering software to block attachments with the name of Anna Kournikova.jpg.vbs. Additionally, users should not open any e-mails or attachments with the Anna Kournikova.jpg.vbs name.
VBS/SST Worm is a Visual Basic Script worm that spreads via e-mail using the MAPI applications such as Microsoft Outlook and Outlook Express. The worm arrives attached to an e-mail message that has the Subject line: "Here you have, ;o)". The message body contains the following text: "Hi: Check This!" The attachment to the e-mail message is a Visual Basic Script file named: "Anna Kournikova.jpg.vbs". When the attached program (the worm code) is executed, it copies itself to the Windows directory. It then adds the following digital signature to the registry key: "HKCU\software\OnTheFly\Worm made using Vbswg 1.5b". The worm then proceeds to send itself out to all addresses found in the Microsoft Outlook Application.
The Zurich, Switzerland weekly newspaper, SonntagsZeitung, reported the theft of passwords, e-mail addresses, credit card numbers, and other personal data from attendees at the World Economic Forum. Celebrities and political leaders were included in the database that was hacked. Dustin Hoffman, Yassar Arafat, and former President Bill Clinton are among the individuals whose information was compromised. How secure is your personal information that is stored on Internet accessible databases? (http://www.antionline.com) (http://www.sonntagszeitung.ch)
Emergency service computer users should be vigilant in their use of e-mail systems. This reported virus was not covered by the current versions of most anti-virus software products when it was released. The anti-virus software must be kept up-to-date with upgrades from the manufacturer to be effective, but new viruses can appear that are not covered by the anti-virus applications. If you are not sure of the e-mail that you receive delete it before it is opened.

FAIR USE NOTICE

This INFOGRAM may contain copyrighted material that was not specifically authorized by the copyright owner. EMR-ISAC personnel believe this constitutes "fair use" of copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use copyrighted material contained within this document for your own purposes that go beyond "fair use," you must obtain permission from the copyright owner.

Reporting Notice

DHS and the FBI encourage recipients of this document to report information concerning suspicious or criminal activity to DHS and/or the FBI. The DHS National Operation Center (NOC) can be reached by telephone at 202-282-9685 or by e-mail at NOC.Fusion@dhs.gov.

The FBI regional phone numbers can be found online at www.fbi.gov/contact/fo/fo.htm

For information affecting the private sector and critical infrastructure, contact the National Infrastructure Coordinating Center (NICC), a sub-element of the NOC. The NICC can be reached by telephone at 202-282-9201 or by e-mail at NICC@dhs.gov.

When available, each report submitted should include the date, time, location, type of activity, number of people and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.

Weekly INFOGRAM's are now available as an RSS Feed. More Information »