How to Trick the Anna Worm
The spread of the Kournikova virus
Whenever you double-click on a Windows file, an action associated with the file's format occurs. The default action for double-clicking on a Visual Basic Script (VBS) file--for example, the Kournikova virus--is to execute the script contained in the file.
The Kournikova worm generally shows up as an e-mail message with an attachment purporting to be an image. When you click on the attachment, the program launches and first checks the date of your PC to see if it is January 26, says Steve Trilling, director of research at the
Since that date won't come around for another year, the virus moves on to your Microsoft Outlook Express address book. From there it sends out copies of itself to all of your contacts, Trilling said. It also places a line in your Windows registry so if you receive the virus again it will know not to resend itself from your PC.
In addition to that all-important antivirus update, you can easily outsmart a VBS-based virus by changing your computer's default action for VBS files.
Of course, you could change your Windows configuration so you can't run any VBS files, thereby eliminating all possibility of this type of infection. However, there's a relatively easy fix that will still permit a Web page or other application to run a VBS file when such a function is actually needed, but will block the double-click action. The fix is to change the default action to Edit, which causes the file to open in Notepad rather than to execute the script.
Here's how: In Windows Explorer, open
In some older systems the Edit function may not appear. In such instances, click the
While in the file-type screen, also make sure the boxes for
Windows usually has several sample VBS files on the system in a folder named "sample." Find one of these files and double-click on it. If the action causes Notepad to open and display the content of the file, you've done the fix correctly and you're now safe from an accidental VBS e-mail infection.
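The same setting can be checked and changed from PowerShell. The script below is an added example, not part of the original article; it assumes an elevated prompt and the standard .vbs file-class registration under HKLM:\Software\Classes, and its function names are illustrative.

```powershell
# Added example: report and change the double-click (default) action for .vbs files.
# Assumes an elevated prompt. HKLM:\Software\Classes is the machine-wide store that
# Explorer shows merged with per-user entries as HKEY_CLASSES_ROOT.
$classes = 'HKLM:\Software\Classes'

function Get-ScriptDefaultVerb {
    param([string]$Extension = '.vbs')
    # The extension key's default value names the file class (normally VBSFile).
    $progId   = (Get-Item -LiteralPath "$classes\$Extension" -ErrorAction Stop).GetValue('')
    $shellKey = "$classes\$progId\Shell"
    $verb     = (Get-Item -LiteralPath $shellKey -ErrorAction Stop).GetValue('')
    if (-not $verb) { $verb = 'Open' }   # empty default: Explorer falls back to Open
    $cmdKey   = "$shellKey\$verb\Command"
    $command  = if (Test-Path -LiteralPath $cmdKey) { (Get-Item -LiteralPath $cmdKey).GetValue('') }
    [pscustomobject]@{
        Extension   = $Extension
        ProgId      = $progId
        ShellKey    = $shellKey
        DefaultVerb = $verb          # what a double-click does
        Command     = $command       # program that verb launches
        HasEdit     = Test-Path -LiteralPath "$shellKey\Edit\Command"
    }
}

function Set-ScriptDefaultVerbToEdit {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Extension = '.vbs')
    $state = Get-ScriptDefaultVerb -Extension $Extension
    if (-not $state.HasEdit) {
        # The older-system case the article mentions: no Edit action is registered.
        # Pointing the default at a missing verb would not help, so change nothing.
        Write-Warning "$($state.ProgId) has no Edit action; default left as '$($state.DefaultVerb)'."
        return $state
    }
    if ($PSCmdlet.ShouldProcess($state.ShellKey, 'set default action to Edit')) {
        Set-ItemProperty -LiteralPath $state.ShellKey -Name '(default)' -Value 'Edit'
    }
    Get-ScriptDefaultVerb -Extension $Extension   # re-read to confirm the result
}

Get-ScriptDefaultVerb                       # audit only: shows the current action
# Set-ScriptDefaultVerbToEdit -WhatIf       # preview the change
# Set-ScriptDefaultVerbToEdit               # apply it
```

After the change, DefaultVerb should read Edit and Command should point at Notepad, which matches the double-click test described above.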
Or, you can
Even if you escaped the Kournikova virus this time around, there's a very good chance a similar virus will find its way to your desktop in the near future, says Symantec's Trilling. That's because the virus was likely created using a simple-to-use virus-writing kit.
Members of the antivirus community suspect the virus kit in question comes from a virus writer in Argentina who calls himself Kalamar, he says. A virus writer in the Netherlands who calls himself OnTheFly has issued an e-mail claiming responsibility for the virus, but officials have yet to confirm his confession.
Regardless, more people will undoubtedly use such kits to mutate the current virus and to create others, he says. Symantec has already seen several variants of the current virus, but antivirus software should detect them.
If changing the default action for VBS files and updating your antivirus software don't make you feel safe, you can simply delete any and every e-mail you receive carrying the VBS extension. Trilling says most people don't exchange VBS files on a regular basis, so unless you're expecting one, deleting it is unlikely to cause problems.
(For more information about viruses, see PCWorld.com's "