How to Trick the Anna Worm

Antivirus software helps, but a simple PC tweak can also protect you from VBS-based viruses

Tom Mainelli, PCWorld.com, and Rod Ream, special to PCWorld.com

The spread of the Kournikova virus has slowed dramatically, but there's still a good chance the persistent little worm--or another Visual Basic Scripts-based pest like it--could land in your inbox. To protect yourself, you should update your antivirus software and then either change how your PC handles these files, or just delete them on sight.

Whenever you double-click on a Windows file, an action associated with the file's format occurs. The default action for double clicking on a Visual Basic Scripts file--for example, the Kournikova virus--is to execute the script contained in the file.

The Kournikova worm generally shows up as an e-mail message with an attachment purporting to be an image. When you click on the attachment, the program launches and first checks the date of your PC to see if it is January 26, says Steve Trilling, director of research at the Symantec AntiVirus Research Center. On that date, the program tries to launch your Web browser to visit a Web site in the Netherlands called Dynabyte.NL.

Since that date won't come around for another year, the virus moves on to your Microsoft Outlook Express address book. From there it sends out copies of itself to all of your contacts, Trilling said. It also places a line in your Windows registry so if you receive the virus again it will know not to resend itself from your PC.

Trick the Worm

In addition to that all-important antivirus update, you can easily outsmart a VBS-based virus by changing your computer's default action for VBS files.

Of course, you could change your Windows configuration so you can't run any VBS files, thereby eliminating all possibility of this type of infection. However, there's a relatively easy fix that will still permit a Web page or other application to run a VBS file when such a function is actually needed, but will block the double-click action. The fix is to change the default action to Edit, which causes the file to open in Notepad rather than to execute the script.

Here's how: In Windows Explorer, open Folder Options under the View menu (moved to Tools in Windows Me and 2000). Select the File Types tab and scroll to VBScript Script File. Click on the Edit button (Advanced in Windows Me and 2000). Another window will open showing the possible file actions, with the default action indicated in bold-face type. The default action is likely Open. Highlight instead the word Edit and click on the Set Default button. Edit should now appear in bold face.

Correction: A previous version of this story said to scroll to the VBScript Encoded file. Use the VBScript Script file instead. --Editors

In some older systems the Edit function may not appear. In such instances, click the New button and enter Edit in the action field and Notepad.exe in the application field. Once Edit appears, make it the default action as shown above.

While in the file-type screen, make sure the boxes for always show extension and enable quick view are also checked. Click OK to close the open windows.

Windows usually has several sample VBS files on the system in a folder named "sample." Find one of these files and double click on it. If the action causes Notepad to open and display the content of the file, you've done the fix correctly and you're now safe from an accidental VBS e-mail infection.

Or, you can download a utility that runs through the same process automatically. Coder David Jung developed the tool to change both the VBSFile and JSFile defaults from Open to Edit, and add the "AlwaysShowExt" Registry key entry so you can see file extensions in Windows Explorer. It works with Windows 9x, Me, NT, and 2000.
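The same registry changes can be checked and applied from a script. The following PowerShell is an added example, not David Jung's utility and not code from the original article; it assumes a Windows system with PowerShell and that the VBSFile and JSFile types are registered under HKEY_CLASSES_ROOT. Without -Apply it only reports the current double-click behavior.

```powershell
# Added example: audit, and with -Apply change, the double-click verb for script files.
# Run from an elevated prompt when using -Apply (writes under HKEY_CLASSES_ROOT).
param([switch]$Apply)

$progIds = 'VBSFile', 'JSFile'   # file-type ProgIDs named in the article

function Get-ScriptTypeState {
    param([string]$ProgId)
    $root = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    if (-not (Test-Path "$root\shell")) { return $null }
    # The (Default) value of the "shell" key names the default verb;
    # when it is empty, Explorer falls back to the "open" verb.
    $verb = (Get-Item "$root\shell").GetValue('')
    if ([string]::IsNullOrEmpty($verb)) { $verb = 'open' }
    [pscustomobject]@{
        ProgId        = $ProgId
        DefaultVerb   = $verb
        HasEditVerb   = Test-Path "$root\shell\Edit\command"
        AlwaysShowExt = $null -ne (Get-Item $root).GetValue('AlwaysShowExt')
        OpensInEditor = $verb -eq 'Edit'
    }
}

function Set-EditAsDefault {
    param([string]$ProgId)
    $root = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    # Never point the default at a verb that is not registered.
    if (-not (Test-Path "$root\shell\Edit\command")) {
        Write-Warning "$ProgId has no Edit verb; create one that runs Notepad.exe first."
        return
    }
    Set-Item -Path "$root\shell" -Value 'Edit'          # sets the (Default) value
    # An empty AlwaysShowExt value makes Explorer display the extension.
    New-ItemProperty -Path $root -Name 'AlwaysShowExt' -Value '' `
        -PropertyType String -Force | Out-Null
}

foreach ($id in $progIds) {
    $state = Get-ScriptTypeState $id
    if ($null -eq $state) { Write-Warning "$id is not registered"; continue }
    if ($Apply -and -not $state.OpensInEditor) {
        Set-EditAsDefault $id
        $state = Get-ScriptTypeState $id
    }
    $state
}
```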

More to Come?

Even if you escaped the Kournikova virus this time around, there's a very good chance a similar virus will find its way to your desktop in the near future, says Symantec's Trilling. That's because the virus was likely created using a simple-to-use virus-writing kit.

Members of the antivirus community suspect the virus kit in question comes from a virus writer in Argentina who calls himself Kalamar, he says. A virus writer in the Netherlands who calls himself OnTheFly has issued an e-mail claiming responsibility for the virus, but officials have yet to confirm his confession.

Regardless, more people will undoubtedly use such kits to mutate the current virus and to create others, he says. Symantec has already seen several variants of the current virus, but antivirus software should detect them.

If changing the default action for VBS files and updating your antivirus software don't make you feel safe, you can simply delete any and every e-mail you receive carrying the VBS extension. Trilling says most people don't exchange VBS files on a regular basis, so unless you're expecting one, deleting it is unlikely to cause problems.

(For more information about viruses, see PCWorld.com's "Viruses 2000: A Special Report.")
