Malware Anatomy: The Anna Kournikova Worm


I don’t advocate the use of viruses, worms, Trojan horses, ransomware, or anything else that can screw up someone’s system or violate their privacy.

It’s oddly satisfying to peek inside them though. Like disassembling a clock.

Kournikova was my first pick because she’s written in Visual Basic, which isn’t too painful to read. She’s also so old it’s unlikely anyone would be able to use this walk-through to create something malicious. Old in malware years anyway. In human years, she’ll be seventeen next month.

Some Context

It was February 11, 2001.

Former Texas governor, George W. Bush, had just been sworn in as President of the United States. The Census Bureau reported that right around that time a little more than half of American households had computers. A cool new website called Wikipedia had been launched a little less than a month before. Cameras were not yet standard on cell phones, but South Korea and Japan were working on it.

“It Wasn’t Me” by Shaggy was at the top of the Billboard Hot 100 chart. To this day, I have no idea why. There was nothing good playing at the movies because Zoolander didn’t come out until September of that year. Third Rock from the Sun was in its last season. Jon Stewart was still hosting The Daily Show.

The Hotmail Hackers, who pointed out any Hotmail account could be accessed with the password ‘eh’, might still have been fresh in memory. The ILOVEYOU worm, released in 2000, was definitely still rattling around people’s heads.

That’s when a 20-year-old Dutchman, known as OnTheFly, downloaded a point-and-click virus creation kit to generate a worm that disguises itself as a .jpeg named “Anna Kournikova.” Yup, you read that right—this punk didn’t even take the time to write the code himself. He used the digital equivalent of an Easy-Bake Oven.

Which is actually good for us because if you want to dissect a virus, you might as well start off with the easiest one available. But moving on.

Kournikova was released. The email attachment, actually a Visual Basic script, clawed its way through the host account’s Outlook contacts and mailed copies of itself to everyone they knew. So it spread.

Why? Tough to say. Could be because people just assumed any attachment sent from someone in their contacts would be trustworthy. Could be because Anna Kournikova looks like a Russian supermodel. I’ve Googled the hell out of that virus and still haven’t managed to find her thoughts on the whole debacle.

Reviews were mixed. On February 13th, the BBC posted an article that called Anna Kournikova a “so-so tennis player” but a “world-beating computer virus.” The next day, on the other side of the ocean, the New York Post reported that the virus, like Kournikova, was “long on hype, short on the ability to get the job done.”


Suffice it to say, reporters can be rude motherfu****s.

Back to the point, OnTheFly was arrested on February 14th and eventually sentenced to 150 hours of community service. His real name is Jan De Wit, and he maintained he didn’t really know what he was doing.

The world moved on. Anti-viruses adjusted. The real Kournikova went on to marry Enrique Iglesias.

I’ve poked around but had no success in figuring out what De Wit’s been doing since then.

So what does Anna Kournikova look like?

It can be broken into two parts. The first allows it to set up shop in the host computer. It waits there politely not deleting or changing files until January 26th. Then it tries to connect to the internet to access http://www.dynabytle.nl.

The second part is a function called DoMail(). It runs once when the virus is initially downloaded. DoMail() slips into Outlook, grabs the host’s address list, and attaches a copy of Anna to an email for each person in it.


Just for reference, there’s actually already a lovely breakdown of the virus on the Michigan State University’s website. Looks like it was part of a final term paper project for a class. I hope whoever wrote it got an A because it looks pretty damn good to me.

However, it still assumes a basic understanding of some things that were unfamiliar to me. So, I’m starting off with some more basic questions:

What is the WScript.Shell?

It’s in the first few lines and looks a bit intimidating. Basically, it sets up something called a Shell Object. You don’t need to know much about them—just note that you need a Shell Object to mess around with the Windows Registry.


What’s the Windows Registry?

Yeah, I’d never heard of it before.

This article from Lifewire defines it as “a collection of databases of configuration settings in Microsoft Windows operating system.” From what I’ve been able to gather, it basically holds a bunch of instructions to help the computer do things.

How do you get into your registry? Type “regedit” into your Start Menu. It looks like this.

[Screenshot: the Registry Editor]

Everything I’ve read thus far about the Registry indicates you should be really careful before changing anything in it. Or back it up before tweaking.

So what exactly does the Regwrite line do?

To get a better idea of how this works, I cut out the scary pieces of the virus and ran it on my system.

Warning: Do not, I repeat, do not copy the code over into a file on your desktop and run it without double/triple/quadruple checking that all the bad bits have been removed. This is a public service announcement from the moron who just did exactly that and had to restore their system. Also, just a heads up, if you do try to run a gutted version of Kournikova, any decent anti-virus will attack the shit out of it. The first couple of times it warned me that I’d been running malware, then it just straight up started deleting the VBS file because people really shouldn’t be trusted to make these decisions.

Point is, if you want to test out shady things on your home computer, be prepared for things to get weird.

For my experiment, I eventually removed everything except the parts that deal specifically with the registry. This is what I was left with:

'Vbs.OnTheFly Created By OnTheFly

On Error Resume Next

Set WScriptShell = CreateObject("WScript.Shell")
WScriptShell.regwrite "HKCU\Software\OnTheFly\", "Worm made with Vbswg 1.50b"

WScriptShell.regwrite "HKCU\software\OnTheFly\mailed", "1"

I saved that into a text document on my Desktop and changed the extension to .VBS. You’ll know you’ve done it right because the icon will look like an old piece of parchment.

I double-clicked it and saw there was a brand new folder under HKEY_CURRENT_USER->Software->OnTheFly.


And the “mailed” line has the number 1 stashed.

This is a very long and roundabout way of telling you that regwrite writes lines to the registry.

Why do I need to write to the registry?

Because you’re not a total prick—you don’t want to blast the emails again if the virus has already run once. Here’s an interesting problem though, how does Anna know if she’s already done her business on a specific machine?

She stashes a variable somewhere to have her check against next time. The registry is a nice spot because who the hell is going to be looking through their registry?


That’s why the DoMail() function is embedded in an If statement. If the registry indicates “mailed” is not equal to one, then Anna knows to run the DoMail() function. The DoMail() function sets “mailed” to one at the end, so Anna won’t do it again.
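From a responder's side, the same marker shows which accounts ran the script and which ones finished mailing. The Python sketch below is an added example, not code from the worm or from the original post; it parses `reg query` output for the OnTheFly key, and the host names, SIDs and sample output are constructed.

```python
import re

# The worm writes "HKCU\software\OnTheFly"; registry paths are case-insensitive.
MARKER_KEY = r"\software\onthefly"
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s*(.*)$")

# Constructed sample: `reg query "HKU\<SID>\Software\OnTheFly"` output per host.
# HKCU is per-user, so each loaded user hive under HKEY_USERS is queried.
# Host names and SIDs are made up.
SAMPLE = {
    "ws-01": "ERROR: The system was unable to find the specified registry key or value.\n",
    "ws-02": "\nHKEY_USERS\\S-1-5-21-1111-2222-3333-1001\\Software\\OnTheFly\n"
             "    (Default)    REG_SZ    Worm made with Vbswg 1.50b\n",
    "ws-03": "\nHKEY_USERS\\S-1-5-21-1111-2222-3333-1002\\software\\OnTheFly\n"
             "    (Default)    REG_SZ    Worm made with Vbswg 1.50b\n"
             "    mailed    REG_SZ    1\n",
}

def parse_reg_query(text):
    """Return {key_path: {value_name_lowercased: data}} from reg.exe output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # A key header starts a new section; anything else (e.g. ERROR) ends it.
            is_key = line.upper().startswith("HKEY_")
            current = keys.setdefault(line.strip(), {}) if is_key else None
            continue
        match = VALUE_LINE.match(line)
        if current is not None and match:
            current[match.group(1).lower()] = match.group(3).strip()
    return keys

def classify(text):
    """clean: no marker; executed: key exists; mailed: the mailed flag is 1."""
    for path, values in parse_reg_query(text).items():
        if path.lower().endswith(MARKER_KEY):
            return "mailed" if values.get("mailed") == "1" else "executed"
    return "clean"

def triage(outputs):
    """Map each host to its state, in host-name order."""
    return {host: classify(text) for host, text in sorted(outputs.items())}

if __name__ == "__main__":
    for host, state in triage(SAMPLE).items():
        print(f"{host}: {state}")
```

A "mailed" result means the script recorded that DoMail() completed for that user, so that account's contacts are the ones to notify.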

Alright that’s the meat of Part One.

Let’s move on to Part Two where we infect everyone you know.

The DoMail() Function

This is the part you really don’t want to accidentally run. It starts off by making Anna Kournikova ignore errors.

On Error Resume Next

Because if you’re going to be wreaking havoc, you probably don’t care about errors along the way. The next part is just set up—going into Outlook, getting a MAPI session, and finding your address book.


Onward. The For Loop within an If Statement within a For Loop. Translated into plain English, this block basically says for every email address in the address book, if the number of addresses does not equal zero, count the number of addresses, and loop from one to the total.

Inside that loop, Outlook.CreateItem(0) makes a Mail Item. From there, properties like To, Subject, and Body can be set. And the attachment with the copy of Anna Kournikova can be attached.

The last step closes up by writing the number one to the mailed line in the registry so that Anna won’t run again.

Stay tuned. Next week, I’ll be going through the lines that require a FileSystemObject.

 

 
