Kvbswg

Kvbswg (Kalamar's VBS Worm Generator) is a worm generator created by Argentine virus coder Kalamar. While it was mostly known for churning out broken intended code, it managed to produce a few noteworthy variants.

Kournikova AKA Onthefly

Kournikova was probably the most famous worm produced with the generator. Its creator, Jan de Wit, a 20-year-old student and computer shop employee, was arrested in Sneek, Netherlands after turning himself in. He was sentenced to 150 days of community service. The Mayor of Sneek offered him an IT job.

OnTheFly arrives as an email attachment with the subject line "Here you have, ;o)" and body text "Hi: [new line] Check This!". The attachment is a 2,853-byte .vbs file named AnnaKournikova.jpg.vbs, which encourages the recipient to open it with the promise of a picture of the tennis star.

When executed, the virus creates a Current User registry key, \Software\OnTheFly\mailed. The worm checks whether the value of this key is "1", which signifies that the mailing routine has already been performed. If not, the worm mails itself to every email address in the Outlook Address Book and then sets the value to "1".

After performing the mailing routine, the worm continues to run. If the date is January 26, OnTheFly tries to open a web page from the Netherlands (http://www.dynabyte.nl).

Effects

As OnTheFly has no deliberately malicious payload, its ability to cause damage is mostly limited to taking up space in mailboxes and consuming system resources. Millions of computers were supposedly infected with the worm, but the FBI only turned up 55 that claimed any losses. The largest figure for the damage toll of the worm is $166,827.

Homepage

Homepage arrives in an email message with a subject line of "Homepage". The message body says "Hi! You've got to see this page! It's really cool ;O)". When the attachment is executed, it decrypts and copies itself to a temporary folder. It then collects the email addresses in the MS Outlook address book and sends each of them a copy of its email with a copy of itself.

When it is finished, it creates the registry key HKCU\software\An\mailed and adds the value of 1 to it. When the worm is run a second time, it will not mail itself and will delete all messages in the inbox with "Homepage" as a subject line. It also displays one of the following pages:

  • http://hardcore.pornbillboard.net/shannon/1.htm
  • http://members.nbci.com/_XMCM/prinzje/1.htm
  • http://www2.sexcropolis.com/amateur/sheila/1.htm
  • http://sheila.issexy.tv/1.htm
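
The delivery traits described above (a script attachment hidden behind a decoy extension, plus the two subject lines) can be checked at a mail gateway. The following is an added example, not code from the worms or from any antivirus product; the function names, the extension lists and the sample messages are assumptions constructed for illustration.

```python
import os
from email import message_from_string
from email.message import EmailMessage

# Script types that Windows Script Host executes on double-click (assumed list).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Extensions a user reads as harmless when the real one is hidden (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".htm"}
# Subject lines quoted on this page; a weak signal on their own.
KNOWN_SUBJECTS = {"here you have, ;o)", "homepage"}

def triage(raw):
    """Return the reasons a raw RFC 822 message resembles a Kvbswg-style worm mail."""
    msg = message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append("subject:" + subject)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows drops trailing dots and spaces, so "x.jpg.vbs. " still runs as .vbs.
        name = name.strip().rstrip(". ").lower()
        stem, ext = os.path.splitext(name)
        if ext in SCRIPT_EXTS:
            reasons.append("script-attachment:" + name)
            if os.path.splitext(stem)[1] in DECOY_EXTS:
                reasons.append("double-extension:" + name)
    return reasons

def build_sample(subject, filename):
    """Build a constructed test message; the attachment body is a harmless placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("Hi:\nCheck This!")
    m.add_attachment(b"' constructed placeholder, not worm code",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_string()

if __name__ == "__main__":
    print(triage(build_sample("Here you have, ;o)", "AnnaKournikova.jpg.vbs")))
    print(triage(build_sample("Holiday photos", "beach.jpg")))
```

On an infected host, the marker keys named on this page (\Software\OnTheFly\mailed and HKCU\software\An\mailed) are the corresponding artifact to look for.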

Mawanella

Mawanella contains a protest message about the massacre of a Muslim village (after which it is named) in Sri Lanka. It became relatively popular all over the world, particularly in Australia and Europe.
