VBS/OnTheFly (Anna Kournikova) Malicious Code
Last revised: February 13, 2001
A complete revision history can be found at the end of this file.
The "VBS/OnTheFly" malicious code is a VBScript program that spreads via email. As of 7:00 pm EST(GMT-5) Feb 12, 2001, the CERT Coordination Center had received reports from more than 100 individual sites. Several of these sites have reported suffering network degradation as a result of mail traffic generated by the "VBS/OnTheFly" malicious code.
This malicious code can infect a system if the enclosed email attachment is run. Once the malicious code has executed on a system, it will take the actions described in the Impact section.
When the malicious code executes, it attempts to send copies of itself, using Microsoft Outlook, to all entries in each of the address books. The sent mail has the following characteristics:
- SUBJECT: "Here you have, ;o)"
- BODY: Hi: Check This!
Users who receive copies of the malicious code via electronic mail will probably recognize the sender. We encourage users to avoid executing code, including VBScripts, received through electronic mail, regardless of the sender's name, without prior knowledge of the origin of the code or a valid digital signature.
It is possible for recipients to be tricked into opening this malicious attachment, since the file will appear without the .VBS extension if "Hide file extensions for known file types" is turned on in Windows.
When the attached VBS file is executed, the malicious code attempts to modify the registry by creating the following key:
- HKEY_CURRENT_USER\Software\OnTheFly="Worm made with Vbswg 1.50b"
Beyond this effect, there does not appear to be a destructive payload associated with this malicious code. However, historical data has shown that the intruder community can quickly modify the code for more destructive behavior.
Update Your Anti-Virus Product
It is important for users to update their anti-virus software. Some anti-virus software vendors have released updated information, tools, or virus databases to help combat this malicious code. A list of vendor-specific anti-virus information can be found in Appendix A.
Apply the Microsoft Outlook E-mail Security Update
To protect against this malicious code, and others like it, users of Outlook 98 and 2000 may want to install the Outlook E-mail Security update included in an Outlook SR-1. More information about this update is available at
You may also find the following document on Outlook security useful
The Outlook E-mail security update provides features that can prevent attachments containing executable content from being displayed to users. Other types of attachments can be configured so that they must be saved to disk before they can be opened (or executed). These features may greatly reduce the chances that a user will incorrectly execute a malicious attachment.
Filter the Virus in Email
Sites can use email filtering techniques to delete messages containing subject lines known to contain the malicious code, or can filter attachments outright.
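As an added illustration of the filtering described above (example code written for this page, not CERT's or any vendor's tooling), the following Python filter uses only the standard library to flag a message either by the subject line quoted in this advisory or by a script-type attachment, including the case where a second extension hides the script suffix. The sample addresses, attachment name and attachment bytes are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject line this advisory attributes to the worm's outgoing mail.
KNOWN_SUBJECTS = {"here you have, ;o)"}
# Script attachment types worth quarantining outright. Windows may hide the
# final extension, so "photo.jpg.vbs" is displayed to the user as "photo.jpg".
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


def classify_message(raw: bytes) -> list[str]:
    """Return the reasons a message should be quarantined (empty list = deliver)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"subject matches known worm subject: {subject!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(SCRIPT_EXTENSIONS):
            continue
        reasons.append(f"script attachment: {name!r}")
        # A dot left in the stem means an innocent-looking extension precedes
        # the real one, i.e. the double-extension trick the advisory describes.
        stem = name.rsplit(".", 1)[0]
        if "." in stem:
            reasons.append(f"double extension hides script type: {name!r}")
    return reasons


def build_sample(subject: str, filename: str) -> bytes:
    """Construct a message shaped like the worm's mail (constructed sample, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # hypothetical sender
    msg["To"] = "user@example.com"          # hypothetical recipient
    msg["Subject"] = subject
    msg.set_content("Hi: Check This!")
    msg.add_attachment(b"' placeholder bytes, not the worm\r\n",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in classify_message(build_sample("Here you have, ;o)", "photo.jpg.vbs")):
        print("QUARANTINE:", reason)
```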
Exercise Caution When Opening Attachments
Exercise caution when receiving email with attachments. Users should disable auto-opening or previewing of email attachments in their mail programs. Users should never open attachments from an untrusted origin, or that appear suspicious in any way. Finally, cryptographic checksums should also be used to validate the integrity of the file.
IV. General protection from email Trojan horses and viruses
Some previous examples of malicious files known to have propagated through electronic mail include:
- Melissa macro virus - discussed in CA-99-04 http://www.cert.org/advisories/CA-1999-04.html
- False upgrade to Internet Explorer - discussed in CA-99-02 http://www.cert.org/advisories/CA-1999-02.html
- Happy99.exe Trojan Horse - discussed in IN-99-02 http://www.cert.org/incident_notes/IN-99-02.html
- CIH/Chernobyl virus - discussed in IN-99-03 http://www.cert.org/incident_notes/IN-99-03.htm
In each of the above cases, the effects of the malicious file are activated only when the file in question is executed. Social engineering is typically employed to trick a recipient into executing the malicious file. Some of the social engineering techniques we have seen used include:
- Making false claims that a file attachment contains a software patch or update
- Implying or using entertaining content to entice a user into executing a malicious file
- Using email delivery techniques that cause the message to appear to have come from a familiar or trusted source
- Packaging malicious files in deceptively familiar ways (e.g., use of familiar but deceptive program icons or file names)
Tech tip: Protecting yourself from Email-borne Viruses and Other Malicious Code During Y2K and Beyond
Aladdin Knowledge Systems
Command Software Systems, Inc.
Finjan Software, Ltd.
Dr. Solomon, NAI
This document was written by Cory Cohen, Roman Danyliw, Ian Finlay, John Shaffer, Shawn Hernan, Kevin Houle, Brian B. King, and Shawn Van Ittersum.
Copyright 2001 Carnegie Mellon University.
February 12, 2001: Initial release
February 13, 2001: Corrected registry key in Impact section