An Argentinian hacker known as [K]Alamar has enhanced and released the updated beta version of his VBS (Visual Basic Script) Worm Generator, allegedly used last month by a Dutch hacker who goes by the moniker OnTheFly to create the worm named after the tennis star.
The enhancement was detected over the last several days by security software vendors, whose labs set about analysing the changes. At Computer Associates International, lab workers quickly determined that the worm generator kit "has some new functionality that will make the threats a bit more destructive," said Ian Hameroff, business manager for security solutions.
Additional analysis found that "it isn't much more destructive than the previous kit," but allows for the ability to include an .exe file when the VBS is launched and that "could cause all kinds of damage," Hameroff said. Users won't see the .exe because the worm will appear as a VBS file. So, while the payload isn't all that different, the ability for the worm to run an executable file on a user's computer could potentially wreak havoc. Those executables could run the gamut of "anything with a malicious intent," from exploits known as trojans to backdoor security breaches, Hameroff said.
.exe's have the potential to ruin a PC if they are launched, and so the enhanced worm generator is viewed as having the ability to create tremendous problems. According to information provided through his Web site by [K]Alamar, also known as "K," worms created with the new kit can be easily created and all could potentially have unique code, making them more difficult to detect.
A help file from [K]Alamar says that as of last Friday, the creator was using various antivirus software to try to detect worms created with the generator and none worked. However, he expects that to change soon and so sent out a request that fellow virus writers let him know as anti-virus software becomes an effective hedge against infection.
Finjan Software describes the new generator version as a "very impressive tool." The security team reviewed it and "is very impressed with its simplicity and ease of use," according to e-mail from a firm that handles public relations for Finjan.
The beta has corrected a lot of bugs from the earlier version and worms created now can be spread using e-mail, IRC (Internet Relay Chat) and files. The Anna Kournikova was spread via e-mail.
The original Anna Kournikova masqueraded as a .JPG image of the Russian tennis star -- whose photographs are highly prized among certain of her fans. The worm arrived with one of three variants of the subject line "Here you go :-)" and with one of three variants as the name of the attachment, based around "Anna.Kournikova.jpg.vbs." The e-mail swept the globe in short order.
Security vendors expect new worms created with the generator to begin spreading soon, though CA's Hameroff said that the lab team there will be able to "quickly analyse and produce detection" for them.
Users are advised to routinely update anti-virus software and to not open e-mail from unknown sources, no matter how enticing the subject line.
[K]Alamar himself notes at his site -- misspellings intact -- that "the transmission or possession of destructive programs may be illegal in your country be carefull with what you do. All files in this site are for educational purpose only. Neither my server or I are resonsable of waht you do whit the files."
(Joris Evers in Amsterdam contributed to this report.)