March 2001


Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Steve Cavrak <[log in to unmask]>
Reply To:
Departmental Technology Coordinators <[log in to unmask]>
Thu, 15 Mar 2001 15:24:48 -0500
TEXT/PLAIN (114 lines)
Virus Kit Gets Deadlier
March 15, 2001

The grandfather of the Anna Kournikova virus has released a new version
of his point-and-click computer worm construction kit, easy enough that
anyone can create a virus and sic it on the world.

But the virus kit creator, who goes by the screen name [K] and claims to
be an 18-year-old student in Buenos Aires, Argentina, said his conscience
is clear.

"I just give people a tool. What people do with that tool is their
fault," he said in an interview conducted through the ICQ online chat

[K]'s kit constructs a variety of virus called a worm, a stand-alone
program that duplicates itself and spreads, often attached to e-mail
messages. Last year's "Love Bug" and 1999's "Melissa" virus were both

An earlier version of [K]'s kit was allegedly used by a 20-year-old
Dutchman calling himself "OnTheFly" to create the Kournikova worm. The
virus, named for the Russian tennis star, backed up e-mail systems
worldwide in December 2000. OnTheFly said after the incident that he
doesn't know how to program computers.

[K]'s new kit is easy enough for anyone to use  you can actually create
a worm in one click. With a few easy steps, you can imprint your name on
the worm and cause it to shut down an infected user's computer or
reproduce itself through e-mail.

The new version adds several dangerous features, including more advanced
encryption to dodge antivirus programs and an "antideletion" function
that makes worms especially tricky to remove, said Dave Kroll, president
of antivirus company Finjan. The new features send [K]'s worms "right
through" much antivirus software, Kroll said.

And [K]'s kit, while the most notorious and one of the most advanced, is
only one of dozens of point-and-click virus kits available on the Web,
said Paul Zimski, a security researcher with Finjan.

[K] said his worms' "ability to go around the globe in just a few hours,"
proven by the Kournikova virus, is more dangerous than any new technical

Curiosity Created the [K]

Curiosity, not a desire for fame, is behind [K]'s virus-writing
activities, he said.

"I don't like to be famous ... I like programming ... and virii do lots
of stuff that teach me how to code," he said. "What can I say? I like
virii, I'm a collector and also a writer."

But most virus writers divide into two categories: vandals and
fame-seekers, said Steve Gottwals of anti-virus firm F-Secure. Virus
authors are almost all males, from their teens into their 30s, he said.
Seeking fame among their own community, many never release their viruses
into the public realm, choosing to send them directly to antivirus firms
so they can see their programming prowess touted on antivirus Web sites.

[K] has said previously that he doesn't release his viruses into the

"It's not an accident that he made a tool, and out of all the things that
a tool can do, it creates worms," Zimski said. "It's a way of getting
attention ... you are creating something that is dangerous and is very
powerful, and that's a lot more sexy than creating something that is

Harsh Words for Antivirus Firms

[K] had harsh words for antivirus companies, most of whom rely on
"signatures"  telltale chunks of computer code  to identify viruses.
Because [K]'s kit can create a wide variety of different worms encrypted
in different ways, the results slip through much antivirus software,
Kroll said.

"I don't think [antivirus companies] are doing anything good. Their way
of working sucks; action-reaction is really bad for users who paid for
expensive software," [K] said. "The reactive actions don't work today,
when a virus can go around the globe in five hours."

Finjan's proactive solution is helpful, [K] said. The Israeli antivirus
firm checks for viruses by detecting suspicious behavior. The program
looks for code that acts like a virus rather than any particular virus
signature. F-Secure's Gottwals said Finjan's system can work with
traditional virus software to provide complimentary protection.

"They read the code and see what it does, not just check some parts of
the code. That's a good idea," [K] said.

[K] himself won't have to worry about prosecution, according to Mark
Rasch, a former cybercrimes prosecutor now working for Predictive
Systems. Argentina has no antivirus laws, he said.

Copyright  2001 ABC News Internet Ventures. Click here for Terms of Use
& Privacy Policy & Internet Safety Information applicable to the site.

||       | Stephen J. Cavrak, Jr.      [log in to unmask]
 |*     |  Assistant Director for
 |     /   Academic Computing Services Phone:  802-656-1483
 |    |    University of Vermont       Fax:    802-656-0872
 |   |     Burlington, Vermont 05405   North:  44o 28' 33"
 ----                                  West:   73o 12' 45"