My meeting with Anna

— 12:27 AM on February 13, 2001

Although Ronald touched on it earlier, I thought I'd pontificate about my lovely experience with the Anna virus. Damage did all his learning over the weekend, but I got mine as a Monday morning slap to the face.

At least I can say I wasn't one of the people who opened the e-mail; I just had to do clean-up. A couple of the charming things I learned: People are quick to open an e-mail that supposedly contains a single picture of Anna Kournikova, in spite of the fact that her name and the word "pictures" gets around 40,000 hits on Google. Heck, even with the addition of the all-important word "nude" there's 23,700. But I digress.

Another thing I learned is that Norton Anti-Virus for Exchange sucks rocks. It's served me well for a year or more, and when it works it works great. But the only thing it cares about are its virus definition files, and if the virus isn't in there yet, you're screwed. I sat depressed noting that (1) Trend Micro's Safemail product had its virus definitions updated at least a couple of hours before Symantec did and (2) it didn't matter because, unlike NAV, Safemail can just blanket filter attachments by extension. And when was the last time you got a .VBS file that wasn't a virus?

I learned some more things courtesy of this article on the virus. I learned that the virus was actually fairly clever, but the virus author was not. The virus code is encrypted and modifies itself to dodge detection. The author, however, apparently had little to do with the virus except for naming it, as it was actually built by a pre-existing virus construction kit (I am not making this up). According to the article, the kit's author has done no fewer than nine versions of the kit, with "the most recent one apparently guaranteed to dodge antiviral programs."

I also learned, incidentally, that Graham Cluley of the antiviral firm Sophos doesn't seem to have much in the way of social skills, having quotes attributed to him in the article such as "Think about the average guy who uses a computer — overweight, slobbing around in front of a terminal, sad social life. . ." Don't take it personally, guys.

One thing I didn't learn in the article: If this virus was built using a virus construction kit that's been sitting out on a web site just waiting for somebody to fire it up, and if anti-virus companies ". . . are aware of at least a half-dozen VBS script viruses created using [Alamar's] construction kit," then why don't the people doing virus definitions figure out how to detect the kit's product before it's found in the wild? I'd ask Anna, but I hope never to meet her again.

Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.